Intermediate Certificate

My domain is: Indianamat.com

I ran this command:
https://www.ssllabs.com/ssltest/analyze.html?d=indianamat.com

It produced this output: This server’s certificate chain is incomplete. Grade capped to B. Basically missing intermediate certificate when I go post links on Facebook and Twitter. When I use the Facebook sharing debugger I get this
SSL Error: Can’t validate SSL Certificate. Either it is self-signed (which will cause browser warnings) or it is invalid.
Curl Error: Curl error: 60 (SSL_CACERT)

My web server is (include version): Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.21

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: Local Company

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.36.0

1 Like

How did you get and install the certificate in the first place?

I used certbot to install it

Sorry, my crystal ball isn’t working since last weekend… Therefore, I cannot read your mind on how exactly you got and installed the certificate. Which command line parameters were used exactly?

When the certificate is actually installed by certbot without any manual tampering to the Apache configuration, this error would not occur.

I used what was on the Certbot website, it was about a year ago so I am not exactly certain how I did it other than following the commands on the Certbot website.

Please output the results of:

cat /etc/letsencrypt/renewal/indianamat.com.conf

This is still a bit vague…
Does your system have a “history” ?
[maybe you could use that to look back in time at what was executed … a year ago]

Can you also post the Apache virtual host for https://indianamat.com/?

version = 0.36.0
archive_dir = /etc/letsencrypt/archive/indianamat.com
cert = /etc/letsencrypt/live/indianamat.com/cert.pem
privkey = /etc/letsencrypt/live/indianamat.com/privkey.pem
chain = /etc/letsencrypt/live/indianamat.com/chain.pem
fullchain = /etc/letsencrypt/live/indianamat.com/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = 3ea8e2820ad8b41306d382284e5c2173
server = https://acme-v02.api.letsencrypt.org/directory

The history was cleared about 6 months ago, so I don’t have anything there from when I installed it.

<VirtualHost *.80>
ServerAdmin joe@indianamat.com
ServerName indianamat.com
ServerAlias www.indianamat.com
DocumentRoot /var/www/html
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.indianamat.com [OR]
RewriteCond %{SERVER_NAME} =indianamat.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

That looks good. :slightly_smiling_face: (I think.)

Can you also post the HTTPS, port 443 virtual host?

Here you go

<IfModule mod_ssl.c>
<VirtualHost *.80:443>
  ServerAdmin joe@indianamat.com
  ServerName indianamat.com
  ServerAlias www.indianamat.com
  DocumentRoot /var/www/html
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/indianamat.com-0001/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/indianamat.com-0001/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/indianamat.com-0001/chain.pem
</VirtualHost>
</IfModule>

Hm, it looks like there are multiple certificate “lineages” on your server for the same website…

Could you also post the output of certbot certificates?

The SSL settings in that block look valid.

Wait, what does that do? A hostname or IP of “*.80”? Your public IP doesn’t end in *.80.

Could requests be going to another virtual host?

What does “sudo httpd -t -D DUMP_VHOSTS” show?

4 Likes

Yeah! Most likely this block is being ignored/bypassed.

1 Like
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: indianamat.com-0001
Domains: indianamat.com
Expiry Date: 2019-12-29 13:13:03+00:00 (VALID: 32 days)
Certificate Path: /etc/letsencrypt/live/indianamat.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/indianamat.com-0001/privkey.pem
Certificate Name: indianamat.com
Domains: indianamat.com www.indianamat.com
Expiry Date: 2019-12-29 13:13:13+00:00 (VALID: 32 days)
Certificate Path: /etc/letsencrypt/live/indianamat.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/indianamat.com/privkey.pem
Certificate Name: www.indianamat.com
Domains: www.indianamat.com
Expiry Date: 2019-12-29 13:13:18+00:00 (VALID: 32 days)
Certificate Path: /etc/letsencrypt/live/www.indianamat.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.indianamat.com/privkey.pem


[Tue Nov 26 23:30:46.664707 2019] [core:error] [pid 18503] (EAI 2)Name or service not known: AH00547: Could not resolve host name *.80 – ignoring!
[Tue Nov 26 23:30:47.534213 2019] [core:error] [pid 18503] (EAI 2)Name or service not known: AH00547: Could not resolve host name *.80 – ignoring!
VirtualHost configuration:
*:443 indianamat.com (/etc/httpd/conf.d/ssl.conf:56)

And that’s the only VirtualHost? That’s the complete output?

This doesn’t make sense.

Your SSLCertificate* directives are correct. You’ve configured the chain correctly! If that configuration is being used, and you haven’t tampered with Certbot’s files, the chain issue reported by SSL Labs is not possible. :confused:

For that matter, the “Include /etc/letsencrypt/options-ssl-apache.conf” setting means that the “This server does not support Forward Secrecy with the reference browsers.” issue reported by SSL Labs also probably shouldn’t be happening.

You should remove the extra “.80” from the VirtualHost. It probably shouldn’t cause these issues? But if nothing else, it’s probably causing wasteful DNS queries.

Is it possible that Apache hasn’t actually been reloaded or restarted recently, and it’s running off a different configuration?

Could there be SSLCertificate* settings directly in Apache’s main configuration file, or another included file, outside of any VirtualHosts?

Is that the VirtualHost you pasted earlier? /etc/httpd/conf.d/ssl.conf, starting at line 56?

Can an Apache expert confirm what’s happening? Is Apache ignoring the erroneous hostname? Is it ignoring the entire VirtualHost specified with the erroneous hostname?

1 Like

Where else should I look for the Virtual Host? Server stuff isn’t my thing, but I can usually find everything I need once told what I need to look for.

I’ll restart apache, just to take that potential issue away.

1 Like