Not trusted from some ISP networks

Ok,

For future reference there is a support forum dedicated to Certify here: https://community.certifytheweb.com/

If Apache is failing to start after only changing the certificate file then clearly the file you are pointing to is now wrong. Please provide a screenshot of the Task Parameters settings in your Deploy to Apache task settings and confirm which files you are currently referring to in your Apache config and using which directives.

5 Likes

Here's an example of settings I'd expect to work:

image

4 Likes

Yeah you are right, it is definitely the certificate file that breaks my config and Apache is not working any more.

I create 4 files with Certify The Web:

ca_bundle.crt
certificate.crt
full_chain.crt
private.key

All files are deployed from Certify The Web with the "Deploy to Apache" Task.

That's my original Apache VirtualHost that basically starts and works on most of the machines:

<VirtualHost *:443>
    ServerName www.lechner.eu.com

    # All other requests go to http
    DocumentRoot "W:/www/le"

    SSLEngine on
    SSLCertificateFile "conf/ssl/lechner.eu.com/certificate.crt"
    SSLCertificateKeyFile "conf/ssl/lechner.eu.com/private.key"

    <Directory "W:/www/le">
        Options All
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

That's the new version where Apache stops working:

<VirtualHost *:443>
    ServerName www.lechner.eu.com

    # All other requests go to http
    DocumentRoot "W:/www/le"

    SSLEngine on
    SSLCertificateFile "conf/ssl/lechner.eu.com/full_chain.crt"
    SSLCertificateKeyFile "conf/ssl/lechner.eu.com/private.key"

    <Directory "W:/www/le">
        Options All
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Basic troubleshooting 101: what does the log say?

In this case: Apache's log.

3 Likes

Interesting,

I think I have changed my setup to this but now apache won't start.

Also thought like this.

No new entries in the Apache log.

Either it crashes before the log is handled or I don't know what's going on...

image

Thanks, your Certify settings look ok so you would have to find a way to get more diagnostic information from Apache, meanwhile you can revert to your main certificate file as you had previously. You can email support {at} certifytheweb.com if you wish to discuss/debug any technical aspects in private. We're in Australia, so it's likely our timezones don't match up but happy to answer questions over the weekend.

Note that you can also use the Export Certificate tasks for more fine-grained export of certificate components and you just need to save the managed certificate settings and click Play next to the task (you don't need to re-request the cert each time).

[Just double check that the output files do exist and if so, open them up and have a look, your fullchain file will have multiple certificate sections and the first one will be your primary/lead certificate and the others are intermediates etc - you can use Report URI: PEM Decoder to check]

4 Likes

Thanks.

I have no plan but at least it seems that it was common opinion that I had the wrong file configured...

I tried the ReportURI tool on the 3 fragments of the fullchain file:

cert 1:
Common Name: lechner.eu.com
Issued By: Let's Encrypt
Issuing Certificate: R3
Serial Number: 03C780BB642B55424C0A71276CB350B08AAB
Signature: sha256WithRSAEncryption
Valid From: 09:46:18 28 Oct 2022
Valid To: 09:46:17 26 Jan 2023
Key Usage: Digital Signature, Key Encipherment
...

cert 2:
Common Name: R3
Issued By: Internet Security Research Group
Issuing Certificate: ISRG Root X1
Serial Number: 912B084ACF0C18A753F6D62E25A75F5A
Signature: sha256WithRSAEncryption
Valid From: 00:00:00 04 Sep 2020
Valid To: 16:00:00 15 Sep 2025
Key Usage: Digital Signature, Certificate Sign, CRL Sign
Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication
Basic Constraints: CA:TRUE, pathlen:0

cert 3:
Common Name: ISRG Root X1
Issued By: Internet Security Research Group
Issuing Certificate: ISRG Root X1
Serial Number: 8210CFB0D240E3594463E0BB63828B00
Signature: sha256WithRSAEncryption
Valid From: 11:04:38 04 Jun 2015
Valid To: 11:04:38 04 Jun 2035
Key Usage: Certificate Sign, CRL Sign
Basic Constraints: CA:TRUE

No idea what all this means.
Can you say if the full_chain.crt is generated correctly?

1 Like

While not as powerful as testssl.sh, in my opinion, it is fast and an additional tool that is useful.
SSLyze (SSLyze 5.2.0 documentation)
GitHub - nabla-c0d3/sslyze: Fast and powerful SSL/TLS scanning library

1 Like

"cert 3:" is not supposed to be included, as root certs should never be sent by a server relying on them.

4 Likes

@rg305 that's a good reminder; fixing that quirk is a potentially breaking change that we're reserving for our next major release. Some folks rely on it for various proprietary and less common server types; we also offer an alternative Export Certificate task which has many options for which things to include in which bundle.

4 Likes

Thank you for this finding.

I am still confused.

Is this root cert thing a real problem that may lead to the crash in Apache?
Or is this just an unclean thing that should be solved in the future?

Is it possible to just remove the third cert and then test it again?

I have read all the documentation from Certify the Web and Apache but have to admit that I am still lost.
I am also curious if this really could be a cause for my original problem. Again, it already seems to work on some machines/ISPs, but on other corporate networks it was considered to be insecure. Could the cause of this be that the certificate file is incomplete?

Thanks a lot for your help. I really hope that I can close this topic soon. -_-

1 Like

Thanks a lot, also to you webprofusion!

Could you please assist me with how to configure the certificate creation manually so that Apache receives it in a clean way?

I found the "Deploy to Certificate" task and there are multiple options:

image

Which one do I need for the SSLCertificateFile and SSLCertificateKeyFile?

Yes.
I would try that first.

3 Likes

Just tried...
Apache still not starting, even if I remove the last root cert.

I think I am now one step further:

This is my Apache config now:

SSLEngine on
SSLCertificateFile "conf/ssl/lechner.eu.com/certificate.crt"
SSLCertificateKeyFile "conf/ssl/lechner.eu.com/private.key"
SSLCertificateChainFile "conf/ssl/lechner.eu.com/full_chain.crt"

This results in the following output:

Not sure what the red link symbol means but at least the Apache server starts again and the SSL checker tool at https://www.digicert.com/help/ now likes the TLS certificate.

I will be able to test this again on the other networks in the next days.

SSLCertificateChainFile is deprecated and shouldn't be used. And now you're sending the end leaf cert twice.

3 Likes

Mhm... you mentioned this above.

However, it seems to work now, doesn't it?

I still don't get how the correct configuration should look.

Didn't I answer this like 30 posts ago? The correct configuration is to have SSLCertificateFile point to a single file that includes your leaf cert plus any intermediate certs, but not the root cert. If that's confusing or unclear, I'd like to know how, because it seems really clear to me.

6 Likes