Chain missing or incomplete

My domain is: mielbio.fr

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): CentOS 7.9

I can login to a root shell on my machine : Yes

I'm using a control panel to manage my site : Webmin/Virtualmin

Hello,

Until yesterday everything worked fine, but since today I have a problem with our internet shop. The bank is OK for the online payment but does not return to our shop.

The bank says:
SSL certificate problem: unable to get local issuer certificate

The messages of SSL checkers say:
Incomplete certificate chain / verification server down / invalid signature chains
or
TLS Certificate is not trusted
or Chain cert missing

What can I do?

Thank You.

1 Like

Hi @Bousquet

see your check, ~20 minutes old - https://check-your-website.server-daten.de/?q=mielbio.fr#connections - the #connections part.

Your server sends only the certificate, not the required intermediate certificate.

The port 465 has the wrong domain name, but there you see the correct chain.

Port 443 must have the same.

But: I don't know how virtualmin handles that.

Normally: Use fullchain.pem instead of cert.pem.

fullchain.pem contains cert.pem and the intermediate certificate.

1 Like

Can't handle fullchain.pem
It requires cert.pem & chain.pem

2 Likes

Thank You for Your answers.
How can I get these cert.pem and chain.pem? I am sorry for these questions but I don't know what to do.

I have some other sites on the same server, e.g. www.apiculteur-bio.fr. This certificate is working fine without error, created by webmin.

Thank You.

2 Likes

Then compare both configurations.

It's more a problem of how to do that with webmin. I don't know - I don't use webmin.

1 Like

Oh, what's that.

A simple Google search for "webmin certificate chain":

https://www.virtualmin.com/node/35815

There is a part

Server Configuration -> Manage SSL Certificates -> CA Certificate.

Looks like you are using the new R3 intermediate certificate for the first time, so you have to add the cert there.

1 Like

Webmin configuration for mielbio.fr
Same thing for apiculture-bio.fr

1 Like

There you see your problem.

That's not the new R3 certificate, that's the old intermediate you use.

So that can't work with a newly created certificate; the error is expected.

PS: apiculture-formation.com has the old certificate, so that's correct.

1 Like

Dear Jürgen, I am sorry that I cannot see what You see. I guess that probably all my other certificates might not work anymore too when they are renewed?

Please tell me what I have to do to fix that.

Thank You very much.

1 Like

Replace the ssl.ca file (shown in the image in your previous post) with this file:

https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem

It is the correct CA intermediate certificate for newly issued Let's Encrypt certificates.

This is the old one, which you are currently using:

https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

2 Likes
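The check behind this answer, as an added example that is not from the thread or from Webmin: the file you put in ssl.ca must be the intermediate that actually issued your leaf, which you can confirm offline by comparing the leaf's issuer with the CA file's subject. The script builds a throwaway root, an old and a new intermediate and a leaf with openssl (all names and the hostname shop.example are constructed), so it runs without touching any real server.

```shell
#!/bin/sh
# Added example: mirror the thread's situation (leaf issued by the new "R3"
# intermediate while ssl.ca still holds the old "X3" one) in a throwaway PKI,
# then check which CA file belongs in ssl.ca. Everything here is constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
q() { "$@" >/dev/null 2>&1; }   # run a command quietly

# csr NAME CN: fresh private key plus CSR for NAME with the given subject
csr() { q openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2"; }

csr root "Demo Root"
q openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem
for pair in "old:Demo Intermediate X3" "new:Demo Intermediate R3"; do
  name=${pair%%:*}; cn=${pair#*:}
  csr "$name" "$cn"
  q openssl x509 -req -in "$name.csr" -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out "$name.pem"
done
csr leaf "shop.example"        # the shop's certificate, issued by the NEW intermediate
q openssl x509 -req -in leaf.csr -CA new.pem -CAkey new.key -CAcreateserial -days 1 -out leaf.pem

# chain_matches LEAF CAFILE: succeeds iff CAFILE's subject equals LEAF's issuer,
# i.e. CAFILE is the intermediate that signed LEAF (what ssl.ca must contain).
chain_matches() {
  issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^[a-z]*= *//')
  subject=$(openssl x509 -noout -subject -in "$2" | sed 's/^[a-z]*= *//')
  [ "$issuer" = "$subject" ]
}

# chain_verifies LEAF CAFILE: full path validation to the demo root, the same
# check a client (the bank's callback) performs on the chain the server sends.
# With the stale intermediate it fails with "unable to get local issuer certificate".
chain_verifies() { q openssl verify -CAfile root.pem -untrusted "$2" "$1"; }

chain_matches leaf.pem old.pem && echo "old.pem: matches" || echo "old.pem: wrong intermediate (stale ssl.ca)"
chain_matches leaf.pem new.pem && echo "new.pem: matches" || echo "new.pem: wrong intermediate"
```

On Apache 2.4.6 the matching file is the one SSLCertificateChainFile (Webmin's ssl.ca) must point at; the same comparison against your real cert.pem and ssl.ca shows whether the intermediate is stale.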

Also, if you're using an up-to-date version of Webmin, consider letting the Webmin developers know that they seem to have hard-coded the old intermediate certificate, or at least that they're apparently not properly handling changes in the intermediate certificate (such as the one that took place recently).

1 Like

According to the comments in that commit, you can also fix this by having Certbot installed, which will avoid the behavior where the chain is hardcoded.

2 Likes

Verification failing after last renewal - Help - Let's Encrypt Community Support

mod_ssl - Apache HTTP Server Version 2.4

1 Like

So fullchain (via SSLCertificateChainFile) appears to be deprecated in apache... :thinking:

The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile.

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile

1 Like

The Apache docs can claim it is deprecated, but until CentOS 7 EOL (July 2024) it won't really be the case. :sob:

3 Likes

knows nothing of the deprecation.

1 Like

Hello Griffin,

Thank You.
I copied the .pem from your link into my file ssl.ca but it is not better.

2 Likes

Did you replace the file entirely or did you try to combine them?

2 Likes

Please show the lines in the vhost config where you use the cert/chain/etc.

1 Like

Hello,
I replaced the text which was in the ssl.ca with the https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem.

Then I changed in this file

x3 -> r3

Now it works, thank You very much !!!

I guess I need to do the same change for the ssl.ca files for all other websites on this server too?

Grateful greetings.

2 Likes