Maybe an intermediate certificate is missing?

Or just call it a day and use another ACME client that can.


Does this look right?

# openssl verify -verbose -show_chain -CAfile /etc/letsencrypt/live/algasol.com/chain.pem /etc/letsencrypt/live/algasol.com/cert.pem
/etc/letsencrypt/live/algasol.com/cert.pem: OK
Chain:
depth=0: CN = *.algasol.com (untrusted)
depth=1: C = US, O = Let's Encrypt, CN = R3
depth=2: C = US, O = Internet Security Research Group, CN = ISRG Root X1

This is the command I ran (after some confusion and work trying to figure out exactly what string to pass to the --preferred-chain parameter):

docker run -it --rm --name certbot \
  -v "/root/.linode_api:/root/.linode_api" \
  -v "/etc/letsencrypt:/etc/letsencrypt" \
  -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
  -v "/var/log:/var/log" \
  -v "/etc/letsencrypt/renewal-hooks/deploy" \
  certbot/dns-linode renew --force-renewal --preferred-chain "ISRG Root X1"

But I'm still getting a broken chain diagnostic from "SSL Checker" after having deployed via the virtualmin install-cert command and restarting Apache.


That's because the webserver for algasol.com is still only serving the leaf certificate (and no intermediate certificates):

https://decoder.link/sslchecker/algasol.com/443

You need to fix your Apache configuration to actually serve the intermediate certificates.


OK, I went in and manually overrode the virtualmin install-cert operation in the apache2 configuration for algasol.com:

#SSLCACertificateFile /home/algasol/ssl.ca
SSLCACertificateFile /etc/letsencrypt/live/algasol.com/chain.pem

So web access works now.

I'll have to do the same for dovecot etc. as well apparently.


Looking better. I'm not seeing the second intermediate certificate (ISRG Root X1) though, probably because of this:

It all depends upon which chain you want:

IPv4 and IPv6 are not identical:

openssl s_client -connect algasol.com:443 -servername algasol.com -4 | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.algasol.com
verify return:1
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = *.algasol.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---

openssl s_client -connect algasol.com:443 -servername algasol.com -6 | head
140715871445440:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
CONNECTED(00000005)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 313 bytes
Verification: OK
---

IPv6 fails.

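An added check, not from any post in this thread, that parses the "Certificate chain" section of `openssl s_client` output like the listings above and classifies it the way the replies did: complete chain, leaf only (the Apache misconfiguration diagnosed earlier), or no certificate at all (the IPv6 failure). It also flags a chain whose issuer/subject links do not line up, which goes slightly beyond the cases in the thread; the three sample outputs are constructed from the chains shown here.

```python
import re

# Constructed sample: the complete chain seen over IPv4 above.
FULL_CHAIN = """\
Certificate chain
 0 s:CN = *.algasol.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""

# Constructed sample: only the leaf is served (no SSLCACertificateFile).
LEAF_ONLY = """\
Certificate chain
 0 s:CN = *.algasol.com
   i:C = US, O = Let's Encrypt, CN = R3
---
"""

# Constructed sample: the failed IPv6 handshake.
NO_CERT = """\
CONNECTED(00000005)
---
no peer certificate available
---
"""

# One chain entry: " N s:<subject>" followed by "   i:<issuer>".
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in ENTRY.finditer(output)]


def check_chain(output):
    """Classify s_client output as 'no-cert', 'leaf-only', 'broken' or 'ok'."""
    if "no peer certificate available" in output:
        return "no-cert"
    chain = parse_chain(output)
    if not chain:
        return "no-cert"
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        return "leaf-only"   # end-entity cert sent without its intermediates
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "broken"  # intermediates present but do not link up
    return "ok"              # each issuer is the next subject; ends at a root-issued cert
```

In practice, feed it the output of `openssl s_client -connect host:443 -servername host </dev/null 2>&1`, once per address family, as the posts above did with `-4` and `-6`.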

That's a great observation @rg305. I suspect that this may further indicate Apache configuration issues. Maybe incorrectly using IP:80 in the VirtualHosts instead of *:80?

