Invalid or missing intermediate certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cprint.arivo.com

I ran this command: several free SSL checkers online

It produced this output: chain is incomplete, No Intermediate/Chain certificate were found

My web server is (include version): Source Technologies ST9815 (printer embedded web server)

The operating system my web server runs on is (include version): Not sure

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Using the embedded web server

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

I generated the CSR on the printer, then used Certbot to generate the certificate. After installation, I get the padlock showing the site is secure, but when I verify the domain using several different SSL checkers online, they all show that I'm missing the intermediate certificate. I have installed the chain.pem file that was generated, but can't get it to present the intermediate certificate.

Anyone familiar with installing these certificates on printers? I've tried everything I can think of, but can't get it to work.

Printers are the worst, aren't they?

I haven't managed to install anything on my printer yet (it doesn't support TLS 1.2 or ECDSA, despite those being fairly common at the time it was created), so I don't know if I can help you that much. Can you give a screenshot or something of how you load the certificate onto the device? It may be as simple as using fullchain.pem instead of cert.pem or something along those lines.

4 Likes

I can't connect to that host on port 443, so I can't check it myself, but note that many online chain validators are not handling the expired DST Root CA X3 cert well. So perhaps everything is just fine.

3 Likes

Printers are definitely not my favorite.

Sure, the screenshots below show the Cert Management section on the printer. It has you generate a cert, then from that cert, download the CSR, and upload the signed cert.

Ok, thanks, good to know. It definitely seems fine from everything I can see, but it's causing problems with one of our vendors trying to print via IPP.

1 Like

Using https://www.redirect-checker.org/ I see a redirect that is one I am less familiar with; also the redirect is https on port 4343.
http://cprint.arivo.com/
307 Temporary Redirect
https://cprint.arivo.com:4343/
200 OK

2 Likes

Sorry, I had https traffic limited to specific IPs on the firewall. It should be working on 443 now.

In your Device Certificates, did you try uploading fullchain.pem from your certbot ../live/ folder? It looks like only the cert.pem is there (so, missing intermediates).

fullchain.pem is your leaf with the full intermediate chain.

The CA section looks like a trusted root section which is a different thing

2 Likes

Using SSL Server Test (Powered by Qualys SSL Labs) for the domain name cprint.arivo.com I see

Unfortunately, you're not sending the chain (now that you opened port 443 I could check), so my previous hopeful statement was false in this case, sorry.

@MikeMcQ When using a separate CSR with Certbot, there is no /live/ folder.

4 Likes

Huh. thanks. Is there still a fullchain.pem somewhere?

3 Likes

I'm not sure, actually. There are a bunch of files saved to the current working directory, prefixed with weird numbers like 000_ and 001_ I believe. I dunno if there's a fullchain or just the chain (and cert).

4 Likes

@gregt Do you have a manual you can share? I looked at that vendor site but the manual online does not mention that cert creation page.

Using certbot you don't need to create a CSR in advance. You can just request a cert and certbot makes one. I was thinking if you did that you could just use the Import button to upload the resulting fullchain.pem file.

I don't have experience with that device and without any manual it's just guessing based on what I've seen with other systems. Still, it's worth a try. Peter was suggesting similar in the second post.

3 Likes

Some devices won't let you upload the corresponding private key, but instead generate one and keep it for itself. Thus requiring a CSR.

4 Likes

Oh, right. That makes more sense given Greg's description.

3 Likes

@Osiris - It did create 3 files - 0000_cert.pem, 0000_chain.pem and 0001_chain.pem. It looks like the 0001_chain.pem has the chain and cert.

@MikeMcQ - Unfortunately, it seems that manuals for these printers don't give any direction for the certificates. I inherited this printer without any documentation, and the user guides I've found are probably the same you found.

I did try creating the cert without the CSR from the printer, and was able to import it, but the printer wouldn't use it. It didn't work until I created the CSR. The import requires a .pfx file, so I'm working on getting it converted, but I'm still trying to figure out how to get the private key from the printer.

Printers are the worst.

3 Likes
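As an added example, not code from the thread or from any participant, here is what the "chain is incomplete" result means on disk and how to check a bundle before uploading it, using openssl in a shell. It builds a throwaway root / intermediate / leaf hierarchy (the names Toy Root, Toy Intermediate and printer.example are constructed), compares a leaf-only bundle like cert.pem against a leaf-plus-intermediate bundle like fullchain.pem or the 0001_chain.pem the poster found, catches the reversed-order mistake, and ends with the .pfx packaging mentioned above. The functions chain_status, served_cert_count and pfx_cert_count, the file names and the password are my own, not anything certbot or the printer provides.

```shell
#!/bin/sh
# Added example, not code from the thread: what "chain is incomplete" means on
# disk, and how to check a bundle before uploading it. Everything here is a
# throwaway toy hierarchy; the names (Toy Root, printer.example) are made up.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal req config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:printer.example\n' > leaf.ext
KEY='-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes'

# Root (self-signed) -> intermediate -> leaf, the same shape as root / R3 / your cert.
openssl req -new -config req.cnf $KEY -subj '/CN=Toy Root' -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>/dev/null
openssl req -new -config req.cnf $KEY -subj '/CN=Toy Intermediate' -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
  -extfile ca.ext -out int.pem 2>/dev/null
openssl req -new -config req.cnf $KEY -subj '/CN=printer.example' -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 1 \
  -extfile leaf.ext -out leaf.pem 2>/dev/null

cp leaf.pem cert.pem                  # like certbot's cert.pem: leaf only
cat leaf.pem int.pem > fullchain.pem  # like fullchain.pem: leaf first, then intermediate(s)
cat int.pem leaf.pem > reversed.pem   # wrong order, a common upload mistake

# chain_status BUNDLE ROOT: prints "complete" if BUNDLE holds the leaf plus every
# intermediate needed to reach ROOT (in order, and accepted by openssl verify);
# otherwise prints "incomplete", explains on stderr, and returns 1.
chain_status() {
  bundle=$1; root=$2; d=$(mktemp -d)
  # Split the bundle: part1.pem is the leaf, part2.pem onward the intermediates.
  awk -v dir="$d" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/part" n ".pem")}' "$bundle"
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
  if [ "$n" -lt 2 ]; then
    echo "only $n certificate in $bundle: the intermediate is missing" >&2
    echo incomplete; rm -rf "$d"; return 1
  fi
  i=1; : > "$d/untrusted.pem"
  while [ "$i" -lt "$n" ]; do
    # Each cert's issuer must be the subject of the cert that follows it.
    iss=$(openssl x509 -noout -issuer -in "$d/part$i.pem" | sed 's/^issuer=//')
    sub=$(openssl x509 -noout -subject -in "$d/part$((i+1)).pem" | sed 's/^subject=//')
    if [ "$iss" != "$sub" ]; then
      echo "cert $i is issued by '$iss' but the next cert is '$sub' (wrong order?)" >&2
      echo incomplete; rm -rf "$d"; return 1
    fi
    cat "$d/part$((i+1)).pem" >> "$d/untrusted.pem"
    i=$((i+1))
  done
  if openssl verify -CAfile "$root" -untrusted "$d/untrusted.pem" "$d/part1.pem" >/dev/null 2>&1; then
    echo complete; rm -rf "$d"; return 0
  fi
  echo "chain links up but does not validate to $root" >&2
  echo incomplete; rm -rf "$d"; return 1
}

for b in cert.pem fullchain.pem reversed.pem; do
  printf '%-14s %s\n' "$b:" "$(chain_status "$b" root.pem 2>/dev/null || true)"
done

# served_cert_count HOST [PORT]: what a live server actually sends (needs network,
# so it is defined but not called here). A result of 1 is exactly the "no
# intermediate found" complaint from the online checkers.
served_cert_count() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# For devices whose import wants a .pfx: key + leaf + intermediate(s) in one
# PKCS#12 file. This only works when you hold the private key (certbot made it);
# a key generated inside the printer never leaves it, hence the CSR route.
openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile int.pem \
  -passout pass:changeit -out printer.pfx
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c -- '-----BEGIN CERTIFICATE-----'
}
echo "certificates in printer.pfx: $(pfx_cert_count printer.pfx)"
```

The order check matters because most servers and devices send the file exactly as uploaded: the leaf must come first, followed by the intermediate that signed it. Uploading only cert.pem (one certificate) is what makes a checker report a missing chain even though a browser with a cached or bundled intermediate still shows a padlock.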

Your screenshot also showed a button with "Certificate Auto Update". What does that do? Perhaps something automated, perhaps something using Let's Encrypt?

4 Likes

Interesting: the Server banner is Lexmark_Web_Server, while the printer itself claims to be a Source Technologies ST9815.

Ah, and here is likely the reason
https://customer.scc-inc.com/Products/Printers/Source%20Technologies%20ST9815

2 Likes

Do you really want the Internet connecting to your printer?

2 Likes