My domain is: lukeuhren.com … https://aspen.lukeuhren.com … the site is not up 24/7 as this is a test to try and resolve this issue right now
I ran this command:
Recently I've created a PowerShell script using Posh-ACME to generate, export and import my certificates into an Azure Application Gateway load balancer. The issue I have is odd when testing the SSL cert chain on, say, https://www.ssllabs.com/. It said it didn't have an incorrect order, then I generated a new one and then that site said it did and contains an anchor. The main issue here is that all the other sites that test SSL certs say there are no chain issues and it's 100% fine. Sites like SSL Checker, SSL Certificate Checker - Diagnostic Tool | DigiCert.com, Check SSL Certificate and https://www.thesslstore.com/ssltools/ssl-checker.php. I find it odd that all the other sites show fine and SSL Labs doesn't, so for some reason that doesn't sit right with me. Is SSL Labs really the only one catching this?
If there is a chain issue and it contains the anchor, how do I avoid this? I can explain EXACTLY what I am doing as well.
I am issuing a wildcard for a specific domain that is personal for testing
$certname = "*.lukeuhren.com", "lukeuhren.com"   # wildcard plus apex (the asterisks were lost in the original post's formatting)
$certsubject = "*.lukeuhren.com"
$RootCertName = "R3"
$certpassword = "<pfx-password>"   # placeholder: the password used for the exported PFX (not defined in the original snippet)
Install-Module -Name Posh-ACME -AllowClobber -Force
Set-PAServer LE_PROD
Set-PAAccount -Contact user@gmail.com -Force
#issue cert
New-PACertificate $certname -AcceptTOS -Contact user@gmail.com -DnsPlugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'} -Verbose -Install -Force
#get cert data: the wildcard cert issued by R3 that is already valid (NotBefore no more than an hour in the future)
$certdata = Get-ChildItem -Recurse -Path Cert:\LocalMachine\My | ?{ $_.Subject -Like "CN=$certsubject" -and $_.Issuer -Like "CN=$RootCertName*" -and $_.NotBefore -le (get-date).AddHours(1)}
#export cert (leaf + key) from the LocalMachine\My store as a PFX
certutil -p $certpassword -f -exportPFX My $certdata.Thumbprint c:\Scripts\wildcard.pfx
I can export other ways as well and there is no difference. There is also a fullchain.pfx, getting the location from Get-PACertificate | fl, and it would still say chain issues on SSL Labs.
#cert.cer (Base64 encoded PEM certificate)
#cert.key (Base64 encoded PEM private key)
#cert.pfx (PKCS12 container with cert+key)
#chain.cer (Base64 encoded PEM with the issuing CA chain)
#chainX.cer (Base64 encoded PEM with alternate issuing CA chains)
#fullchain.cer (Base64 encoded PEM with cert+chain)
#fullchain.pfx (PKCS12 container with cert+key+chain)
What would someone suggest, command-wise, to export if this is showing incorrect order and contains anchor on SSL Labs? I am a bit confused about why this is having an issue with how I am going about it.
It produced this output:
Chain issues Incorrect order, Contains anchor
My web server is (include version):
Azure Application Gateway v2/Server 2012R2 IIS 8.5
The operating system my web server runs on is (include version):
Azure Application Gateway v2/Server 2012R2 IIS 8.5
My hosting provider, if applicable, is:
Microsoft Azure
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Right now this is just testing the SSL cert on Azure Application Gateway Load balancer. I have full control over it
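One way to check for the two SSL Labs findings quoted above and to export a PFX that carries only leaf + key + intermediates (no self-signed root), as an added example that is not part of the original post or of Posh-ACME. It assumes the file layout listed above, that Get-PACertificate exposes FullChainFile and PfxFile properties, and that $certpassword holds the PFX password.

```powershell
using namespace System.Security.Cryptography.X509Certificates

function Get-PemCertificates {
    param([string]$Path)
    # Split a PEM bundle (e.g. fullchain.cer) into X509Certificate2 objects, in file order
    $pem = Get-Content -Raw -Path $Path
    $blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
    foreach ($b in $blocks) {
        $bytes = [Convert]::FromBase64String(($b.Groups[1].Value -replace '\s', ''))
        [X509Certificate2]::new($bytes)
    }
}

function Test-ChainOrder {
    param([X509Certificate2[]]$Chain)
    # Approximates the SSL Labs checks from the post: 'Incorrect order' when a
    # certificate is not immediately followed by its issuer, 'Contains anchor'
    # when a self-signed root is included in what the server sends.
    $issues = @()
    for ($i = 0; $i -lt $Chain.Count - 1; $i++) {
        if ($Chain[$i].Issuer -ne $Chain[$i + 1].Subject) { $issues += 'Incorrect order' }
    }
    if ($Chain | Where-Object { $_.Subject -eq $_.Issuer }) { $issues += 'Contains anchor' }
    $issues | Select-Object -Unique
}

# Locate the files Posh-ACME wrote for the current order (property names assumed)
$paths = Get-PACertificate
$chain = Get-PemCertificates -Path $paths.FullChainFile
Test-ChainOrder -Chain $chain   # prints the findings, or nothing when the chain is clean

# Leaf with its private key, imported exportable so it survives the PFX export below
$leaf = [X509Certificate2]::new($paths.PfxFile, $certpassword, [X509KeyStorageFlags]::Exportable)

# Leaf first, then intermediates only: drop any self-signed cert and a duplicate of the leaf
$bundle = [X509Certificate2Collection]::new()
$bundle.Add($leaf) | Out-Null
$chain | Where-Object { $_.Subject -ne $_.Issuer -and $_.Thumbprint -ne $leaf.Thumbprint } |
    ForEach-Object { $bundle.Add($_) | Out-Null }

# PFX to upload to the Application Gateway listener
[IO.File]::WriteAllBytes('C:\Scripts\wildcard.pfx', $bundle.Export([X509ContentType]::Pfx, $certpassword))
```

Running Get-PemCertificates against the served chain (for example one saved from openssl s_client) and passing it to Test-ChainOrder shows whether the gateway itself reorders or appends the root after upload.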