Chain missing or incomplete

Thank You for Your answers.
How can I get these cert.pem and chain.pem? I am sorry for these questions but I don't know what to do.

I have some other sites on the same server, e.g. www.apiculteur-bio.fr . This certificate is working fine without error, created by webmin.

Thank You.

2 Likes

Then compare both configurations.

It's more a problem of how to do that with webmin. I don't know - I don't use webmin.

1 Like

Oh, what's that.

A simple Google-search webmin certificate chain:

There is a part

Server Configuration -> Manage SSL Certificates -> CA Certificate.

Looks like you use the new R3 intermediate certificate the first time, so you have to add the cert there.

1 Like

Webmin configuration for mielbio.fr
Same thing for apiculture-bio.fr

1 Like

There you see your problem.

That's not the new R3 certificate, that's the old intermediate you use.

So that can't work with a newly created certificate; the error is expected.

PS: apiculture-formation.com has the old certificate, so that's correct.

1 Like

Dear Jürgen, I am sorry that I cannot see what You see. I guess that probably all my other certificates might not work anymore either when they are renewed?

Please tell me what I have to do to fix that.

Thank You very much.

1 Like

Replace the ssl.ca file (shown in the image in your previous post) with this file:

https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem

It is the correct CA intermediate certificate for newly issued Let's Encrypt certificates.

This is the old one, which you are currently using:

https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

3 Likes
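A way to confirm the mismatch diagnosed above, added here as an example and not taken from any post in this thread: compare the issuer of the site certificate with the subject of the first certificate in the chain file. It assumes the `openssl` command-line tool is installed; the file paths are passed as arguments, and the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example: check that a chain file (such as ssl.ca) holds the
# intermediate that issued a given certificate. Paths are arguments only.

# Print the issuer of the leaf and the subject of the first cert in the chain.
show_names() {
    openssl x509 -in "$1" -noout -issuer
    openssl x509 -in "$2" -noout -subject
}

# chain_matches LEAF CHAIN
# Returns 0 when the first certificate in CHAIN carries the subject name that
# LEAF names as its issuer, 1 on mismatch, 2 when a file cannot be parsed.
# This compares names only; it does not verify the signature.
chain_matches() {
    issuer=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    subject=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || return 2
    [ "$issuer" = "$subject" ]
}

# report LEAF CHAIN: print one status line for the pair.
report() {
    rc=0
    chain_matches "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "OK        $1 is issued by the first cert in $2" ;;
        1) echo "MISMATCH  $1 vs $2"; show_names "$1" "$2" ;;
        *) echo "ERROR     cannot parse $1 or $2" ;;
    esac
}

# Usage (hypothetical script name):
#   sh check-chain.sh LEAF1 CHAIN1 [LEAF2 CHAIN2 ...]
while [ "$#" -ge 2 ]; do
    report "$1" "$2"
    shift 2
done
```

Passing one certificate and chain file pair per site covers every virtual host on a server in a single run.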

Also, if you're using an up-to-date version of Webmin, consider letting the Webmin developers know that they seem to have hard-coded the old intermediate certificate, or at least that they're apparently not properly handling changes in the intermediate certificate (such as the one that took place recently).

1 Like

According to the comments in that commit, you can also fix this by having Certbot installed, which will avoid the behavior where the chain is hardcoded.

2 Likes

Verification failing after last renewal - Help - Let's Encrypt Community Support

mod_ssl - Apache HTTP Server Version 2.4

1 Like

So fullchain (via SSLCertificateChainFile) appears to be deprecated in apache... :thinking:

The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile.

1 Like

The Apache docs can claim it is deprecated, but until CentOS 7 EOL (July 2024) it won't really be the case. :sob:

3 Likes

knows nothing of the deprecation.

1 Like

Hello Griffin,

Thank You.
I copied the .pem of your link in my file ssl.ca but it is not better.

2 Likes

Did you replace the file entirely or did you try to combine them?

2 Likes

Please show the lines in the vhost config where you use the cert/chain/etc.

1 Like

Hello,
I replaced the text which was in the ssl.ca with the https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem.

Then I changed in this file


x3 -> r3

Now it works, thank You very much !!!

I guess I need to make the same change to the ssl.ca files for all other websites on this server too?

Grateful greetings.

2 Likes

Sounds right to me. :blush:

I just don't understand why they're pinning the intermediate certificate. That's a recipe for failure.

1 Like

There also isn't any need to do that, as their fallback ACME client (for which the intermediate pinning was built) outputs the complete chain when issuing a certificate. No need to pin the intermediate at all. I replied as such on that GitHub commit.

4 Likes

Thank you for opening this thread, it helped solve my problem.

2 Likes