Not trusted from some ISP networks

I did, but was immediately corrected as I made a mistake :slight_smile: I'll edit my post for more clarity.

For now, until Apache drops the directive in a new release (as it's deprecated).


Sorry, my last post was not clear.

You all are right and you totally clarified that only SSLCertificateFile should be used and it should contain "leaf cert" + "intermediate certs" but not the root.
That was clear to me however it seems that I am still doing something wrong and Apache isn't starting for me in that configuration.

I have now two configurations where Apache does not crash:

1.) using just the leaf cert:

SSLEngine on
SSLCertificateFile "conf/ssl/lechner.eu.com/certificate.crt"
SSLCertificateKeyFile "conf/ssl/lechner.eu.com/private.key"

results in errors with the SSL certificate checker.

2.) adding the Chain File:

SSLEngine on
SSLCertificateFile "conf/ssl/lechner.eu.com/certificate.crt"
SSLCertificateKeyFile "conf/ssl/lechner.eu.com/private.key"
SSLCertificateChainFile "conf/ssl/lechner.eu.com/full_chain.crt"

seems to be much better regarding the SSL certificate checker,
but sends the leaf cert twice.

So I have tried the theoretic correct config but the Apache server won't start.
Have tried it with

SSLEngine on
SSLCertificateFile "conf/ssl/lechner.eu.com/full_chain.crt"
SSLCertificateKeyFile "conf/ssl/lechner.eu.com/private.key"

and with

SSLEngine on
SSLCertificateFile "conf/ssl/lechner.eu.com/full_chain_without_root.crt"
SSLCertificateKeyFile "conf/ssl/lechner.eu.com/private.key"

In both Apache won't start.
Here I am now and a little bit lost, since the most promising config seems to be the deprecated 2.)
But still with double leaf.

Thanks for your patience.


Hi @Console1820, which exact distribution of Apache for Windows are you using (XAMPP, Apache Haus)? I'll try to reproduce this on my own machine. Please send an email to support {at} certifytheweb.com and that will create an official support ticket with us, then we can go back and forth on more detailed diagnostics.


@Console1820 Regarding the various export options:

  • for a "clean" Leaf+Intermediates full chain you want the option labelled "PEM - Primary Certficate + Intermediate Certificate Chain (e.g. .crt)". The typo has been fixed since this release :slight_smile:
  • then add another Export Certificate task to export just the "PEM - Private Key" file.
  • You can then run each task to get your certificate components files in the requested formats.

In my own testing I can confirm that Apache starts OK using the default fullchain and key options (regardless of the spare root cert being included in the full chain file or not). Please check your apache logs e.g. /logs/error.log - I was only able to get Apache to refuse to start by intentionally corrupting the certificate PEM file and this resulted in the following error log entry:

[Sun Oct 30 11:50:20.820535 2022] [ssl:emerg] [pid 18640:tid 328] AH02565: Certificate and private key localhost:443:0 from C:/Tools/Apache24/conf/ssl/fullchain.pem and C:/Tools/Apache24/conf/ssl/server.key do not match
AH00016: Configuration Failed
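
The post above points at the two things that go wrong in this thread: a bundle whose first block does not match the private key (Apache's AH02565 "do not match", which keeps it from starting) and a chain that is sent in the wrong shape (leaf missing its intermediate, leaf twice, root tacked on). The script below is an added pre-flight check for exported files; it is not code from Certify The Web, Apache or any poster in this thread. It builds a throw-away root/intermediate/leaf PKI with openssl (constructed test data; the name www.example.test and all file names are made up) and then audits the four bundle shapes discussed above. On a real server you would call audit_bundle with the exported .crt, the exported private key and the CA's root certificate.

```shell
#!/bin/sh
# Pre-flight audit of a PEM bundle before it goes into Apache's SSLCertificateFile.
# Added example for this thread, not code from Certify The Web, Apache or any poster.
# The root/intermediate/leaf PKI, the name www.example.test and every file name
# below are made up so the script runs offline; point audit_bundle at your own files.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test PKI: self-signed root -> intermediate -> leaf (RSA, 2-day validity).
make_pki() {
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root" \
        -keyout root.key -out root.csr >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
        -out root.pem >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -keyout int.key -out int.csr >/dev/null 2>&1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out int.pem >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
}

# audit_bundle BUNDLE KEY ROOT
# Prints one "CODE: detail" line per problem, or OK.  ROOT is the trust anchor the
# client already has; it is only used to verify the chain and must not be in BUNDLE.
audit_bundle() {
    bundle=$1 key=$2 root=$3 problems=0
    dir=$(mktemp -d "$WORK/audit.XXXXXX")
    # Split into one file per certificate, in the order Apache will send them.
    count=$(awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++}
        n {print > (d "/cert" n ".pem")} END {print n+0}' "$bundle")
    [ "$count" -gt 0 ] || { echo "EMPTY: no certificate in $bundle"; return 0; }

    # 1. First block must be the leaf that matches KEY (Apache logs AH02565 otherwise).
    if [ "$(openssl x509 -in "$dir/cert1.pem" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "KEY_MISMATCH: first certificate in $bundle does not match $key"; problems=$((problems+1))
    fi
    # 2. Each certificate must be issued by the one that follows it (leaf, then intermediates).
    i=1
    while [ "$i" -lt "$count" ]; do
        j=$((i+1))
        iss=$(openssl x509 -in "$dir/cert$i.pem" -noout -issuer)
        sub=$(openssl x509 -in "$dir/cert$j.pem" -noout -subject)
        if [ "${iss#issuer=}" != "${sub#subject=}" ]; then
            echo "ORDER: certificate $i is not issued by certificate $j"; problems=$((problems+1))
        fi
        i=$j
    done
    # 3. The same certificate twice (the "double leaf" the SSLCertificateChainFile setup sent).
    dups=$(for f in "$dir"/cert*.pem; do openssl x509 -in "$f" -noout -fingerprint -sha256; done \
           | sort | uniq -d | wc -l | tr -d ' ')
    if [ "$dups" -gt 0 ]; then
        echo "DUPLICATE: a certificate appears more than once in $bundle"; problems=$((problems+1))
    fi
    # 4. A self-signed last certificate is the root: harmless for Apache, but it belongs
    #    in the client's trust store, not on the wire.
    sub=$(openssl x509 -in "$dir/cert$count.pem" -noout -subject)
    iss=$(openssl x509 -in "$dir/cert$count.pem" -noout -issuer)
    if [ "${sub#subject=}" = "${iss#issuer=}" ]; then
        echo "ROOT_INCLUDED: $bundle ends with a self-signed certificate"; problems=$((problems+1))
    fi
    # 5. Does the chain as sent build up to ROOT?  This is what a client that only has
    #    ROOT sees; a leaf without its intermediate fails here.
    untrusted=""
    if [ "$count" -gt 1 ]; then
        i=2; : > "$dir/untrusted.pem"
        while [ "$i" -le "$count" ]; do cat "$dir/cert$i.pem" >> "$dir/untrusted.pem"; i=$((i+1)); done
        untrusted="-untrusted $dir/untrusted.pem"
    fi
    if ! openssl verify -CAfile "$root" $untrusted "$dir/cert1.pem" >/dev/null 2>&1; then
        echo "VERIFY_FAILED: $bundle does not chain to $root"; problems=$((problems+1))
    fi
    [ "$problems" -gt 0 ] || echo OK
}

# Demo: the bundle shapes discussed in the thread.
make_pki
cat leaf.pem int.pem          > fullchain.pem   # what SSLCertificateFile should contain
cat leaf.pem int.pem root.pem > withroot.pem    # "full chain" export that also carries the root
cat leaf.pem leaf.pem int.pem > doubleleaf.pem  # leaf + old-style chain file: leaf sent twice
for b in leaf.pem fullchain.pem withroot.pem doubleleaf.pem; do
    echo "== $b"; audit_bundle "$b" leaf.key root.pem
done
```

Only fullchain.pem comes back OK; the leaf alone fails verification, the bundle with the root is flagged as carrying a certificate the client should already trust, and the leaf-plus-chain-file layout is reported both as out of order and as a duplicate. Once Apache is running, `openssl s_client -connect host:443 -servername host -showcerts` shows the chain exactly as the server sends it, which is the same view the remote SSL checkers in this thread get.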

Can you show the crash message?


I think now everything works fine.

Here is what I got:

Regarding your instructions I manually generated the file
"prim_interm.crt"
with the "Deploy to Certificate" task in the configuration
"PEM - Primary Certificate + Intermediate Certificate Chain (e.g. .crt)"

Then I updated my Apache VirtualHost config to:

SSLEngine on
SSLCertificateFile "conf/ssl/lechner.eu.com/prim_interm.crt"
SSLCertificateKeyFile "conf/ssl/lechner.eu.com/private.key"

And that's all... :slight_smile:

Thanks a lot to all that were helping.

In the next days there will also be tests from the original network where the issues came from originally, but I am confident that the latest fixes may have resolved this issue.


Can confirm now that all problems are fixed.

Thanks again for the help.

