Intermediate Certificate Missing?


#1

Hi. I use Stripe on one of our websites, and recently after switching over to a LE SSL certificate for that site our Stripe web hooks stopped working due to a TLS error. Stripe said the problem was due to an intermediate certificate missing which is confirmed by SSLLabs, which reports: “This server’s certificate chain is incomplete.”

This is how I have the SSL certs set up in our Apache conf file:

<VirtualHost 104.36.149.180:443>
  DocumentRoot /home/artmgr/public-v6/www/
  ServerName kultureshock.net

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/kultureshock.net/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/kultureshock.net/privkey.pem

  <Directory "/home/ks/www/">
    Require all granted
    AllowOverride All
  </Directory>
</VirtualHost>

Is there something I’m missing in my .conf file above?

Thanks!


My domain is: https://kultureshock.net
My web server is (include version): Apache 2.4.6
The operating system my web server runs on is (include version): CentOS Linux 7.4
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

While you’re in there you might want to add:
SSLHonorCipherOrder On

and reorder these highest to lowest (this may not work in v2.4.6):
SSLOpenSSLConfCmd Curves secp521r1:secp384r1:secp256r1:secp256k1


#3

That was unfortunately only added in Apache 2.4.8. :slightly_frowning_face: You need to use:

SSLCertificateFile /etc/letsencrypt/live/kultureshock.net/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/kultureshock.net/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kultureshock.net/privkey.pem

#4

Good catch!


#5

Thanks a lot, that did the trick!


#6

I do already have SSLHonorCipherOrder set to On in my Apache .conf file.

But I don’t see any lines with SSLOpenSSLConfCmd in there.


#7

https://www.ssllabs.com/ssltest/analyze.html?d=kultureshock.net shows:
  • TLS 1.2 (server has no preference)
  • TLS 1.1 (server has no preference)
  • TLS 1.0 (server has no preference)

So, you may also have missed including:
SSLCipherSuite <your preferred cipher order>


#8

Here’s what I have in my .conf file, plus a few lines above and below:

SSLCompression off
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on

I’m not really sure what CipherSuite is or does, so I appreciate your help in figuring this out.


#9

SSLCipherSuite defines “the list” of ciphers the server will accept/negotiate when establishing TLS connections - separated by colons (":").
The point of the command is to explicitly control which ciphers to allow and even which to deny.
Much like: SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
Explicitly defines which protocols to allow ("+") and which to deny ("-").
If you understand one, then you should understand the other - they go “hand-in-hand”.

If you want to understand more clearly what exactly any of them do:

  • EECDH+AESGCM
  • EDH+AESGCM
  • AES256+EECDH
  • AES256+EDH

you can use OpenSSL to show you what it considers to be in each “group”/“set” with this command:
for instance (depending on the version of OpenSSL…)
openssl ciphers 'EECDH+AESGCM'
would return something like this:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
So in a sense the two are equal.
You could type:

  • SSLCipherSuite EECDH+AESGCM
    or type:
  • SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256

and your web server would react in exactly the same way to those two instructions.
You can also explicitly deny ciphers/“sets” - by using the “!” (bang symbol - here used as NOT)
This
SSLCipherSuite 'EECDH+AESGCM:!AES128'
Should shorten the list above by removing any ciphers using AES128.
openssl ciphers 'EECDH+AESGCM:!AES128'
shows:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
Which is the previous list but now without any AES128 ciphers.
The negation can come anywhere in the string (at the front, in the middle, or at the end, or spread throughout) it really doesn’t matter. A negation will negate through the entire result.
Enabling however will go in order left-to-right.
So, in your config, these “EECDH+AESGCM” will come before these “EDH+AESGCM” (whatever they may resolve to).

With those basic instructions and some common understanding you should be able to at least expand any of the SSLCipherSuite settings - be they in “sets” or by entire lines…
openssl ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
returns:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA

Now even though the SSLCipherSuite is resolved in the order written and separated by colons, that actual order will only be applied/maintained if the additional command SSLHonorCipherOrder is set to on (which is not the default).
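The rules laid out above (words processed left to right, “A+B” meaning both aliases must match, “!” removing ciphers permanently wherever it appears in the string) can be modelled in a few lines. The following is an added example, not code from this thread or from OpenSSL: it resolves a cipher string over a small constructed cipher table with a simplified version of OpenSSL’s cipher-list grammar; the `CIPHERS` table and the `resolve`/`matches` helpers are hypothetical, and the authoritative expansion on a given server is still `openssl ciphers -v '<string>'`.

```python
"""Simplified model of OpenSSL's cipher-list grammar, as used by SSLCipherSuite.
Words are separated by ':' and processed left to right:
  word    append matching ciphers ('A+B' means A AND B; a full name matches itself)
  !word   delete permanently (a later word cannot add them back)
  -word   delete, but a later word may add them back
  +word   move already-selected matching ciphers to the end of the list
"""
from typing import Dict, FrozenSet, List, Set

# Constructed table (a subset, tagged with OpenSSL-style aliases), listed in the
# order OpenSSL would expand them; the real list comes from `openssl ciphers -v`.
CIPHERS: Dict[str, FrozenSet[str]] = {
    "ECDHE-RSA-AES256-GCM-SHA384":   frozenset({"EECDH", "aRSA", "AES256", "AES", "AESGCM", "SHA384"}),
    "ECDHE-ECDSA-AES256-GCM-SHA384": frozenset({"EECDH", "aECDSA", "AES256", "AES", "AESGCM", "SHA384"}),
    "ECDHE-RSA-AES128-GCM-SHA256":   frozenset({"EECDH", "aRSA", "AES128", "AES", "AESGCM", "SHA256"}),
    "ECDHE-ECDSA-AES128-GCM-SHA256": frozenset({"EECDH", "aECDSA", "AES128", "AES", "AESGCM", "SHA256"}),
    "DHE-RSA-AES256-GCM-SHA384":     frozenset({"EDH", "aRSA", "AES256", "AES", "AESGCM", "SHA384"}),
    "DHE-RSA-AES128-GCM-SHA256":     frozenset({"EDH", "aRSA", "AES128", "AES", "AESGCM", "SHA256"}),
    "ECDHE-RSA-AES256-SHA384":       frozenset({"EECDH", "aRSA", "AES256", "AES", "SHA384"}),
    "DHE-RSA-AES256-SHA256":         frozenset({"EDH", "aRSA", "AES256", "AES", "SHA256"}),
    "AES256-SHA":                    frozenset({"kRSA", "aRSA", "AES256", "AES", "SHA1"}),  # no forward secrecy
}


def matches(name: str, word: str) -> bool:
    """'EECDH+AESGCM' matches ciphers carrying every listed alias."""
    return name == word or all(a in CIPHERS[name] for a in word.split("+"))


def resolve(cipher_string: str) -> List[str]:
    """Return the ordered cipher list the string selects from CIPHERS."""
    selected: List[str] = []
    killed: Set[str] = set()
    for word in cipher_string.split(":"):
        op = word[0] if word[:1] in ("!", "-", "+") else ""
        word = word[len(op):]
        hits = [c for c in CIPHERS if matches(c, word)]
        if op == "!":                       # permanent removal
            killed.update(hits)
            selected = [c for c in selected if c not in hits]
        elif op == "-":                     # removable, re-addable later
            selected = [c for c in selected if c not in hits]
        elif op == "+":                     # reorder: push matches to the end
            selected = [c for c in selected if c not in hits] + [c for c in selected if c in hits]
        else:                               # append new matches in table order
            selected += [c for c in hits if c not in selected and c not in killed]
    return selected
```

Running `resolve` on the thread's own string shows why the plain-RSA `AES256-SHA` entry never appears: every word demands EECDH or EDH key exchange, so only forward-secret ciphers are selected.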


#10

Mozilla has a guide and tool for configuring TLS settings for Apache and other servers.

https://wiki.mozilla.org/Security/Server_Side_TLS

https://mozilla.github.io/server-side-tls/ssl-config-generator/

“certbot --apache” will configure Apache based on the “intermediate compatibility” configuration by default.

(Note: I don’t know, but it wouldn’t shock me if Stripe or other API clients do not support the “modern” configuration.)


#11

Thanks for that detailed explanation. Don’t really understand any of it, though. :slight_smile:

I do already have SSLHonorCipherOrder set to On in my .conf file, so, I’m going to assume I don’t need to change anything else. But if there’s something I should change, please let me know because I can’t figure out what I should change by your reply because it all goes over my head.

