Help with broken SSL chain

Please, I have the following error:

https://www.sslshopper.com/ssl-checker.html#hostname=https://paperlesssolutionsltd.com.ng:8443

The certificate works on Windows IIS, but I'm unable to get the full cert chain on non-IIS servers.

Hi @CharlesOkwuagwu

see https://check-your-website.server-daten.de/?q=paperlesssolutionsltd.com.ng#connections

Your port 443 and your mail ports are good.

But your port 8443 doesn't send the intermediate certificate, that's the error SSL Checker has reported.

The header of that port doesn't send a Server software header. What's running there?

If you have used Certbot to create the certificate, use fullchain.pem instead of cert.pem.

Thanks for this reply.

I used le64 from

my script:

le64 --key account-key.txt --csr domain-csr.txt --csr-key domain-key.txt --crt domain-crt.txt --domains "www.paperlesssolutionsltd.com.ng,paperlesssolutionsltd.com.ng,mail.paperlesssolutionsltd.com.ng" --generate-missing --unlink --live

I'm using an Erlang/Elixir server: GitHub - CrowdHailer/Ace: HTTP web server and client, supports http1 and http2

It accepts the following SSL config:

 certfile: Application.app_dir(@app, "priv/cert.pem"),
 keyfile: Application.app_dir(@app, "priv/cert.key"),
 port: 8443

I have no idea what I'm doing wrong

With Certbot, you would use fullchain.pem instead of cert.pem, that's all. fullchain.pem contains cert.pem and the Let's Encrypt intermediate certificate, that's the missing certificate.

Isn't there a file chain.pem or fullchain.pem?

If chain.pem, combine cert.pem and chain.pem (via a normal txt editor) in one file and use that.

If not, download it from

the R3.

You want me to combine like so:

my-cert
chain-cert downloaded from LE

into one file?

okay

Yes, that's the format of one file with the end- and the intermediate certificate.

See the content of my own certificate

Certificate *.server-daten.de

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

If you use Windows: Copy both parts in single files, file extension .crt, then you can see the certificate.

Still fails:

https://www.sslshopper.com/ssl-checker.html#hostname=https://paperlesssolutionsltd.com.ng:8443

my cert.pem:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Your file is correct, checked both certificates.

Did you restart your port 8443 server?

Checked with OpenSSL

openssl s_client -connect paperlesssolutionsltd.com.ng:8443

Your server doesn't send the intermediate certificate.

That's strange.

I will try with a different Erlang server to see what's going wrong.

There is another option:

config = %{greeting: "Hello"}
options = [port: 8443, certfile: "path/to/certificate", keyfile: "path/to/key"]

MyApp.start_link(application, options)

Maybe that overrides your definition.

That is the exact place we specify our SSL config. No, it does not override.

https://www.sslshopper.com/ssl-checker.html#hostname=https://paperlesssolutionsltd.com.ng:333

This is using GitHub - elli-lib/elli: Simple, robust and performant Erlang web server

Same result.

Yes, I restarted it. I restart each time I update the cert.

SOLVED!

Ah, thanks for reporting back :+1:

So

      cacertfile: Application.app_dir(@app, "priv/cert.pem"),
      certfile: Application.app_dir(@app, "priv/cert.pem"),
      keyfile: Application.app_dir(@app, "priv/cert.key")

pointing to the same file containing both certificates helps.

And the upgrade to a newer version.

Also, I was advised to add a line between the two certs.

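An added example, not code from the thread or from any project mentioned in it: a preflight check for a hand-concatenated chain file like the cert.pem discussed above, run before a server's certfile/cacertfile options are pointed at it. It checks PEM framing and that at least two certificates are present; it does not verify that the second certificate issued the first. The names `check_bundle` and `fake_pem` are chosen here, and the sample blocks are constructed placeholders, not real certificates.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def check_bundle(pem_text):
    """Return (certificate_count, problems) for a hand-assembled chain file."""
    problems = []
    for number, line in enumerate(pem_text.splitlines(), 1):
        stripped = line.strip()
        # Each delimiter must sit alone on its line. Joining a leaf file that
        # lacks a trailing newline gives "-----END ...----------BEGIN ...-----".
        if (BEGIN in stripped or END in stripped) and stripped not in (BEGIN, END):
            problems.append(f"line {number}: delimiter shares a line with other text")
    if pem_text.count(BEGIN) != pem_text.count(END):
        problems.append("unbalanced BEGIN/END delimiters")
    blocks = BLOCK.findall(pem_text)
    for index, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"certificate {index}: body is not valid base64")
            continue
        # An X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
        if not der.startswith(b"\x30"):
            problems.append(f"certificate {index}: body is not a DER SEQUENCE")
    if len(blocks) < 2:
        problems.append(f"{len(blocks)} certificate(s) found: intermediate is missing")
    return len(blocks), problems


def fake_pem(tag):
    # Constructed placeholder, NOT a real certificate: a DER SEQUENCE header
    # plus filler bytes, laid out like a PEM block (64-character lines).
    body = base64.b64encode(b"\x30\x82\x01\x00" + tag * 40).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"{BEGIN}\n{wrapped}\n{END}\n"


LEAF, INTERMEDIATE = fake_pem(b"leaf"), fake_pem(b"intermediate")

if __name__ == "__main__":
    samples = {"leaf only": LEAF, "glued": LEAF.rstrip("\n") + INTERMEDIATE,
               "full chain": LEAF + INTERMEDIATE}
    for name, text in samples.items():
        print(name, check_bundle(text))
```

A clean result only says the file is well formed; what the server actually sends still has to be confirmed with the `openssl s_client -connect` check used in the thread.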