SSL Zen "Failed verification" missing cabundle.crt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fredcolclough.com

I ran this command: SSL Zen failed to provide all 3 cert files (cabundle.crt wouldn't download)

It produced this output: Failed verification... HOW DO I GET MY CERTS SINCE cft.sh shows I DO have them! (and I've exceeded the # of certs that can be issued...so clearly I do have a cert, I just can't get it).

My web server is (include version): Apache

The operating system my web server runs on is (include version): Linux Mint 19.1

My hosting provider, if applicable, is: SELF

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO (other than Wordpress -- fredcolclough.com/wpadmin)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot fails.

1 Like

Welcome to the Let's Encrypt Community, Fred :slightly_smiling_face:

While I don't know what to suggest to fix the problem with SSL Zen, as long as you still have your private keys saved in files, you can use their timestamps to pair them with your certificates here:

https://crt.sh/?q=fredcolclough.com

There's a download link "Download Certificate: PEM" on the left on each certificate's page. Be sure that the page says "Leaf certificate" and not "Precertificate" at the top. The certificates are listed in pairs (leaf certificate then precertificate).

You can construct the "full chain" by downloading this intermediate certificate and adding it after your certificate in your certificate file:

https://letsencrypt.org/certs/lets-encrypt-r3.pem

then downloading this intermediate certificate and adding it after the previous intermediate certificate in your certificate file:

https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem

Alternatively (for now), you can download this intermediate certificate instead of the previous two and add it after your certificate in your certificate file:

https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem

The "CA Bundle" is either the first two intermediate certificates I mentioned (together) or the last intermediate certificate I mentioned (alone). Either way will work.

1 Like

Thanks for the quick reply. My apologies, I'm not completely following, but I think we're close!

Can you elaborate on which piece goes into which piece? And filenames? I seem to have all the files, just not sure how to construct them.

You say "...downloading this intermediate cert and adding it after "YOUR CERTIFICATE in your Certificate file"?? Which is 'my' cert file?

If you could just spell it out a bit more I'm sure I'll get there! THANKS!

2 Likes

To be honest, I first recommend that you create another certificate that covers both fredcolclough.com and www.fredcolclough.com instead of just fredcolclough.com. As it currently stands, your existing certificates will create a security hole. The crt.sh link I gave you above will be updated to include your new, expanded certificate within minutes of it being issued.

1 Like

The SSL ZEN plugin wouldn't let me add the 'www.' cert! So I went ahead without it. Plus I'm locked out of creating new certs because I didn't realize it was actually issuing them when it said "verification failed", so I have like a dozen... locked out for a week it appears.

1 Like

No problem. I'll clarify more.

If you need a "full chain" certificate file, it needs to include your certificate (also known as the end-entity or leaf certificate) as well as any intermediate certificates necessary to verify your certificate. There are currently two options there: the first two intermediate certificates together that I mentioned above or the last intermediate certificate alone that I mentioned above. If you remove your certificate from the top of a "full chain" certificate file then that file is known as a "chain" certificate file or CA bundle file.

2 Likes

You have five certificates, of that I can assure you. :slightly_smiling_face: If you click the crt.sh link I gave you above, it will look like you have ten. Every other certificate in that list is a precertificate, which is of no use to you.

1 Like

OK....so which file do I paste into the other file exactly?

1 Like

(I was following the Apache 2 install instructions, which utilized the three cert files)

1 Like

Put these three certificates into a single file (in this order) if you need the full chain in one file:

4511952634.pem (2.1 KB)

https://letsencrypt.org/certs/lets-encrypt-r3.pem

https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem


This is an alternate full chain:

4511952634.pem (2.1 KB)

https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem


This is just your (leaf) certificate:

4511952634.pem (2.1 KB)


This is a CA bundle:

https://letsencrypt.org/certs/lets-encrypt-r3.pem

https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem


This is an alternate CA bundle:

https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem

1 Like

In Apache2, you usually only need to specify the SSLCertificateFile with the full chain file as the parameter and the SSLCertificateKeyFile with the private key file as the parameter. The SSLCertificateChainFile directive is obsolete. If you have an older Apache2 version, specify the SSLCertificateFile with the leaf certificate file (with only your certificate) as the parameter and the SSLCertificateChainFile with a CA bundle file as the parameter.

https://httpd.apache.org/docs/current/mod/mod_ssl.html

1 Like

OK...so since Apache wants the three files:

  • SSLCertificateFile : This is your primary SSL certificate file (certificate.crt)
  • SSLCertificateChainFile : This is your CA-Bundle file (cabundle.crt)
  • SSLCertificateKeyFile : This is your private key file (privatekey.pem)

and I'm missing the CA-bundle...I can simply combine: lets-encrypt-r3.pem with isrg-root-x1-cross-signed.pem? And call it "cabundle.cert"? Then complete the apache instructions?

1 Like

should be cabundle.crt

Otherwise, yep. :slightly_smiling_face:

You got it.

Just make sure that your certificate and private key match.

By the way, I can pretty much guarantee that SSL Zen failed due to the recent chain change where the Let's Encrypt servers were serving this before:

leaf signed by R3
R3 signed by DST Root CA X3

but are serving this now:

leaf signed by R3
R3 signed by ISRG Root X1
ISRG Root X1 signed by DST Root CA X3

1 Like

This is the official page with all the information and a diagram:

The "Subscriber Cert" is just yet another name for your Leaf certificate or End-Entity certificate.

The intermediate certificate links that I gave you came from that page.

1 Like

Be sure to reload Apache once you've updated your configuration files!

sudo apachectl -k graceful

1 Like

Thanks. Working on it...

3 Likes

Out for dinner now. I'll be back later. :slightly_smiling_face:

1 Like

I hope you enjoy dinner! When you're back...

I have the added problem of my server suddenly stopped booting to the GUI.... so terminal is all I have. So I've been 'wget'ing the files you've posted since I can't launch a file explorer.

I put the files where they're supposed to be... and made the edits in the apache2 instructions....still no go. Not sure where I went awry.

I am having some difficulty with verbiage, as it's changing. The files you posted:

  • letsencrypt-r3.pem Is this what you're calling the "private key"? And which apache file is it?
  • isrg-root-x1-cross-signed.pem Which apache file is it?
  • 4511952634.pem Which apache file is it?

I'll get there! Thx again.

1 Like

....So I've tried multiple combinations of those files, to no avail. Not sure what I'm missing.

Can you SSH in and take a look by chance?

1 Like

I'm still enjoying... :slightly_smiling_face: but...

The private key should be alone in a file provided by SSL Zen. Of all the files mentioned, the private key is the only one that you must keep secret. If you don't have it somewhere already, you will need to create a new certificate. That's why I said before that your certificate (or more specifically the public key in it) and the private key must match for anything to work.

4511952634.pem is your SSLCertificateFile

letsencrypt-r3.pem followed by isrg-root-x1-cross-signed.pem in a single file is your SSLCertificateChainFile

1 Like