Root Certificate miising

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:www.quintic.co.uk

I ran this command:

It produced this output:

My web server is (include version):Apache2 v2.4.10

The operating system my web server runs on is (include version):Raspbian Version 8

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot-auto 0.34.2

Question:
I have installed the letsEncrypt Certificate and the Apache2 config file has been updated with the following lines:
SSLCertificateFile /xxxx/fullchain.pem
SSLCdertificateKeyFile /xxx/privkey.pem

and the site does operate https.
However when I check the site using https://www.sslchecker.com/sslchecker it reports that I am missing a root certificate.

Could you let me know what I have missed pleased.

Thanks.

SteveD

The root certificate should be missing. The idea behind root certificates is, is that the client has all the valid root certificates stored in its “root certificate store”. It is useless to also send this root certificate with the TLS connection. In fact, it would only slow it down.

So I don’t know why that SSL checker marks it as “red”, like it was wrong. It isn’t.

2 Likes

Hi @steved430

that

looks like a bug in sslchecker.

Checked your domain the main things are ok - https://check-your-website.server-daten.de/?q=quintic.co.uk

Your four connections are working, three redirects, one http status 200:

Domainname Http-Status redirect Sec. G
• http://quintic.co.uk/
81.133.68.111 301 https://quintic.co.uk/ 0.080 A
• http://www.quintic.co.uk/
81.133.68.111 301 https://www.quintic.co.uk/ 0.077 A
• https://quintic.co.uk/
81.133.68.111 301 https://www.quintic.co.uk/ 3.437 B
• https://www.quintic.co.uk/
81.133.68.111 200 2.354 I

Your certificate has both domain names:

CN=www.quintic.co.uk
	28.05.2019
	26.08.2019
expires in 88 days	
quintic.co.uk, quintic.uk, 
www.quintic.co.uk, www.quintic.uk - 4 entries

and your chain is correct:

Chain (complete)	
	1	CN=www.quintic.co.uk
	2	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

My site has the same error checking sslchecker, looks like a problem of that tool.

Never send a root certificate. The client selects, which root certificates are used.

1 Like

Oh - what's that?

Thought, Sslchecker has reorganized the own page, there are a lot of places with filler text (Lorem ipsum dolores ...).

But searching there is an older thread (2017-03-21).

With exact the same problem and the same screenshot I see now.

So the tool doesn't really work.

1 Like

Many thanks Juergen.

Good to know that everything is operating correctly. I had read the documentation on the Let’s Encrypt web site regarding Root Certificates, and whilst I cannot say I fully understood everything, I did take in that I should not need to install a Root certificate which is why I could not understand why sslchecker was reporting an issue.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.