Since end of September: Mac devices show cert problem on my domain, but not other lets'encrypt encrypted domains

Hi,

Mac devices (iPhone etc.) have shown a cert problem since the end of September, after years of functioning perfectly, on my domain, but not on other Let's Encrypt encrypted domains.

I know the root cert was exchanged, so I compared the cert of https://shop.bbc.com/ with mine https://support.webboard.org and found out there is not much difference; my public cert is even double the bit size.

My domain is: https://support.webboard.org

Why are these errors only on my page when visiting with Apple devices but not on other domains using Let's Encrypt? I already issued a new cert but it doesn't help.

@Reinhard Welcome to the community!

Your site is serving the "short chain". The shop.bbc.com is serving the "long chain". You must have chosen the alternate chain to do that.

Yours:

Certificate chain
 0 s:/CN=webforum.eu
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

(Note: The domain you listed shows in the SAN list)

Compare to:

Certificate chain
 0 s:/CN=shop.bbc.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Here is a good topic for this:

2 Likes

@Reinhard Oops. I take that back. You are not serving the "short chain" - you are serving an odd mix.

What server are you using and what are your conf lines for the cert and chain?

4 Likes

@Reinhard Oh gosh, this is a bit much for me.

You have nginx responding to http requests which issues a redirect to Apache for https port 443. The Apache cert definitions have the old style ChainFile. And, the acme client is LE32 which I am not familiar with. Apache and LE32 running on Windows and nginx on Ubuntu (per its server header anyway).

Hopefully someone else with more experience in these areas can give instruction. Sorry

2 Likes

@Reinhard While waiting for someone else to assist you might have some luck with the LE32/64 github - in case you were not aware of it.

You ultimately want a chain that looks like the bbc site you showed. Use a site like this one to view the cert chain you actually send.
https://www.sslshopper.com/ssl-checker.html

2 Likes

Please show the entire output of:
dir "C:/Programme/Apache Group/Apache2/conf/ssl.crt/CA.crt"

And the version number shown, when:
"C:\Programme\Apache Group\Apache2\conf\le\le32.exe"

1 Like

For http requests, true, there is an nginx reverse proxy in place, but for https apache is answering directly.

LE32 is the newest 0.38.0.0 which I updated before issuing a new cert.

Size of "C:/Programme/Apache Group/Apache2/conf/ssl.crt/CA.crt" is 1,63 KB (1.676 Bytes).

-----BEGIN CERTIFICATE-----
bliblablub (can send that per mail)
-----END CERTIFICATE-----

Why does
https://www.sslshopper.com/ssl-checker.html#hostname=https://support.freeboard.at
show a link to the ancient Let's Encrypt Authority X3 cert, while
https://www.sslshopper.com/ssl-checker.html#hostname=https://shop.bbc.com/
doesn't?

In chrome, the cert paths are shown as the same.

Regards

Please show:

2 Likes

Oh that's the old X3 one...


How can I just replace that?
I removed SSLCertificateChainFile from htaccess and now it seems to be better.

But I got another error on SSL Checker

"The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. The fastest way to fix this problem is to contact your SSL provider."


That's the old X3. I removed in htaccess:
SSLCertificateChainFile "C:/Programme/Apache Group/Apache2/conf/ssl.crt/CA.crt"
leading to
https://www.sslshopper.com/ssl-checker.html#hostname=https://support.freeboard.at
another error

Should I replace CertificateChainFile with another?

Yes, your ACME client should output a chain file you can use that should include at least the R3 intermediate (so that macOS clients don't have to guess the R3).

I'm not familiar with Crypt-LE, but the typical output of an ACME client for use with Apache will be:

  • A single certificate (this is your own certificate)
  • A set of one or more intermediate certificates (sometimes called CA, or chain)
  • A "full chain" - including your cert, all the intermediates and possibly the root.

From looking at their docs I can't see how you get the full chain or CA chain to update, but basically your CA.crt is out of date and should at least be a copy of this file: https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem

I'd suggest looking at other ACME clients long term. Windows options which can output files suitable for Apache include Certbot, Certify The Web and win-acme

3 Likes

Because browsers see the cert chain from your server but then make their own and show you what they did. They do this to adapt to poorly configured servers and for other reasons. It depends on the browser, its version, and the system state as to how well this works. Not all browsers do it the same. Confusing, I know.

You must use something like openssl or websites like sslshopper to see the chain your server actually sends.

2 Likes
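As an added example (not code from the thread or from any ACME client), here is a small path walker that does what the reply above describes: it follows the list a server actually sends, leaf first, and reports the three situations seen in this thread: the R3 intermediate missing from the original "odd mix", the retired cross-signed R3 that expired on 29 September 2021, and the long chain shop.bbc.com serves. Certificates are modelled as dicts with subject, issuer and not_after; the trust sets, the leaf's validity and the sample lists are assumptions constructed from the chains quoted earlier.

```python
from datetime import date

# Roots an Apple client trusts here; DST Root CA X3 is known but not trusted
# (it expired on 30 September 2021). Both sets are assumptions of this example.
KNOWN_ROOTS = {"ISRG Root X1", "DST Root CA X3"}
TRUSTED_ROOTS = {"ISRG Root X1"}

def analyze_chain(sent, today):
    """sent: certs leaf first, as the server sends them (dicts with subject,
    issuer, not_after). Returns findings; [] means a clean path to a trusted root."""
    findings, path, broken = [], [sent[0]], False
    by_subject = {c["subject"]: c for c in sent}
    # Follow issuer links like a client building a path; stop at a trusted root,
    # at a self-signed cert, or when the next issuer was not sent at all.
    while True:
        cur = path[-1]
        if cur["subject"] in TRUSTED_ROOTS or cur["issuer"] == cur["subject"]:
            break
        nxt = by_subject.get(cur["issuer"])
        if nxt is None:
            if cur["issuer"] not in KNOWN_ROOTS:  # an intermediate is missing
                findings.append(f"missing intermediate: {cur['issuer']} was not "
                                f"sent, so the client has to find it on its own")
                broken = True
            break
        path.append(nxt)
    for c in path:  # a trusted root's own copy is never checked for expiry
        if c["subject"] not in TRUSTED_ROOTS and c["not_after"] < today:
            findings.append(f"expired: {c['subject']} (signed by {c['issuer']}) on {c['not_after']}")
    top = path[-1]
    anchor = top["subject"] if top["subject"] in TRUSTED_ROOTS else top["issuer"]
    if not broken and anchor not in TRUSTED_ROOTS:
        findings.append(f"untrusted: path ends at {top['subject']} signed by "
                        f"{anchor}, which is no longer a trusted root")
    for c in sent:
        if not any(c is p for p in path):
            findings.append(f"unused: {c['subject']} was sent but is not on the path")
    return findings

# Sample lists constructed from the chains quoted in the thread (leaf validity is
# made up; intermediate dates are those of the public Let's Encrypt certs).
LEAF = {"subject": "support.webboard.org", "issuer": "R3", "not_after": date(2021, 12, 31)}
R3_ISRG = {"subject": "R3", "issuer": "ISRG Root X1", "not_after": date(2025, 9, 15)}
R3_CROSS = {"subject": "R3", "issuer": "DST Root CA X3", "not_after": date(2021, 9, 29)}
X3_OLD = {"subject": "Let's Encrypt Authority X3", "issuer": "DST Root CA X3", "not_after": date(2021, 3, 17)}
X1_CROSS = {"subject": "ISRG Root X1", "issuer": "DST Root CA X3", "not_after": date(2024, 9, 30)}
TODAY = date(2021, 10, 27)  # 28 days after the R3 cross-sign expired, as in the thread
ODD_MIX = [LEAF, X3_OLD]                # the "odd mix" the server sent at first
RETIRED_R3 = [LEAF, R3_CROSS]           # CA.crt swapped for the retired cross-sign
LONG_CHAIN = [LEAF, R3_ISRG, X1_CROSS]  # what shop.bbc.com sends
```

Running `analyze_chain(LONG_CHAIN, TODAY)` returns no findings, while the other two lists reproduce the sslshopper complaints quoted in this thread.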

Now I put as intermediate CA.crt -> https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem

Result:
https://www.sslshopper.com/ssl-checker.html#hostname=https://support.freeboard.at

"One of the root or intermediate certificates has expired (28 days ago)."

Common name: R3
Organization: Let's Encrypt
Location: US
Valid from October 7, 2020 to September 29, 2021
Serial Number: 400175048314a4c8218c84a90c16cddf
Signature Algorithm: sha256WithRSAEncryption
Issuer: DST Root CA X3

Why is that the old one?

Because that is the old one - it expired last month.
Only choose intermediates from the "Active" section.

1 Like

@rg305 LE could have been clearer when updating the chain page. Instead of moving that cross-sign to the Retired section they left it in the Active section with a notation of retired after.

@Reinhard Rudy is right though, it is retired so use an active one.

IdenTrust has cross-signed our RSA intermediates for additional compatibility.

Active
   Let’s Encrypt R3 (RSA 2048, O = Let's Encrypt, CN = R3)
        Signed by ISRG Root X1: der, pem, txt
        Cross-signed by IdenTrust: der, pem, txt (Retired)
1 Like

OMG you are right!
That page needs some "love":

2 Likes

Now it looks quite good, thank you.

Do you have some optimization hints for my ssl config in apache's htaccess?

e.g.
SSLCipherSuite ALL:!ADH:!DH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Regards

2 Likes

I don't but Mozilla does:
https://ssl-config.mozilla.org

3 Likes

What I still wonder, my server.crt holds all 3 certificates (server, intermediate, root) since this is what my LE client fetches at update times. So why do I explicitly have to state an intermediate cert in my apache's htaccess? I tried it without, but it won't work.

Trying to understand that because I still have trouble with hMailServer, where intermediate certificates cannot be configured explicitly and the full chain provided in the server.crt (3 certs in 1) fails on the iPhone mail client.

Regards

That sounds unlikely, if not near impossible.

Try removing the last (cross-signed root) cert from the file with those three certs.

1 Like