Chain missing or incomplete

My domain is: mielbio.fr

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): CentOS 7.9

I can login to a root shell on my machine : Yes

I'm using a control panel to manage my site : Webmin/Virtualmin

Hello,

until yesterday everything worked fine, but since today I have a problem with our internet shop. The bank is OK for the online payment but does not return to our shop.

The bank says:
SSL certificate problem: unable to get local issuer certificate

The messages of ssl checkers says
Incomplete certificate chain / verification server down / invalid signature chains
or
TLS Certificate is not trusted
or Chain cert missing

What can I do?

Thank You.

1 Like

Hi @Bousquet

see your check, ~~20 minutes old - https://check-your-website.server-daten.de/?q=mielbio.fr#connections - the #connections part.

Your server sends only the certificate, not the required intermediate certificate.

The port 465 has the wrong domain name, but there you see the correct chain.

Port 443 must have the same.

But: I don't know how virtualmin handles that.

Normally: Use fullchain.pem instead of cert.pem.

fullchain.pem contains cert.pem and the intermediate certificate.

1 Like

Can't handle fullchain.pem
It requires cert.pem & chain.pem

2 Likes

Thank You for Your answers.
How can I get these cert.pem and chain.pem ? I am sorry for these questions but I don't know what to do.

I have some other sites on the same server, e.g. www.apiculteur-bio.fr . This certificate is working fine without error, created by webmin.

Thank You.

2 Likes

Then compare both configurations.

It's more a problem how to do that with webmin. I don't know - I don't use webmin.

1 Like

Oh, what's that.

A simple Google-search webmin certificate chain:

There is a part

Server Configuration -> Manage SSL Certificates -> CA Certificate.

Looks like you use the new R3 intermediate certificate the first time, so you have to add the cert there.

1 Like

Webmin configuration for mielbio.fr
Same thing for apiculture-bio.fr

1 Like

There you see your problem.

That's not the new R3 certificate, that's the old intermediate you use.

So that can't work with a new created certificate, the error is expected.

PS: apiculture-formation.com has the old certificate, so that's correct.

1 Like

Dear Jürgen, I am sorry that I cannot see what You see. I guess that probably all my other certificates might not work anymore too when they are renewed ?

Please tell me what I have to do to fix that.

Thank You very much.

1 Like

Replace the ssl.ca file (shown in the image in your previous post) with this file:

https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem

It is the correct CA intermediate certificate for newly issued Let's Encrypt certificates.

This is the old one, which you are currently using:

https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

2 Likes

Also, if you're using an up-to-date version of Webmin, consider letting the Webmin developers know that they seem to have hard-coded the old intermediate certificate, or at least that they're apparently not properly handling changes in the intermediate certificate (such as the one that took place recently).

1 Like

According to the comments in that commit, you can also fix this by having Certbot installed, which will avoid the behavior where the chain is hardcoded.

2 Likes

Verification failing after last renewal - Help - Let's Encrypt Community Support

mod_ssl - Apache HTTP Server Version 2.4

1 Like

So fullchain (via SSLCertificateChainFile) appears to be deprecated in apache... :thinking:

The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile.

1 Like

The Apache docs can claim it is deprecated, but until CentOS 7 EOL (July 2024) it won't really be the case. :sob:

3 Likes

knows nothing of the deprecation.

1 Like

Hello Griffin,

Thank You.
I copied the .pem of your link in my file ssl.ca but it is not better.

2 Likes

Did you replace the file entirely or did you try to combine them?

2 Likes

Please show the lines in the vhost config where you use the cert/chain/etc.

1 Like

Hello,
I replaced the text which was in the ssl.ca with the https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem.

Then I changed in this file


x3 -> r3

Now it works, thank You very much !!!

I guess I need to do the same changement for the ssl.ca files for all other websites on this server too ?

Grateful greetings.

2 Likes