Intermediate Certificate

My domain is: Indianamat.com

I ran this command:
https://www.ssllabs.com/ssltest/analyze.html?d=indianamat.com

It produced this output: This server’s certificate chain is incomplete. Grade capped to B. Basically missing intermediate certificate when I go post links on Facebook and Twitter. When I use the Facebook sharing debugger I get this
SSL Error: Can’t validate SSL Certificate. Either it is self-signed (which will cause browser warnings) or it is invalid.
Curl Error: Curl error: 60 (SSL_CACERT)

My web server is (include version): Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.21

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: Local Company

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.36.0


How did you get and install the certificate in the first place?

I used certbot to install it

Sorry, my crystal ball hasn't been working since last weekend… Therefore, I cannot read your mind on how exactly you got and installed the certificate. Which command line parameters were used exactly?

When the certificate is actually installed by certbot without any manual tampering to the Apache configuration, this error would not occur.

I used what was on the Certbot website, it was about a year ago so I am not exactly certain how I did it other than following the commands on the Certbot website.

Please output the results of:

cat /etc/letsencrypt/renewal/indianamat.com.conf

This is still a bit vague...
Does your system have a "history" ?
[maybe you could use that to look back in time at what was executed … a year ago]

Can you also post the Apache virtual host for https://indianamat.com/?

version = 0.36.0
archive_dir = /etc/letsencrypt/archive/indianamat.com
cert = /etc/letsencrypt/live/indianamat.com/cert.pem
privkey = /etc/letsencrypt/live/indianamat.com/privkey.pem
chain = /etc/letsencrypt/live/indianamat.com/chain.pem
fullchain = /etc/letsencrypt/live/indianamat.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = 3ea8e2820ad8b41306d382284e5c2173
server = https://acme-v02.api.letsencrypt.org/directory

The history was cleared about 6 months ago, so I don’t have anything there from when I installed it.

<VirtualHost *.80>
ServerAdmin joe@indianamat.com
ServerName indianamat.com
ServerAlias www.indianamat.com
DocumentRoot /var/www/html
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.indianamat.com [OR]
RewriteCond %{SERVER_NAME} =indianamat.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

That looks good. :slightly_smiling_face: (I think.)

Can you also post the HTTPS, port 443 virtual host?

Here you go

<IfModule mod_ssl.c>
<VirtualHost *.80:443>
  ServerAdmin joe@indianamat.com
  ServerName indianamat.com
  ServerAlias www.indianamat.com
  DocumentRoot /var/www/html
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/indianamat.com-0001/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/indianamat.com-0001/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/indianamat.com-0001/chain.pem
</VirtualHost>
</IfModule>

Hm, it looks like there are multiple certificate “lineages” on your server for the same website…

Could you also post the output of certbot certificates?

The SSL settings in that block look valid.

Wait, what does that do? A hostname or IP of "*.80"? Your public IP doesn't end in *.80.

Could requests be going to another virtual host?

What does "sudo httpd -t -D DUMP_VHOSTS" show?


Yeah! Most likely this block is being ignored/bypassed.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: indianamat.com-0001
Domains: indianamat.com
Expiry Date: 2019-12-29 13:13:03+00:00 (VALID: 32 days)
Certificate Path: /etc/letsencrypt/live/indianamat.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/indianamat.com-0001/privkey.pem
Certificate Name: indianamat.com
Domains: indianamat.com www.indianamat.com
Expiry Date: 2019-12-29 13:13:13+00:00 (VALID: 32 days)
Certificate Path: /etc/letsencrypt/live/indianamat.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/indianamat.com/privkey.pem
Certificate Name: www.indianamat.com
Domains: www.indianamat.com
Expiry Date: 2019-12-29 13:13:18+00:00 (VALID: 32 days)
Certificate Path: /etc/letsencrypt/live/www.indianamat.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.indianamat.com/privkey.pem

[Tue Nov 26 23:30:46.664707 2019] [core:error] [pid 18503] (EAI 2)Name or service not known: AH00547: Could not resolve host name *.80 -- ignoring!
[Tue Nov 26 23:30:47.534213 2019] [core:error] [pid 18503] (EAI 2)Name or service not known: AH00547: Could not resolve host name *.80 -- ignoring!
VirtualHost configuration:
*:443 indianamat.com (/etc/httpd/conf.d/ssl.conf:56)

And that's the only VirtualHost? That's the complete output?

This doesn't make sense.

Your SSLCertificate* directives are correct. You've configured the chain correctly! If that configuration is being used, and you haven't tampered with Certbot's files, the chain issue reported by SSL Labs is not possible. :confused:

For that matter, the "Include /etc/letsencrypt/options-ssl-apache.conf" setting means that the "This server does not support Forward Secrecy with the reference browsers." issue reported by SSL Labs also probably shouldn't be happening.

You should remove the extra ".80" from the VirtualHost. It probably shouldn't cause these issues? But if nothing else, it's probably causing wasteful DNS queries.

Is it possible that Apache hasn't actually been reloaded or restarted recently, and it's running off a different configuration?

Could there be SSLCertificate* settings directly in Apache's main configuration file, or another included file, outside of any VirtualHosts?

Is that the VirtualHost you pasted earlier? /etc/httpd/conf.d/ssl.conf, starting at line 56?

Can an Apache expert confirm what's happening? Is Apache ignoring the erroneous hostname? Is it ignoring the entire VirtualHost specified with the erroneous hostname?

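A small static check for the two things this thread turns on: a VirtualHost address Apache cannot parse (it tries to resolve "*.80" as a hostname, logs AH00547 and drops the whole vhost, so the SSL settings inside it never take effect) and an SSLCertificateFile pointing at a bare leaf with no intermediate chain behind it. This is an added example, not code from the thread, Certbot or Apache; the sample input is the HTTPS vhost posted above plus a corrected copy, and the address grammar is a simplified version of what Apache accepts.

```python
import re

# Each <VirtualHost ...> ... </VirtualHost> block (case-insensitive, spans lines).
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
# Accepted address forms: "*", "_default_", an IPv4 address, a [IPv6] address or a
# hostname, each optionally followed by ":port". Anything else ("*.80:443") is
# handed to the resolver by Apache and, when that fails, the vhost is ignored
# with "AH00547: Could not resolve host name ... -- ignoring!".
ADDR_RE = re.compile(
    r"^(?:\*|_default_|\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9][A-Za-z0-9.\-]*)(?::\d{1,5})?$"
)


def directive(body, name):
    """Return the value of the first `name` directive in a vhost body, or None."""
    m = re.search(r"^\s*%s\s+(\S+)" % re.escape(name), body, re.I | re.M)
    return m.group(1) if m else None


def lint_vhosts(config_text):
    """Return a list of (address, problem) tuples for the vhosts in config_text."""
    findings = []
    for addr_list, body in VHOST_RE.findall(config_text):
        for addr in addr_list.split():
            if not ADDR_RE.match(addr):
                findings.append((addr, "unparseable address; Apache will try to "
                                       "resolve it and ignore this vhost"))
        cert = directive(body, "SSLCertificateFile")
        chain = directive(body, "SSLCertificateChainFile")
        # A leaf-only cert with no chain directive is exactly what SSL Labs
        # reports as "certificate chain is incomplete"; a fullchain.pem in
        # SSLCertificateFile already carries the intermediates (Apache >= 2.4.8).
        if cert and not chain and not cert.endswith("fullchain.pem"):
            findings.append((addr_list.strip(), "leaf certificate configured "
                                                "without an intermediate chain"))
        if cert and not directive(body, "SSLCertificateKeyFile"):
            findings.append((addr_list.strip(), "SSLCertificateFile without key"))
    return findings


# Constructed sample: the vhost from this thread, then a corrected copy, then a
# copy with the chain directive commented out.
BROKEN = """<IfModule mod_ssl.c>
<VirtualHost *.80:443>
  ServerName indianamat.com
  SSLCertificateFile /etc/letsencrypt/live/indianamat.com-0001/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/indianamat.com-0001/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/indianamat.com-0001/chain.pem
</VirtualHost>
</IfModule>
"""
FIXED = BROKEN.replace("*.80:443", "*:443")
NO_CHAIN = FIXED.replace("SSLCertificateChainFile", "# SSLCertificateChainFile")
```

Running `lint_vhosts` over the real file (`/etc/httpd/conf.d/ssl.conf` in this thread) before `httpd -t -D DUMP_VHOSTS` catches the dropped vhost without reading the error log.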

Where else should I look for the Virtual Host? Server stuff isn't my thing, but I can usually find everything I need once told what I need to look for.

I'll restart apache, just to take that potential issue away.
