Root CA Certificate could not be located, setup ssl on windows

Hello

how do you formatted pem that generated by certbot in vhost.conf (windows apache)

I used command as follow to generate SSL


certbot certonly --webroot -w C:\\www\web1 -d www.domain.com -d domain.com -d ftp.domain.com -d mail.domain.com

I have 4 file ...cert1.pem,chain1.pem,fullchain1.pem,privkey1.pem

in my vhost.conf I setup generated file as follow

	SSLEngine on
SSLCertificateFile "C:/certificate/web1/cert1.pem"
SSLCertificateKeyFile "C:/certificate/web1/privkey1.pem"
SSLCACertificateFile "C:/certificate/web1/chain1.pem"
SSLCertificateChainFile "C:/certificate/web1/fullchain1.pem"

but when I test with online SSL checker , this is my result

### Certificate Chain Complete?

A valid Root CA Certificate could not be located, the certificate will likely display browser warnings.

![Illo certificate](https://www.geocerts.com/assets/illo-certificate-d15d1fe019c17184657749a12f4549f5744c4e9abda2a193afcb1c59529ba2cd.svg)

**Common Name:**ISRG Root X1

**Organization:** Internet Security Research Group

**Valid:** January 20, 2021 to September 30, 2024

**Issuer:** DST Root CA X3

and sslabs result failed at SNI section, can someone point me where my mistake are?

thank you

1 Like

I could be wrong but I think you set the SSLCertificateFile to fullchain.pem and set the key file one, then you can possibly skip the others.

Note that your server will not serve the root ca cert (and probably shouldn't), so check with a reputable scanner like Qualsys ssl checker

2 Likes

Yes, we can help but we can give better advice if you answer the form questions as best you can. Thanks

=================================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

My apache version is:

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of certbot (show certbot --version):

3 Likes

That is generally NOT a mistake at all.
[unless you have a dedicated IP and also use that IP with some extremely old clients]

SNI allows for many sites to be hosted from one single IP.
When a request comes in without a specific host name, it is handled by the default handler [which usually also covers those direct IP requests].

In short: No modern web client would ever need to deal with that default SNI handler.

4 Likes

ok ..my bad

domain: https://ruslanproperty.com
Certbot version: certbot 1.24.0
apache version :Server version: Apache/2.4.51 (Win64)
Apache Lounge VS16 Server built: Oct 7 2021 16:27:02
operating system: windows 10, single ip

1 Like

so edited configuration as follow?

1 Like

Yes, looks ok to me but you obviously just need to restart your apache and see if it works.

2 Likes

Qualys/ssllabs testing result only gave me B ..is it possible to have A score using certbot?

You used certbot options which just got certs. It is up to you to configure your server. This site provides good guidelines

Had you used the certbot apache plug-in as the installer it would have configured your system so that it did not allow TLS v1.0 and v1.1 and would have gotten an A score. There is nothing wrong with configuring it yourself. You just have to do it.

5 Likes

thank you mike

2 Likes

Certbot normally creates a /live/ folder with symlinks to the latest cert it received. It is best if you reference those symlinks rather than the actual cert files.

The next time certbot gets certs it will name them xxxx2.pem, then xxxx3.pem and so forth always updating the symlink to point to the latest.

You should use the symlink name to avoid having to update your server config each cert renewal.

4 Likes

yup ..there's a shortcut (windows) or symlink
this is my first time setting up my own SSL ..thank you for SSL generator

I think i have the general ideas now ..thank you, everyone

2 Likes