MacOS X and iOS rejecting Cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: VirtualHost configuration:

```text
*:443 default (/etc/apache2/sites/0000_127.0.0.1_34543_.conf:1)
*:80 is a NameVirtualHost
    default server fortunata.teleinteractive.net (/etc/apache2/sites/0000_127.0.0.1_34580_.conf:1)
    port 80 namevhost fortunata.teleinteractive.net (/etc/apache2/sites/0000_127.0.0.1_34580_.conf:1)
    port 80 namevhost press.teleinteractive.net (/etc/apache2/sites/0000_127.0.0.1_80_press.teleinteractive.net.conf:1)
        alias blogs.teleinteractive.net
        alias www.teleinteractive.net
        alias blog.teleinteractive.net
        alias press.teleinteractive.net
```

I ran this command: n/a

It produced this output: n/a

My web server is (include version): Apache/2.4.28 (Unix)

The operating system my web server runs on is (include version): Mac OS X 10.11.6

My hosting provider, if applicable, is: self collocated at MacStadium

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Apple Server.app v5.2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.6.0

Statement: I last used certbot on August 3. Today, as with so many others, the certificates are not recognized by our Mac OS (older and current on various machines) and iOS14.8. I use a script from the Let’s Encrypt community to convert the fullchain.pem into a P12 certificate for Apple Server. This certificate handles our email and website. The script is:

```sh
#!/bin/sh

PEM_FOLDER="/etc/letsencrypt/live/fortuna.teleinteractive.net/"
LOG_FOLDER="/Users/dipaolantonio/Documents/sslcerts/letsencrypt/lets_script/logs"
DATE=$(date +"%d-%m-%y")
LOG_FILE="${LOG_FOLDER}/${DATE}.log"

# Generate a passphrase - UNCOMMENT THE NEXT LINE AFTER THE TEST RUN WORKED
PASS=$(openssl rand -base64 45 | tr -d /=+ | cut -c -30)

# Transform the pem files into a OS X Valid p12 file - UNCOMMENT THE NEXT LINE AFTER THE TEST RUN WORKED
# (cert.pem is passed with -in and fullchain.pem with -certfile)
sudo openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" -in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}fullchain.pem" -out "${PEM_FOLDER}letsencrypt_sslcert.p12" -passout "pass:${PASS}"

# import the p12 file in keychain - UNCOMMENT THE NEXT LINE AFTER THE TEST RUN WORKED
sudo security import "${PEM_FOLDER}letsencrypt_sslcert.p12" -f pkcs12 -k /Library/Keychains/System.keychain -P "${PASS}" -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
```

The PEM folder contains:

```text
sudo ls -al /etc/letsencrypt/live/fortuna.teleinteractive.net/
Password:
total 64
drwxr-xr-x  8 root  wheel   272 Aug  3 12:13 .
drwxr-xr-x  4 root  wheel   136 Sep 28  2017 ..
-rw-r--r--  1 root  wheel   543 Sep 28  2017 README
lrwxr-xr-x  1 root  wheel    52 Aug  3 12:13 cert.pem -> ../../archive/fortuna.teleinteractive.net/cert23.pem
lrwxr-xr-x  1 root  wheel    53 Aug  3 12:13 chain.pem -> ../../archive/fortuna.teleinteractive.net/chain23.pem
lrwxr-xr-x  1 root  wheel    57 Aug  3 12:13 fullchain.pem -> ../../archive/fortuna.teleinteractive.net/fullchain23.pem
-rw-r--r--  1 root  wheel  9957 Aug  3 12:19 letsencrypt_sslcert.p12
lrwxr-xr-x  1 root  wheel    55 Aug  3 12:13 privkey.pem -> ../../archive/fortuna.teleinteractive.net/privkey23.pem
```

Yes, I know that I should migrate from Server, and it’s long overdue. I would truly appreciate any help from the community to tide us over until I can do so. As far as I can tell, I am using the fullchain.pem to create the P12 cert, so all the other topics here that recommend the fullchain don’t help. Please let me know what I am missing, or what I can try. Thank you.

Your served chain looks good to me:

```sh
openssl s_client -showcerts -connect fortunata.teleinteractive.net:443 -servername fortunata.teleinteractive.net
```

Have you tried a reboot of your clients?

2 Likes

No, but I just rebooted the server, based on your suggestion. It has only been 25 years since I last worked as a sysadmin — I shouldn’t have forgotten such a simple thing /sigh The iOS clients are receiving email now. I will check the others. Thank you so very much for your quick response.

2 Likes

Good to know, I didn't think a server reboot would matter for Linux (it does on Windows).

1 Like

Neither one looks perfect to me:

```text
---
Certificate chain
 0 s:/CN=fortunata.teleinteractive.net
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/CN=fortunata.teleinteractive.net
   i:/C=US/O=Let's Encrypt/CN=R3
 2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 4 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
```

Both show the same output:

```sh
openssl s_client -connect fortuna.teleinteractive.net:443 -servername fortuna.teleinteractive.net
openssl s_client -connect fortunata.teleinteractive.net:443 -servername fortunata.teleinteractive.net
```

Lines ZERO and ONE are duplicates.
Line FOUR is a root and should never be sent.

1 Like
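A small checker for the kind of `openssl s_client` chain listing quoted above, added here as an example and not code from any reply in this thread. It flags the two findings from the post (a repeated certificate and a self-signed root sent by the server) and verifies that each issuer matches the next subject. Since the text listing carries no fingerprints, an identical subject/issuer pair is used as the proxy for "same certificate", which is an assumption of this checker.

```python
import re
from typing import List, Tuple

# Constructed sample: the "Certificate chain" block from the s_client output
# quoted in the reply above (subject and issuer lines only).
SAMPLE = """\
Certificate chain
 0 s:/CN=fortunata.teleinteractive.net
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/CN=fortunata.teleinteractive.net
   i:/C=US/O=Let's Encrypt/CN=R3
 2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 4 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""

# One chain entry: an index line " N s:<subject>" followed by "   i:<issuer>".
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in ENTRY.finditer(text)]


def lint_chain(text: str) -> List[str]:
    """Report duplicates, a served root, and broken issuer-to-subject links."""
    chain = parse_chain(text)
    findings: List[str] = []
    first_seen = {}  # (subject, issuer) -> index of first occurrence
    for idx, (subj, iss) in enumerate(chain):
        key = (subj, iss)
        if key in first_seen:
            findings.append(f"duplicate: cert {idx} repeats cert {first_seen[key]} ({subj})")
        else:
            first_seen[key] = idx
        if subj == iss:
            findings.append(f"self-signed root sent at position {idx}: {subj}")
    # Linkage check over the distinct entries: each issuer must be the next subject.
    distinct = [c for i, c in enumerate(chain) if first_seen[c] == i]
    for (_, iss), (nxt_subj, _) in zip(distinct, distinct[1:]):
        if iss != nxt_subj:
            findings.append(f"broken link: issuer {iss!r} != next subject {nxt_subj!r}")
    return findings


if __name__ == "__main__":
    for line in lint_chain(SAMPLE) or ["chain looks clean"]:
        print(line)
```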

This might be part of that problem:

1 Like

Thank you for your help. I am not sure that I understand the problem with that line from the script. Is the information in the cert file duplicating the information in the fullchain file, thus causing the duplication of line 0 into line 1 and exposing the root in line 4? Would you have any recommendations on how to change that line of the script, or resources that I might research to fix it? Thank you again.

1 Like

The fullchain.pem file contains cert.pem.
Using them both would then include cert.pem twice.

Here, let me draw it out:
cert.pem = CERT
fullchain.pem = CERT + CHAIN
cert.pem & fullchain.pem = CERT & CERT + CHAIN

1 Like

I don't know what is required or what can be skipped in that script, so I can't be 100% certain.
That said, the most obvious choice is to NOT use fullchain.pem and instead use chain.pem
[a file that is hardly ever used - even I had to look at the contents to make sure it does what it says]

1 Like

I see. OpenSSL is not an area that I understand well. The script came from the Let’s Encrypt community and I have been using it for years. Should that line of the script be changed to:

```sh
# Transform the pem files into a OS X Valid p12 file - UNCOMMENT THE NEXT LINE AFTER THE TEST RUN WORKED
# (cert.pem with -in, and chain.pem instead of fullchain.pem with -certfile)
sudo openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" -in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}chain.pem" -out "${PEM_FOLDER}letsencrypt_sslcert.p12" -passout "pass:${PASS}"
```

That is, simply replace the fullchain.pem with chain.pem? Thank you for your patience.

1 Like

That would seem to do the trick on the ZERO and ONE duplication.
The jury is still out on the FOUR problem...
[but that is likely not that problematic; as no one accepts roots from web servers anyway]

Let's make that one fix and see how things look.
Like via SSL Labs [they do a really good job]

1 Like

Then we shall see. Thank you again for your help and insight. Be well.

1 Like

Glad to be of service :slight_smile:
Cheers from Miami :beers:

#FreeCUBA :cuba:

2 Likes
