MacOS Sierra, Chrome and let's encrypt certificates


#1

Hi,

I’m using, and they still work fine, Let’s Encrypt certificates for our https and wss services; these are servers that expose WebRTC-based services, with Chrome as the clients’ default browser.

Since I’ve updated to the new macOS “Sierra”, the browser (Chrome) has stopped accepting SSL certificates on ports different from 443.

If I call the site via https on port 443, the browser correctly detects the certificate and treats it as trusted, but if I try to connect over HTTPS to any other port, the certificate that is valid on port 443 is no longer valid.

This happens only under macOS Sierra and not on other OS X versions with Chrome. Just to explain: the same version of Chrome, 53.xxxx, on macOS Sierra does not trust the Let’s Encrypt certificate if it is not exposed on port 443 (“Not valid CA”, Chrome says), while the same Chrome version, 53.xxxx, on Mac OS X El Capitan or earlier accepts the Let’s Encrypt certificate as trusted.

What do I have to do? People are saying that the certificate is not correct for TLS, but it worked until macOS was updated and it fails only under macOS Sierra.

Do you have any suggestion to solve the issue? Mainly: are Let’s Encrypt certificates valid certificates for SSL/TLS, and can they be used on ports different from 443?

Looking forward to hearing from you, best regards,
Roberto


#2

It doesn’t matter what ports/protocols the certs are used with as long as it fits the TLS server and TLS client EKUs (not S/MIME or code signing). The likely cause is that your webserver is sending the correct chain but your other servers are not.


#3

This issue has more details about why this only affects Sierra. Prior to Sierra, Chrome would fetch the intermediate certificate automatically, but an API change broke that. Either way, including the intermediate (chain) certificate would be the better approach in terms of performance and compatibility. You can use SSL Labs to verify you’re sending the complete certificate chain.


#4

Hi cool110,

Yep, I know, that is why I’m here asking about it: until I used Chrome on macOS Sierra (the latest, released a few days ago) everything was working fine. If you go to our server with Chrome on Windows 10, for example, you do not have any issue, and the web socket service exposed on port 10044 is trusted by Chrome too.

But if I use Chrome on macOS Sierra, it starts telling me that the certificate, valid on port 443, is no longer valid on port 10044, and as the reason it returns:

There are issues with the site’s certificate chain (net::ERR_CERT_AUTHORITY_INVALID).

Here below are two snapshots of the same domain accessed on port 443 and on port 10042.

Here is the server response on port 443:

I CANNOT PUT THE SNAPSHOT BECAUSE I’M A “NEWBIE” :^((
BUT IT REPRESENTS A CORRECT SECURITY OVERVIEW WITH NO ISSUES

Here is the server response on port 10042:

When writing this reply pfg answered me about the Sierra issue…

So, is there anything I can do?

And anyway, why is the server of my French colleagues, which uses a GlobalTrust certificate, not affected by the issue? Even when wss is exposed on port 10032, it works fine in Sierra too.

Thank you for your patience and support,
regards,
Roberto


#5

As I said, it’s that the wss server isn’t configured correctly to send the chain cert; the other servers work because they are configured correctly.

Assuming that you used Certbot or a client with the same naming scheme to obtain your cert, change cert.pem to fullchain.pem in the server configuration and restart it.
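To make the cert.pem vs. fullchain.pem difference from this and the earlier reply concrete, here is an added Go example (not code from this thread, Let’s Encrypt or Certbot). It builds a throwaway root → intermediate → leaf chain in memory, starts a loopback TLS server twice, once presenting only the leaf (what cert.pem gives you) and once presenting leaf plus intermediate (fullchain.pem), and connects with a client that trusts only the root and does no automatic intermediate fetching, which is the situation the Sierra Chrome build is in. The names Demo Root CA, Demo Intermediate CA and localhost are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent; when parent is nil it is self-signed.
// CA certificates get the CertSign key usage; leaves get the TLS server EKU and a SAN.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn}, // constructed demo subject
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"localhost"}
	}
	signer, signerKey := tmpl, key // self-signed root
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// handshake runs a loopback TLS server that presents chain (leaf first) and connects
// with a client that trusts only root. It returns the client's handshake error, if any.
func handshake(root *x509.Certificate, chain [][]byte, leafKey *ecdsa.PrivateKey) error {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: chain, PrivateKey: leafKey}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // any verification failure surfaces on the client side
			c.Close()
		}
	}()
	pool := x509.NewCertPool()
	pool.AddCert(root) // the client's trust store holds the root only, like a browser
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Result holds the client's verdict for each server configuration.
type Result struct {
	LeafOnlyErr  error // server sends cert.pem only: expected to fail
	FullChainErr error // server sends fullchain.pem (leaf + intermediate): expected to pass
}

// Demo builds the chain and exercises both server configurations.
func Demo() Result {
	root, rootKey := issue("Demo Root CA", true, nil, nil)
	inter, interKey := issue("Demo Intermediate CA", true, root, rootKey)
	leaf, leafKey := issue("localhost", false, inter, interKey)
	leafOnly := [][]byte{leaf.Raw}            // what cert.pem contains
	fullChain := [][]byte{leaf.Raw, inter.Raw} // what fullchain.pem contains
	return Result{
		LeafOnlyErr:  handshake(root, leafOnly, leafKey),
		FullChainErr: handshake(root, fullChain, leafKey),
	}
}

func main() {
	r := Demo()
	fmt.Println("leaf only (cert.pem):               ", r.LeafOnlyErr)
	fmt.Println("leaf + intermediate (fullchain.pem):", r.FullChainErr)
}
```

The leaf-only run fails with an “unknown authority” error because the client cannot link the leaf to the root without the intermediate it was never sent; the full-chain run succeeds with the identical leaf certificate and key. This is the same condition SSL Labs reports as an incomplete chain, and it is independent of the port the service listens on.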


#6

Hi cool110!

Yes, you are right! I changed the order of the certificates and it works fine now!

Thank you!!!

regards,
Roberto


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.