Not trusted from some ISP networks

Hi, hope you can help since I am pretty lost and my current situation is very problematic for my small semiprofessional business.

Here some infos:

$$$
My domain is:
www.lechner.eu.com

I ran this command:
using "Certify The Web" to create certificates

It produced this output:
successful certificate creation.
seems to be also successfully installed on my server.

My web server is (include version):
Apache HTTP Server 2.4.51

The operating system my web server runs on is (include version):
Windows Server 2022 Standard (21H2)

My hosting provider, if applicable, is:
private ISP with own server

I can login to a root shell on my machine (yes or no, or I don't know):
full control

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no, just apache and direct access to the machine

The version of my client is:
Certify The Web (Certify SSL/TLS Certificate Manager 5.6.8.0)
$$$

As written, I am using an old Apache server and have found a configuration and setup where I create the Let's Encrypt certificates with the Certify The Web app and then use the Apache httpd-vhosts.conf file to load them.
I thought everything was fine since it is working quite well for me and some of my friends. Now I noticed that the website is considered not trustworthy from some other corporate networks, to which I don't have permanent access.
The error I received was: NET::ERR_CERT_AUTHORITY_INVALID
I tried to reproduce the problem on other machines or ISPs but I failed. Now I also found https://www.digicert.com/help/ where a kind of certificate tester is available.
There I receive the following output:
TLS Certificate is not trusted
and so on.

Is it that Let's Encrypt certificates are generally not trusted by some companies in their setups?
Do I need to buy a certificate instead?
Is my configuration incorrect?
Problem with the certificate?
Problem with my server config?
By the way, I am using multiple subdomains in the same certificate, but for now it does not seem to me that this is a problem.

Really hope someone can help.
Thanks.

Your server isn't sending any intermediate certificate. You should configure an SSLCertificateChain directive SSLCertificateFile in your Apache configuration to use the full chain. That said, no clue where Certify The Web saves its fullchain.

3 Likes

It's possible that in a corporate environment, the Let's Encrypt root certificate could be removed as a matter of domain policy. More likely is that they'd be using a traffic-inspecting firewall that injects its own cert into the mix. It'd be worth, in one of those environments, taking a look at the cert that's being served to see if it's actually yours.

Another issue that's going on is that you haven't configured your server to serve the intermediate CA cert. I don't know how you'd do that with Certify The Web and Apache.

If you want to do a more detailed test from a given network, testssl.sh is a useful tool:

4 Likes

Thanks for your replies.

Here is how I typically configure my Apache VirtualHosts:

<VirtualHost *:443>
ServerName www.lechner.eu.com

DocumentRoot "W:/www/le"

# TLS settings: certificate, private key (paths relative to ServerRoot)
SSLEngine on
SSLCertificateFile "conf/ssl/lechner.eu.com/certificate.crt"
SSLCertificateKeyFile "conf/ssl/lechner.eu.com/private.key"

<Directory "W:/www/le">
    Options All
    AllowOverride All
    Require all granted
</Directory>
</VirtualHost>

I am not sure what is meant with SSLCertificateChain... -_-
Do I need to configure something additional?

1 Like

Yes, but it isn't SSLCertificateChainFile--that became obsolete with Apache 2.4.8. What you need to do is set SSLCertificateFile to point to a file that includes both your cert and the intermediate cert(s). From certbot and most Unix-y clients, that file is usually called something like fullchain.pem. You'll need to check the docs for CertifyTheWeb to see what that client does with that file.

5 Likes

Whoops, true, I thought it was an older Apache, didn't look closely enough. I just read "old apache server" in OP :stuck_out_tongue:

3 Likes

Cool, thanks.

I have the following files:

ca_bundle.crt
certificate.crt
private.key

I already have the line with SSLCertificateFile

SSLEngine on
SSLCertificateFile "conf/ssl/lechner.eu.com/certificate.crt"
SSLCertificateKeyFile "conf/ssl/lechner.eu.com/private.key"

Do I have to change the file to the ca_bundle.crt file?

1 Like

It depends: is ca_bundle.crt just the chain? Or does it include the end leaf certificate too? Please refer to the Certify The Web documentation or check for yourself.

3 Likes

certificate.crt contains just one section with

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The ca_bundle.crt contains two sections. Does this help?

Not really, could either be the end leaf cert with the short chain or just the long chain without the end leaf certificate.

4 Likes

2022-10-28 10:19:47.680 +02:00 [INF] Deploy to Apache:: exporting PEM format certificate file
2022-10-28 10:19:47.914 +02:00 [INF] Deploy to Apache: Copying file (Windows file copy) to C:\xampp\apache\conf\ssl\lechner.eu.com\certificate.crt
2022-10-28 10:19:47.918 +02:00 [INF] File Copy completed: C:\xampp\apache\conf\ssl\lechner.eu.com\certificate.crt
2022-10-28 10:19:47.918 +02:00 [INF] Deploy to Apache:: exporting PEM format key file
2022-10-28 10:19:47.960 +02:00 [INF] Deploy to Apache: Copying file (Windows file copy) to C:\xampp\apache\conf\ssl\lechner.eu.com\private.key
2022-10-28 10:19:47.960 +02:00 [INF] File Copy completed: C:\xampp\apache\conf\ssl\lechner.eu.com\private.key
2022-10-28 10:19:47.960 +02:00 [INF] Deploy to Apache:: exporting PEM format chain file
2022-10-28 10:19:47.969 +02:00 [INF] Deploy to Apache: Copying file (Windows file copy) to C:\xampp\apache\conf\ssl\lechner.eu.com\ca_bundle.crt
2022-10-28 10:19:47.969 +02:00 [INF] File Copy completed: C:\xampp\apache\conf\ssl\lechner.eu.com\ca_bundle.crt
2022-10-28 10:19:47.969 +02:00 [INF] Deploy to Apache :: Task Completed OK

what about this?
Here the ca_bundle.crt file is called "PEM format chain file". So is this the correct one to be used?

Sounds like it's just the chain. Please refer to the Certify The Web documentation to see if and how you can get a single file containing both the end leaf certificate and the chain.

4 Likes

@webprofusion your client question thread here

5 Likes

I think I have managed to create a full chain file.
Now it has 3 certificate sections included.
So this full chain file shall be used with the SSLCertificateFile statement, correct?

If the full chain file is correct then yes, correct.

3 Likes

Do you know what's in that file? Or is it just three certificate blocks with contents unknown to you? If the latter, stop, and ascertain what's there. A Google for ssl cert decoder will find you several online ways to determine this.

The cert file should contain the leaf cert (the cert for your server) and any intermediate CA certs, but not the root cert.

4 Likes
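One way to "ascertain what's there" without an online decoder is a small offline check of the bundle you intend to hand to SSLCertificateFile: it should read leaf first, then each intermediate issued by the next block, and no self-signed root at the end. The script below is an added example, not part of this thread or of Certify The Web; it walks the DER structure of each PEM block far enough to compare the raw issuer and subject Names, and, because it runs offline, it builds constructed placeholder certificates (no real keys or signatures; the names "Fake Intermediate" and "Fake Root" and the host `www.example.invalid` are made up) to exercise the checker. Point `check_chain_file` at the text of your real fullchain file instead.

```python
import base64
import re

# Hypothetical helper for checking a PEM bundle destined for Apache's SSLCertificateFile
# (Apache >= 2.4.8 reads leaf + intermediates from that one file). Minimal DER walking,
# no signature verification: it only answers "what is in this file and in what order?".

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"  # DER-encoded OID 2.5.4.3 (commonName)


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Split the DER elements between start and end into (tag, raw_tlv) tuples."""
    out, pos = [], start
    while pos < end:
        tag, _, ve = _read_tlv(buf, pos)
        out.append((tag, buf[pos:ve]))
        pos = ve
    return out


def split_pem(text):
    """Base64-decode every CERTIFICATE block in a PEM file, in file order."""
    return [base64.b64decode(m.group(1)) for m in PEM_BLOCK.finditer(text)]


def issuer_and_subject(der):
    """Return the raw DER Name of issuer and subject from an X.509 certificate."""
    _, cert_vs, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs_vs, tbs_ve = _read_tlv(der, cert_vs)  # tbsCertificate ::= SEQUENCE
    fields = _children(der, tbs_vs, tbs_ve)
    if fields[0][0] == 0xA0:                     # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def common_name(name_der):
    """Best-effort CN extraction: the string value following the commonName OID."""
    idx = name_der.find(CN_OID)
    if idx < 0:
        return "?"
    _, vs, ve = _read_tlv(name_der, idx + len(CN_OID))
    return name_der[vs:ve].decode("utf-8", "replace")


def check_chain_file(pem_text):
    """Return findings for a bundle that should be: leaf, then intermediates, no root."""
    certs = [issuer_and_subject(d) for d in split_pem(pem_text)]
    if not certs:
        return ["no certificate blocks found"]
    findings = []
    if len(certs) == 1:
        findings.append("only one certificate: intermediates are missing")
    for i in range(len(certs) - 1):
        issuer, subject = certs[i]
        _, next_subject = certs[i + 1]
        if issuer != next_subject:  # raw DER Name comparison, as a verifier would do
            findings.append(f"certificate {i} ({common_name(subject)}) is not issued by "
                            f"certificate {i + 1} ({common_name(next_subject)}): wrong order or wrong file")
    if certs[0][0] == certs[0][1]:
        findings.append("first certificate is self-signed: that is a root, not your leaf")
    elif certs[-1][0] == certs[-1][1]:
        findings.append("last certificate is self-signed (a root): clients ignore it, drop it")
    return findings


# --- constructed test data (not real certificates) -----------------------------
def _tlv(tag, content):
    """Encode one DER TLV with definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    # Name ::= SEQUENCE OF (SET OF (SEQUENCE { OID commonName, UTF8String }))
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, CN_OID + _tlv(0x0C, cn.encode()))))


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned stand-in with the right field layout and dummy
    algorithm/validity/key/signature, so the checker can be exercised offline."""
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),  # [0] version v3
        _tlv(0x02, b"\x01"),              # serialNumber
        _tlv(0x30, b""),                  # signature AlgorithmIdentifier (dummy)
        _name(issuer_cn),                 # issuer
        _tlv(0x30, b""),                  # validity (dummy)
        _name(subject_cn),                # subject
        _tlv(0x30, b""),                  # subjectPublicKeyInfo (dummy)
    ]))
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    body = base64.encodebytes(cert).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    leaf = fake_cert_pem("www.example.invalid", "Fake Intermediate")
    inter = fake_cert_pem("Fake Intermediate", "Fake Root")
    root = fake_cert_pem("Fake Root", "Fake Root")
    for label, bundle in [("leaf only", leaf), ("leaf+intermediate", leaf + inter),
                          ("root appended", leaf + inter + root), ("chain only", inter + root)]:
        print(label, "->", check_chain_file(bundle) or ["looks right"])
```

The "leaf only" case is the configuration this thread started with (certificate.crt alone), and "chain only" is what a file like ca_bundle.crt looks like; only the leaf-plus-intermediate bundle comes back clean. The CN lookup is a byte search and the DER walker does no bounds or signature checking, so treat it as a quick sanity check, not a validator.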

Hi, there is a fullchain option in the Apache export task [which includes your cert and all the intermediates], which you will want to use (the chain option is similar but only includes the intermediates, not your "leaf" certificate). You should also consider whether you want the legacy chain (the default) or ISRG Root X1.

If you want the modern chain, in your managed certificate settings go to Certificate - Advanced - Certificate Authority and set the preferred chain to ISRG Root X1 then click Request Certificate again.

5 Likes

You might want to mention that at Deployment Tasks | Certify The Web Docs and/or Certificates | Certify The Web Docs.

4 Likes

Thanks! I actually contracted a freelance dev to revise all of our documentation but it turns out certificates are really boring so I'll have to do it myself :slight_smile:

5 Likes

Hmmm...
I tried the fullchain option and replaced the certificates.

Apache now does not start.

Not sure what's going on.