Invalid Intermediate - Spring Boot

Knubb · November 14, 2023, 11:17pm

My domain is:
https://theodorkohler.com

I ran this command:

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root

This command comes from another post

It produced this output:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/theodorkohler.com-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/theodorkohler.com-0001/privkey.pem
This certificate expires on 2024-02-12.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

My web server is:
Java Spring Boot 3.1.5

The operating system my web server runs on is:
Debian 11 ( Raspberry Pi OS)

My hosting provider, if applicable, is:
Not applicable

I can login to a root shell on my machine:
Yes

I'm using a control panel to manage my site:
No

The version of my client is:
Certbot 2.7.4

I then added the .p12 file to Spring Boot in the application.properties

server.port=443
server.ssl.enabled=true
server.ssl.key-store=<path-to-keystore>
server.ssl.key-store-password=<password>
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat

But accordning to whynopadlock.com

Invalid Intermediate
You have an invalid or missing intermediate (bundle) certificate. 
This may not break your padlock on all browsers, but will on others. 
Please contact your SSL Vendor for assistance with this error.

And as you can observe by visiting the website the certification is not valid. From what I've googled Invalid Intermediate can be caused by an incorrect installation of the certification on the webserver. But I don't know what in my installation process is wrong.

rg305 · November 14, 2023, 11:28pm

Hi @Knubb, and welcome to the LE community forum

This usually means something has not gone according to plan:

Let's have a look at:

`certbot certificates`

Knubb · November 14, 2023, 11:58pm

$ certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: theodorkohler.com
    Serial Number: fa8e5d6e942a89d8103b56a9c014d679f938
    Key Type: ECDSA
    Domains: theodorkohler.com
    Expiry Date: 2024-02-12 21:07:28+00:00 (INVALID: TEST_CERT)
    Certificate Path: /etc/letsencrypt/live/theodorkohler.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/theodorkohler.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

rg305 · November 15, 2023, 12:04am

This:

Doesn't match this:

Knubb:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/theodorkohler.com-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/theodorkohler.com-0001/privkey.pem

Knubb · November 15, 2023, 12:55am

I'm sorry. I've been trying to solve this all day and things got mixed up. I started all over with a new certification and this is what is looks like now.

/etc/letsencrypt/live $ tree
.
├── README
└── theodorkohler.com
    ├── cert.pem -> ../../archive/theodorkohler.com/cert1.pem
    ├── chain.pem -> ../../archive/theodorkohler.com/chain1.pem
    ├── fullchain.pem -> ../../archive/theodorkohler.com/fullchain1.pem
    ├── keystore.p12
    ├── privkey.pem -> ../../archive/theodorkohler.com/privkey1.pem
    └── README

1 directory, 7 files

$ certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: theodorkohler.com
    Serial Number: 49f8cd211ab0e8f24512da7dfbf0857eec2
    Key Type: ECDSA
    Domains: theodorkohler.com
    Expiry Date: 2024-02-12 23:18:23+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/theodorkohler.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/theodorkohler.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

With this new certificate installed the website is secure. I think the problem was that
I used the --test-cert flag on the sudo certbot certonly --standalone command because it had previously not worked and I didn't want to us up my 5 tries per hour. This resulted in files being created in /etc/letsencrypt/live/theodorkohler.com/ which looked like legitimate certificates but were in fact in invalid as can be seen in my previous post (INVALID: TEST_CERT).

Thank you for the help @rg305

system · December 15, 2023, 12:55am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.