SSL Lab Chain Issues Incomplete

many of clients are not able to access my website

My domain is: https://server3.webapp.org.in

My web server is (include version): Tomcat 9

The operating system my web server runs on is (include version): Windows Server 2012

My hosting provider, if applicable, is: Self Hosted VPS Server

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): win-acme.v2.1.18.1119.x64.trimmed

1 Like

Welcome to the Let's Encrypt Community, Ajay :slightly_smiling_face:

I have constructed the certificate chain file that you need. It is R3 signed by ISRG Root X1 and ISRG Root X1 signed by DST Root CA X3.

Download it from here:

chain.pem (3.7 KB)

This discussion provides a great explanation of the modern way:

This official guide provides the directives you need:

http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_Certificate

Pay special attention to:
certificateFile
certificateChainFile
certificateKeyFile
type

If you use certbot:
certificateFile = cert.pem
certificateChainFile = chain.pem
certificateKeyFile = privkey.pem
type = RSA

The win-acme files should map similarly.

2 Likes

You need to use the correct files for your Tomcat configuration, in this case the -chain.pem file and -key.pem: https://www.win-acme.com/reference/plugins/store/pemfiles

If you just use the .crt file you won't be serving the intermediate certificates required for the chain.

3 Likes

Good observation, @webprofusion. I missed the win-acme part. The mapping to the Tomcat settings should still hold though.

3 Likes

Thank you for your answer sir, but above chain.pem file doesn't work for me
Below is my tomcat conf settings







when i am using your chain.pem file i got error (file attach)

when i am using this chain file it works but not for all android mobile/clients
_.webapp.org.in-chain-copy.pem (3.6 KB)

please help
Thanks

1 Like

Thank you for your suggestion sir, below is my tomcat configuration

Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" 
    UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" 
    SSLHostConfig
        Certificate certificateKeyFile="confssl_.webapp.org.in-key.pem" 
                     certificateFile="confssl_.webapp.org.in-chain.pem"                        
                     type="RSA" 
    SSLHostConfig
Connector
1 Like

The "no secure protocols supported" has NOTHING to do with your chain file. It is because your Tomcat is configured to support too few cipher suites.

This will help you to properly configure your Tomcat cipher suites:
https://ssl-config.mozilla.org/#server=tomcat&version=9.0.30&config=intermediate&hsts=false&guideline=5.6

2 Likes

Thanks a lot sir, your chain.pem file and below configuration works for me. You are genius.
One more help required, every after three months manually i have to renew my certificates can i make it auto renewal any how?

#SSLHostConfig ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
disableSessionTickets="true"
honorCipherOrder="false"
protocols="TLSv1.2, TLSv1.3"#
#Certificate
certificateFile="conf/ssl/.webapp.org.in-crt.pem"
certificateChainFile="conf/ssl/
.webapp.org.in-chain.pem"
certificateKeyFile="conf/ssl/_.webapp.org.in-key.pem"
type="RSA" /#
#/SSLHostConfig#

1 Like

You are quite welcome. :slightly_smiling_face:

That is a very wise question. :bulb: :sparkling_heart:

I'm not exactly sure how you've got your win-acme configured to acquire your certificate, but since you're using a wildcard certificate, you are clearly fulfilling a dns-01 challenge.

This page offers instructions for dns challenge automation for various DNS providers:

https://www.win-acme.com/reference/plugins/validation/dns/

If none of those work for your purposes, you might consider using acme-dns:

1 Like

Regarding acme-dns as a way to automate DNS challenges, also check out Certify DNS which is a managed cloud implementation of acme-dns and can be used with various acme-dns compatible clients (not just Certify The Web) certifydns | Certify The Web Docs

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.