Intermediate chain missing on Azure, please help

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: loadbalancer.22dao.org

I ran this command: sudo certbot certonly --email contact@22dao.org -d loadbalancer.22dao.org --agree-tos --manual

It produced this output: a key, I converted it to a pfx and uploaded it as a certificate to an azure load balancer

My web server is (include version):

The operating system my web server runs on is (include version): Azure gateway

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello and welcome to the community @22dao

It fails to validate on some clients because you do not send any intermediate certificates (the chain). I do not know how to do that on Azure but this is why it is failing. Use a site like this to see the missing chain. Use this same site with a website like this one to see what it should look like.
https://decoder.link/sslchecker/loadbalancer.22dao.org/443

Hi Mike, thanks for the reply! How do I make sure I have the full chain?

This was the tutorial I used: Automating Azure Application Gateway SSL certificate renewals with Let’s Encrypt and Azure Automation (intelequia.com)
Down at the "Installing the Let’s Encrypt certificate by the first time on the Gateway" section

Did I lose part of it when I was converting the chain

I still don't know I was hoping that was enough of a clue for you. Otherwise wait for an Azure expert to assist. I am going to change your title to signal that.

So I generated the certificates on a linux vm and then converted the pfx format using this conversation. Then I uploaded them to azure, so I think it has to do with the export/conversion process. Anything stand out?

This was the conversion command
sudo openssl pkcs12 -inkey <loadbalancer.pem path> -in <loadbalancer.cert path> -export -out loadbalancer.pfx

I think I fixed the problems with the SSL Checker (decoder.link)

but am still ruinning into some problems, any ideas??

Generate your PFX with the ISRG Root X1 chain (not the default DST Root CA X3 which is not really valid on windows). If using certbot use the fullchain.pem file for your cert (this includes the intermediates). You also need to set a PFX password for it to be used on Azure.

If you can use Azure Key vault you can automated this with https://certifytheweb.com (the app I develop) - with that you would generate a certificate with a password (set under Certificate > Advanced > Signing & Security) and add a Deploy To Azure Key Vault task, then configure your gateway to pickup it's cert from Key Vault (if possible). That way, subsequent automatic renewals will push the new cert to key vault and keep the cert up to date (I think! I haven't tried Azure Gateway).

Is this what you mean by using the fullchain.pem file as the cert? or should should it be used as the -in file?

sudo openssl pkcs12 -inkey /etc/letsencrypt/live/loadbalancer.22dao.org/privkey.pem -in /etc/letsencrypt/live/loadbalancer.22dao.org/cert.pem --certfile /etc/letsencrypt/live/loadbalancer.22dao.org/fullchain.pem -export -out ~/loadbalancer.22dao.org.pfx

Try:

sudo openssl pkcs12 -export \
 -in    /etc/letsencrypt/live/loadbalancer.22dao.org/fullchain.pem \
 -inkey /etc/letsencrypt/live/loadbalancer.22dao.org/privkey.pem \
 -out  ~/loadbalancer.22dao.org.pfx

Perfect, thanks!! This fixed it

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.