SSL Certificate Renewal Resulted in Connection Issues with Legacy Devices on Apache2

The sites might complain about the expired root DST Root CA X3 (which is what you want I'm guessing?), but maybe they're complaining about something else.

Without knowing more details about the results of those websites (e.g., the actual chain sent by the webserver) or the hostname you're testing, it's hard to know.

This is exactly why the questionnaire MANDATES the mentioning of the hostname in question, where I'm assuming demo.com is NOT actually the hostname you want to fix. It's very tedious to have to work with just a little bit of information and have to request more info while it's usually a simple check when we know the actual hostname.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.pro.curiousfly.com

I ran this command: I have created a letsencrypt certificate, edited the fullchain.pem and added the cross-signature to the bottom

It produced this output:
[ssl:info] [pid 568614:tid 140078613526272] [client 49.47.193.147:65371] AH01998: Connection closed to child 22 with abortive shutdown (server www.pro.curiousfly.com:443)
[ssl:info] [pid 568614:tid 140078605133568] [client 106.222.237.243:13578] AH01964: Connection to child 23 established (server www.pro.curiousfly.com:443)
[ssl:debug] [pid 568614:tid 140078605133568] ssl_engine_kernel.c(2409): [client 106.222.237.243:13578] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[socache_shmcb:debug] [pid 568614:tid 140078605133568] mod_socache_shmcb.c(555): AH00837: socache_shmcb_remove (0xa1 -> subcache 1)
[socache_shmcb:debug] [pid 568614:tid 140078605133568] mod_socache_shmcb.c(570): AH00839: leaving socache_shmcb_remove successfully
[ssl:info] [pid 568614:tid 140078605133568] [client 106.222.237.243:13578] AH02008: SSL library error 1 in handshake (server www.pro.curiousfly.com:443)
[ssl:info] [pid 568614:tid 140078605133568] SSL Library Error: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher -- Too restrictive SSLCipherSuite or using DSA server certificate?

My web server is (include version): AWS EC2

The operating system my web server runs on is (include version): Ubuntu 18

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.10.0

I don't know what you did to your webserver's chain (note that "AWS EC2" is not a webserver software application, your webserver is "Apache"), but it's indeed sending an incomplete chain. It's currently sending:

  • end leaf certificate signed by R3
  • intermediate certificate ISRG Root X1 signed by DST Root CA X3

It's missing the R3 signed by ISRG Root X1 intermediate certificate in between.


Do you want me to share the fullchain.pem for reference?

That's probably a good idea. Although I'm more interested in what you did to get to that fullchain.pem.


May I know how to create the missing intermediate certificate? I have added https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem at the bottom of my fullchain.pem. Is there anything else I need to do?

fullchain.pem.txt (5.5 KB)

That fullchain seems to contain the missing intermediate, which is weird.

How is your Apache configured and how did you modify the fullchain.pem on the disk?


It's interesting that the fullchain.pem file contains the missing intermediate certificate. Prior to April, everything was working fine, including the SSL configuration. Then I tried to manually renew the certificate using sudo certbot renew

I am guessing you have a hook or other process to modify the fullchain file. And that this modified file is what Apache is using. Some people did that to create a "short chain" from the default "long chain". But, the "short chain" is now the default so trying to modify it can create problems.

What do these commands show?

sudo apache2ctl -t -D DUMP_VHOSTS
sudo certbot certificates

also show contents of the renewal conf file for this domain in this folder

/etc/letsencrypt/renewal

sudo apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 domain (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 domain (/etc/apache2/sites-enabled/000-default.conf:31)

sudo certbot certificates
Renewal configuration file /etc/letsencrypt/renewal/domain.conf produced an unexpected error: fullchain does not match cert + chain for domain!. Skipping.

Can you show contents of that file

# renew_before_expiry = 30 days
version = 2.10.0
archive_dir = /etc/letsencrypt/archive/www.pro.curiousfly.com
cert = /etc/letsencrypt/live/www.pro.curiousfly.com/cert.pem
privkey = /etc/letsencrypt/live/www.pro.curiousfly.com/privkey.pem
chain = /etc/letsencrypt/live/www.pro.curiousfly.com/chain.pem
fullchain = /etc/letsencrypt/live/www.pro.curiousfly.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ac1d1c36249c1ee488827140789090gh
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

There is actually a very easy solution to your DST Root CA X3 problem. Certbot has an option to get the alternate chain that includes it. Although, this will only work until Jun 6 (just a couple of weeks from now). On Jun 6 Let's Encrypt will no longer offer this alternate chain. See the article in post #2 of this thread.

But, you modified the file(s) in the Certbot /live/ folders so Certbot no longer works. Please do not modify files in the /etc/letsencrypt/live folders. These are managed by Certbot. If you must modify those make a copy in your own folder and use those.

I can help you get Certbot working again. If you want help with that show this

ls -l /etc/letsencrypt/live/www.pro.curiousfly.com
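The two failure modes diagnosed in this thread, the server sending a bundle that skips the intermediate (leaf signed by R3, but no R3 certificate in between) and Certbot refusing to run because fullchain.pem no longer equals cert.pem + chain.pem, can both be reproduced and checked locally. The script below is an added example written for this page; it is not from the thread, from Certbot or from Let's Encrypt. It builds a throwaway three-tier PKI with openssl (the names Demo Root CA, Demo Intermediate and www.example.test are constructed stand-ins for ISRG Root X1, R3 and the site certificate), then runs the same checks an operator would run against the real files: list the subject/issuer pairs in the bundle, ask `openssl verify` whether the leaf chains to the root using only what the server sends, and compare fullchain.pem byte-for-byte against cert.pem followed by chain.pem. It assumes `openssl` (1.1.1 or newer) and `awk` are on PATH.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot. Builds a demo PKI and
# shows (1) a bundle missing its intermediate failing verification and
# (2) the "fullchain does not match cert + chain" condition Certbot reports.
# Demo Root CA / Demo Intermediate / www.example.test are constructed names.

# Number of PEM certificates in a bundle (Apache sends them in file order).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Certbot's invariant, approximated byte-for-byte: fullchain.pem must be
# cert.pem followed by chain.pem. Hand-editing the file in /live/ breaks it.
fullchain_consistent() {
    cat "$1" "$2" | cmp -s - "$3"
}

# Does the leaf ($3) chain to the trusted root ($1) using only the
# certificates the server would send ($2, the fullchain bundle)?
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Print subject and issuer of every certificate in a bundle, in order. Each
# issuer must equal the subject of the next certificate; a gap is exactly the
# "missing intermediate" of the thread. For a live server, feed this function
# the output of:
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
list_chain() {
    split_dir=$(mktemp -d)
    awk -v dir="$split_dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", dir, n); inblk = 1 }
        inblk { print > f }
        /-----END CERTIFICATE-----/ { inblk = 0; close(f) }' "$1"
    for c in "$split_dir"/*.pem; do
        printf '%s: ' "$(basename "$c" .pem)"
        openssl x509 -noout -subject -issuer -in "$c" | tr '\n' ' '
        printf '\n'
    done
    rm -rf "$split_dir"
}

# Constructed PKI: root -> intermediate -> leaf, plus the bundles under test.
make_demo_pki() {
    dir=$1
    cfg="$dir/ext.cnf"
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$cfg" -extensions ca_ext \
        -subj "/CN=Demo Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
        -subj "/CN=Demo Intermediate" -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$cfg" -extensions ca_ext -out "$dir/chain.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
        -subj "/CN=www.example.test" -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/chain.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$cfg" -extensions leaf_ext -out "$dir/cert.pem" >/dev/null 2>&1
    # What Certbot writes: leaf followed by the intermediate.
    cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
    # What the server in the thread sends: leaf followed by a root, no intermediate.
    cat "$dir/cert.pem" "$dir/root.pem" > "$dir/broken-fullchain.pem"
    # The kind of hand edit that makes "certbot certificates" refuse the lineage.
    cat "$dir/fullchain.pem" "$dir/root.pem" > "$dir/edited-fullchain.pem"
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_demo_pki "$DEMO"

for bundle in fullchain.pem broken-fullchain.pem; do
    echo "== $bundle ($(count_certs "$DEMO/$bundle") certificates) =="
    list_chain "$DEMO/$bundle"
    if chain_verifies "$DEMO/root.pem" "$DEMO/$bundle" "$DEMO/cert.pem"; then
        echo "verify: OK"
    else
        echo "verify: FAILED (the leaf's issuer is not in the bundle)"
    fi
done
for bundle in fullchain.pem edited-fullchain.pem; do
    if fullchain_consistent "$DEMO/cert.pem" "$DEMO/chain.pem" "$DEMO/$bundle"; then
        echo "$bundle matches cert + chain"
    else
        echo "$bundle does NOT match cert + chain (Certbot would skip this lineage)"
    fi
done
```

Against the real site the same three commands apply to /etc/letsencrypt/live/www.pro.curiousfly.com/{cert,chain,fullchain}.pem, and `openssl s_client -showcerts` shows what Apache actually hands to clients, which may differ from the file on disk if a hook or a stale config points elsewhere. The "option to get the alternate chain" mentioned above is Certbot's `--preferred-chain` flag; per the thread it only helps until Let's Encrypt stops offering that chain.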
