Chain incomplete -- missing intermediate cert?

Hi.
I used the OPNSense-Firewall together with the LE-Plugin to generate a certificate for my server. Everything worked well … afterwards I downloaded the files from the firewall and put all files on the server:

-rwxr-x---  1 root  wheel  1648 Jan 29 10:08 ca.cer*
-rwxr-x---  1 root  wheel  3933 Jan 29 10:08 fullchain.cer*
-rwxr-x---  1 root  wheel  2285 Jan 29 10:08 server.meine-domain.de.cer*
-rwxr-x---  1 root  wheel  1700 Jan 29 10:08 server.meine-domain.de.csr*
-rwxr-x---  1 root  wheel  3243 Nov 21 11:32 server.meine-domain.de.key*

When I connect via openssl s_client -connect server.meine-domain.de:443
I always get a chain that is too short.
I know it should look like this:

---
Certificate chain
 0 s:CN = server.meine-domain.de
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

But instead I always get just these lines:

CONNECTED(00000005)
depth=0 CN = server.meine-domain.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = server.meine-domain.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = server.meine-domain.de
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---

The chain is not complete … it’s too short. But the ca.cer is there…!
What’s wrong here? What’s missing? Thanks for a good hint.

The fullchain.cer contains the directly signing intermediate certificate; you may want to use that one in the web server.

In this case I used samba-ad-dc with SSL (so it’s on port 636 instead of 443).
The config looks like this:

tls enabled = yes
tls keyfile = /etc/ssl/server.meine-domain.de.key
tls certfile = /etc/ssl/server.meine-domain.de.cer
tls cafile = /etc/ssl/ca.cer
tls verify peer = ca_and_name

I already tried to change ca.cer <--> fullchain.cer and restarted samba … with no effect. The message is still the same…

Try that way:
tls certfile = /etc/ssl/fullchain.cer

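The two s_client outputs quoted above are exactly the kind of thing worth checking automatically when a service comes back with "unable to get local issuer certificate". Below is an added example (not code from the thread, OPNsense, or Samba) that parses the "Certificate chain" block printed by openssl s_client, checks that each certificate's issuer is the subject of the next one served, and checks that the last served certificate was issued by a root in a small trust store. The trust store and the sample outputs are constructed here; the sample outputs are the two chains from this thread, and the set of trusted root subjects is an assumption standing in for the client's real root store.

```python
"""Check whether a certificate chain printed by `openssl s_client`
links correctly and ends at a trusted root.

Added example for the thread above. The trust store below is a
constructed stand-in for a real root store.
"""

import re

# Constructed trust store: subjects of root CAs the client trusts.
# DST Root CA X3 is the root shown as issuer of Let's Encrypt Authority X3
# in the thread's expected output.
TRUSTED_ROOT_SUBJECTS = {
    "O = Digital Signature Trust Co., CN = DST Root CA X3",
}

# s_client prints each served certificate as " N s:<subject>" followed by
# "   i:<issuer>" inside the block delimited by "Certificate chain" and "---".
CERT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")


def parse_chain(s_client_output):
    """Return a list of (subject, issuer) tuples, in the order served."""
    chain = []
    in_chain = False
    subject = None
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":          # end of the chain block
            break
        m = CERT_LINE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def check_chain(chain, trusted_roots=TRUSTED_ROOT_SUBJECTS):
    """Return (ok, message).

    The chain is complete when every certificate's issuer is the subject of
    the next certificate served, and the last served certificate is either
    a trusted root or was issued directly by one (roots themselves are
    normally not sent and are expected to live in the client's store).
    """
    if not chain:
        return False, "no certificates in chain"
    for (subject, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False, (f"break in chain: '{subject}' is issued by '{issuer}', "
                           f"but the next certificate served is '{next_subject}'")
    last_subject, last_issuer = chain[-1]
    if last_subject in trusted_roots or last_issuer in trusted_roots:
        return True, f"chain of {len(chain)} certificate(s) ends at trusted root '{last_issuer}'"
    return False, (f"chain ends at '{last_subject}', issued by '{last_issuer}', which is not "
                   "a trusted root: the server is not sending the intermediate certificate")


# Constructed sample input 1: the short chain the original poster saw.
SHORT_CHAIN_OUTPUT = """CONNECTED(00000005)
depth=0 CN = server.meine-domain.de
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = server.meine-domain.de
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
"""

# Constructed sample input 2: the expected chain with the intermediate served.
FULL_CHAIN_OUTPUT = """---
Certificate chain
 0 s:CN = server.meine-domain.de
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

if __name__ == "__main__":
    for name, output in (("short", SHORT_CHAIN_OUTPUT), ("full", FULL_CHAIN_OUTPUT)):
        ok, msg = check_chain(parse_chain(output))
        print(f"{name}: {'OK' if ok else 'INCOMPLETE'} - {msg}")
```

Feed it the real output of openssl s_client -connect host:port -showcerts (port 636 for the Samba LDAPS case in this thread) and it reports "INCOMPLETE" whenever the server stops at the leaf, which is precisely the symptom that switching tls certfile to fullchain.cer fixes.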

That’s it! Great! Thank you very much!


Unfortunately in some software cafile or equivalent means something different from what you would expect. (It can sometimes mean “CA to use to verify client certificates” or “CA to use to verify our outbound connections” or something like that.)

I’m glad @bruncsak’s solution worked and I hope other people with the same problem will find this thread with that solution.

