Poorly constructed certificate chain

I was attempting to use the https://www.hardenize.com/ site to validate my apache24 server on a FreeBSD 12 machine. Unfortunately, it is reporting a problem. I have the certificates installed as follows:

SSLCertificateFile "/usr/local/etc/letsencrypt/live/seibercom.net/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/seibercom.net/privkey.pem"
SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/seibercom.net/fullchain.pem"

I have attached a screen shot of the output from "https://www.hardenize.com/"

This is what they claim is the problem:

Poorly constructed certificate chain This server is not configured with a correct certificate chain. The possible problems include missing certificates, incorrect certificate order, or unrelated certificates present in the chain. In a correct chain, one certificate is immediately followed by its parent. The final, root, certificate can be omitted. This problem is often difficult to troubleshoot because some clients know how to reconstruct a chain starting with the leaf. Although this behavior is common in browsers, it cannot be relied upon in a general case.

--
Gerard

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

You've got both SSLCertificateChainFile and SSLCertificateFile. You should provide just the latter, and change it to fullchain.pem:

SSLCertificateFile "/usr/local/etc/letsencrypt/live/seibercom.net/fullchain.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/seibercom.net/privkey.pem"
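An added example, not code from either poster: the chain rule Hardenize quotes in the question (leaf first, each certificate immediately followed by its issuer, root optional) is simple enough to check locally before re-testing the server. The script below parses a PEM bundle such as fullchain.pem with the Python standard library only, pulls the issuer and subject Name fields out of each certificate with a minimal DER reader, and reports any position where the next certificate is not the issuer of the previous one. The certificates it runs against are constructed, unsigned dummies (the thread contains no real certificate material), and the `seibercom.net` / "Constructed ... CA" names are placeholders.

```python
"""Check a PEM bundle such as Let's Encrypt's fullchain.pem for the ordering
rule Hardenize tests: leaf first, and every certificate immediately followed
by the certificate that issued it (the root may be omitted). Standard library
only: a minimal DER reader extracts the issuer and subject Name of each
certificate and compares them byte for byte, which is how a strict client
walks the chain without "repairing" it the way browsers do."""
import base64
import re
import sys

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return (issuer, subject) as raw DER Name encodings of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                # descend into Certificate
    _, pos, _ = _tlv(der, pos)              # descend into tbsCertificate
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional EXPLICIT [0] version
        pos = end
    _, _, pos = _tlv(der, pos)              # serialNumber
    _, _, pos = _tlv(der, pos)              # signature AlgorithmIdentifier
    _, _, end = _tlv(der, pos)              # issuer Name
    issuer, pos = der[pos:end], end
    _, _, pos = _tlv(der, pos)              # validity
    _, _, end = _tlv(der, pos)              # subject Name
    return issuer, der[pos:end]


def check_chain_order(pem_text):
    """Return a list of problems with the chain; an empty list means it is well formed."""
    ders = [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(pem_text)]
    if not ders:
        return ["no certificates found in the bundle"]
    names = [issuer_and_subject(d) for d in ders]
    problems = []
    for i in range(len(names) - 1):
        # Hardenize's rule: certificate i must be immediately followed by its parent.
        if names[i][0] != names[i + 1][1]:
            problems.append(
                f"certificate {i} is not immediately followed by its issuer "
                f"(certificate {i + 1} has a different subject)")
    return problems


# ---- constructed test data (placeholder names, not real certificates) --------

def _der(tag, content):
    """Encode one DER TLV (short or long form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with a single CN (OID 2.5.4.3)."""
    atv = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, common_name.encode()))
    return _der(0x30, _der(0x31, atv))


def dummy_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned dummy certificate carrying only the fields the checker reads."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                              # version v3
           + _der(0x02, b"\x01")                                        # serialNumber
           + _der(0x30, bytes.fromhex("06092a864886f70d01010b0500"))    # sha256WithRSA
           + _name(issuer_cn)
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
           + _name(subject_cn)
           + _der(0x30, b""))                                           # SPKI placeholder
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = dummy_cert_pem("seibercom.net", "Constructed Intermediate CA")
INTERMEDIATE = dummy_cert_pem("Constructed Intermediate CA", "Constructed Root CA")
GOOD_FULLCHAIN = LEAF + INTERMEDIATE      # the shape of a correct fullchain.pem
WRONG_ORDER = INTERMEDIATE + LEAF         # intermediate sent before the leaf

if __name__ == "__main__":
    # Usage: python chaincheck.py /usr/local/etc/letsencrypt/live/<name>/fullchain.pem
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_FULLCHAIN
    print(check_chain_order(text) or ["chain order OK"])
```

Two caveats for real-world use: the comparison is byte-for-byte on the DER Name, which is stricter than the RFC 5280 name-matching rules but is exactly what Let's Encrypt chains satisfy, and a file containing only the leaf (cert.pem) passes the ordering check trivially because there is no pair to compare, so "no problems" here does not mean the intermediate is present. Point it at fullchain.pem, the file the Apache config above now serves, not at cert.pem.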

For other users reading this thread: @Gerard has Apache version 2.4.39 running according to his HTTP “Server” header. :stuck_out_tongue: Indeed, ≥2.4.8, so @jsha is dead on correct.

