Having trouble with certificate chain (missing R3)

I am using Let's Encrypt certs on my own server (Deb 11), where I run Apache 2 as the web server.

I have checked my SSL certs here, and they're all fine: SSL Server Test: h1.tempel.org (Powered by Qualys SSL Labs)

However, I also run Jitsi on the server (also routed thru an Apache subdomain). And even though I use the very same cert for that subdomain as well, SSL Labs see an issue with it (as do some web browsers of some of my users): SSL Server Test: jitsi.tempel.org (Powered by Qualys SSL Labs)

How can that be? (someone suggested that it's because my server needs to deliver the R3 cert on its own, and while Apache does this somehow, the Jitsi server does not - but I have no idea how to fix that).

I searched the web for topics related to "jitsi missing r3" and found nothing on that.

I have asked the same question on the jitsi forum as well: Having trouble with certificate chain (Let's Encrypt, missing R3) - Install & Config - Jitsi Community Forum - developers & users

Sorry @tempelorg but I know nothing about Jitsi.
Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

May I jump in here with a related question?

I am using Let's Encrypt certs on my own server (Deb 10), where I run Apache 2 as the web server.

I have checked my SSL certs here, and they're all fine: SSL Server Test: h1.tempel.org (Powered by Qualys SSL Labs)

However, I also run Jitsi on the server (also routed thru an Apache subdomain). And even though I use the very same cert for that subdomain as well, SSL Labs see an issue with it (as do some web browsers of some of my users): SSL Server Test: jitsi.tempel.org (Powered by Qualys SSL Labs)

How can that be? And how could I fix this? Or shall I open a new topic for this?

Is not supplying this in the served chain:

Whereas:

Does serve that intermediate certificate in its chain.

Thanks, Bruce.
So, you're saying that the server needs to deliver the R3 cert? I thought the browser would pull them from wherever the cert issuers provide them.

So the question is: Why does Jitsi not deliver the R3 cert? Couldn't find anything on the web on that topic, either. Damn. This should be easy - the install page for Jitsi clearly makes it sound like that, and it used to work fine before I upgraded to Deb 10 a few weeks ago, too.


Yes, for SSL Server Test (Powered by Qualys SSL Labs) to not report "This server's certificate chain is incomplete. Grade capped to B."

@tempelorg Please start a new Help topic with your questions. The answers to the form you are shown will help us. And, will not interfere with the activity for this thread. Thanks


Done. :)

[merged all related posts]


I've found the issue after reading Certificates – Prosody IM, and it had nothing to do with Jitsi, so asking here was the right place:

I had configured my webserver to deliver the "cert.pem" for SSL connections. That was incorrect. I had to change it to deliver the "fullchain.pem" instead. (And the other sites served by Apache also used that fullchain.cert file, and that's why it worked there)

I guess that would have been obvious to anyone knowing anything about configuring a web server :)

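The fix described in the post above, as an added example that is not part of the original thread: a shell check that reads the `SSLCertificateFile` directive from Apache vhost files and reports whether each referenced PEM holds only the leaf certificate (as `cert.pem` does) or the leaf plus intermediate (as `fullchain.pem` does). The vhost names, temp paths and placeholder PEM bodies are constructed, and the use of `SSLCertificateFile` is an assumption, since the thread does not show the actual config.

```shell
#!/bin/sh
# Added example: flag Apache vhosts whose SSLCertificateFile is leaf-only.

# Number of certificates in a PEM file (cert.pem has 1, fullchain.pem has 2+).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# For each config file given, report every SSLCertificateFile and how many
# certificates it holds. Returns 1 if any file is unreadable or leaf-only.
audit_vhosts() {
    rc=0
    for conf in "$@"; do
        # Directive names are case-insensitive; commented-out lines do not match.
        for pem in $(awk 'tolower($1) == "sslcertificatefile" { gsub(/"/, "", $2); print $2 }' "$conf"); do
            if [ ! -r "$pem" ]; then
                echo "$conf: $pem: unreadable"; rc=1; continue
            fi
            n=$(count_certs "$pem")
            if [ "$n" -lt 2 ]; then
                echo "$conf: $pem: $n certificate(s), LEAF ONLY (no intermediate served)"
                rc=1
            else
                echo "$conf: $pem: $n certificate(s), chain included"
            fi
        done
    done
    return $rc
}

# Constructed demo data: placeholder PEM bodies and two hypothetical vhosts.
demo=$(mktemp -d)
fake_cert() { printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed placeholder)' '-----END CERTIFICATE-----'; }
fake_cert > "$demo/cert.pem"                        # leaf only
{ fake_cert; fake_cert; } > "$demo/fullchain.pem"   # leaf + intermediate
cat > "$demo/jitsi.conf" <<EOF
<VirtualHost *:443>
    ServerName jitsi.example.test
    SSLCertificateFile $demo/cert.pem
</VirtualHost>
EOF
cat > "$demo/h1.conf" <<EOF
<VirtualHost *:443>
    ServerName h1.example.test
    SSLCertificateFile $demo/fullchain.pem
</VirtualHost>
EOF
audit_vhosts "$demo/jitsi.conf" "$demo/h1.conf" || echo "at least one vhost serves an incomplete chain"
```

On a Debian Apache install the real vhost files would typically be passed as `audit_vhosts /etc/apache2/sites-enabled/*.conf`.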
