Letsencrypt Bitnami Wordpress intermediate/chain cert missing


#1

WordPress 4.7.2, running on Apache 2.4.23 :

Bitnami Wordpress Lightsail

Linux 3.13 generic

Was it installed as the root user?
Lightsail Bitnami wordpress installation

Is there anything you’ve done and/or tried with the application before posting here?

No

E.g. changed permissions or installed a plugin:

Used lightsail with a bitnami web server to launch a wordpress server. Then went to this tutorial to install the letsencrypt client: https://docs.bitnami.com/aws/components/apache/#how-to-install-the-lets-encrypt-client

I followed the guide exactly, by copying over the server cert key and pem to the correct folders. After using ssl checker online, the issue is that there seems to be “intermediate/fullchain certificate” error I get. I believe “fullchain” cert and key needs to be copied over or is missing, would anyone be able to guide me through this issue?

Basically the code I ran to copy over the server cert and key was as follows:

sudo cp /etc/letsencrypt/live/DOMAIN/cert.pem /opt/bitnami/apache2/conf/server.crt
sudo cp /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key

In the end I can run the code above if I knew the file name of the intermediate/chain cert or key is.


#2

Yes you have this exactly. Your version of Apache is new enough that you can simply copy across fullchain.pem instead of the cert.pem you’re copying now. You should find it’s right there in the same directory.

The fullchain.pem has the certificate for your site and the intermediate in one file, your Apache version understands what to do in this case. Older ones needed the separate chain.pem but yours does not.


#3

Rather than copy the files, I’d suggest changing the config (or create a symlink) to point to the certs in /etc/letsencrypt/live/DOMAIN/ so that at renewal time, you only need to obtain a new cert, and reload apache.


#4

It looks like bitnami edited their documentation based on this question. Thanks so much @tialaramex for confirming my assumption.

In the end I deleted and added a new instance. I just wanted to inform others that when I reinstalled certbot letsencrypt client it was throwing me an dns record error.

So just make sure you update the A record to the correct ip address your host is providing you in your new instance.


#5

So I have edited the following httpd.vhosts.conf to :

    <VirtualHost *:80>
ServerName test.com
ServerAlias www.test.com
DocumentRoot "/opt/bitnami/apps/wordpress/htdocs"

  Include "/opt/bitnami/apps/wordpress/conf/httpd-app.conf"
</VirtualHost>

<VirtualHost *:443>
ServerName test.com
ServerAlias www.test.com
DocumentRoot "/opt/bitnami/apps/wordpress/htdocs"
SSLEngine on
SSLCertificateFile "/opt/bitnami/apps/wordpress/conf/certs/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apps/wordpress/conf/certs/server.key"
SSLCertificateChainFile "/opt/bitnami/apps/wordpress/conf/certs/fullchain.pem"
Include "/opt/bitnami/apps/wordpress/conf/httpd-app.conf"
</VirtualHost>

is this correct? If not, which file is needed and the location?

I am also getting an error stating " httpd could not restart". I’m assuming it’s because of the certs not pointing to the right location.


#6

In 2.4 you don’t use SSLCertificateChainFile anymore. However, you want fullchain.pem, not cert.pem, to be server.crt. The SSLCertificateFile for Apache 2.4 should contain both the leaf certificate and the intermediate certificate, which fullchain.pem does.

You can think of the cert.pem and chain.pem files as effectively intended for Apache 2.2, not 2.4.

@serverco’s suggestion about symbolic links rather than copying is also valuable here.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.