Incomplete chain + Ubuntu with virtual hosts configuration

I have an ubuntu server running apache 2.2.22 with about 15 virtual hosts.
I created a single letsencrypt certificate that includes all my sites, and I added the .crt & .key files manually (copy & paste from letsencrypt) to /etc/apache2/ssl.
I edited http.conf, all the virtual host files and all the ,htaccess’s, and tested in several browsers on my desktop. Everything looked fine. That was about a month ago.

Problem is today I’ve tried it on my android mobile; on Opera mini & firefox I’m getting warnings that the certificate is not from a trusted authority (no warning on chrome).

I’ve tried one of my sites, cranefords.com, in https://www.ssllabs.com/ssltest/analyze.html?d=cranefords.com and I’m only getting a C. The summary says:
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
This server accepts RC4 cipher, but only with older protocols. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
This server’s certificate chain is incomplete. Grade capped to B.

From what I’ve read it’s the incomplete chain that’s causing the warning on android. I’m not sure where the chain would have been created, what it looks like nor where it should go! Do you have any advice please?

I am just trying to get rid of the POODLE vulnerability (tho I can’t currently get any of these settings to make a difference https://www.ssl.com/how-to/disable-ssl-3-0-in-apache/). Will the RC4 & Forward Secrecy issues also cause problems in any some browsers?

Also, is there any reason not to combine all sites in a single certificate? (I thought it would be more manageable…)

Any pointers gratefully received!

Hi @chw,

Indeed, your site is missing the intermediate certificate, also called “chain certificate”. When you obtained your certificate from Let’s Encrypt, the Let’s Encrypt client that you used should have given you three files, not just two (end-entity certificate, intermediate certificate, and private key). All three are necessary to use in your web server configuration for a valid site configuration. A symptom of this is that browsers that don’t cache intermediate certificates or simply don’t happen to have Let’s Encrypt’s intermediate certificate cached will display an error.

What Let’s Encrypt client did you use?

None of these issues are likely to decrease browser compatibility; they just increase your vulnerability to cryptographic attacks by sophisticated attackers.

That’s totally fine to do.

Thanks Shoen. I used zerossl.com to generate the cert. I have reread their instructions, and they make a bit more sense now. They say:
Your certificate file contains both your domain certificate and the issuer’s certificate. Most modern web servers will accept them as is. However, old versions of Apache, Amazon Web Services (AWS) and some control panels would want them separately. In that case just split the certificate file in two, preserving BEGIN and END lines around both certificates. The first one is your domain certificate, the second one is the issuer’s, which in control panel interface may be called “Intermediate certificate”, “Certificate chain” or “CA Bundle”.

So, after a bit more reading I am thinking:
At the moment in /etc/apache2/ssl I have a .crt and a .key file. My .crt contains 2 certificates. I am going to take the 2nd one out of there and put it in a new .chain(?) file. And I’ll reference that with: SSLCertificateChainFile /etc/apache2/ssl/.chain in my virtual host files.

Does that sound correct?

Once I’ve done that, it should work in all modern browsers without any warnings??

Re the POODLE thing, I don’t suppose you have any tips for disabling SSL3 in apache 2.2.22 do you? The instructions given are:
For version 2.2.22 of Apache and earlier, please use the following format to only allow the TLS protocol. In this situation, TLSv1 is used as a wildcard to mean all TLS protocols:
SSLProtocol TLSv1

For Apache servers using the mod_ssl module, edit the Apache configuration file commonly located at /etc/httpd/conf.d/nss.conf to only allow TLS 1.0 and above:
NSSprotocol TLSv1.0, TLSv1.1

I’ve added the SSLProtocol to all by hosts and to my apache.conf, but the problem is still there. I don’t have a nss.conf file and apache complains if I add the NSSprotocol to my host files.

Thank you

Yay, that seemed to work. Just need to disable SSL 3 now…

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.