SSLLabs and extra certs to be downloaded

Continuing the discussion from Incomplete, Extra intermediate chain certificate:

I currently try to fix this by downloading https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem to my installation. I use acme-tiny and a custom shell script to have it signed (acme-tiny), create the final certificate file and restart the Apache server, so I can half-automate it here. :slight_smile:

But SSLLabs still says the same missing cert in chain (R3). How can I fix my script?

#!/bin/sh

# Generates the cross-signed certificate with DH parameters and restarts web service

ACME_TINY_BIN="/var/www/letsencrypt/acme-tiny/acme_tiny.py"
ACCOUNT_KEY_FILE="/var/www/letsencrypt/account.key"
CHALLENGES_PATH="/var/www/letsencrypt/challenges/"
TEMP_PATH="/tmp/acme-tiny"
CERT_BASE_PATH="/etc/ssl/zulu289"
WWW_DATA_USER="www-data"
LETSENCRYPT_R3_PEM_FILE="/etc/ssl/certs/lets-encrypt-r3-cross-signed.pem"
TEMP_CERT_FILE="${TEMP_PATH}/signed.crt"
MAIL_NAME="mail"
MAIL_USER_GROUP="courier.postfix"
WWW_USER_GROUP="root.www-data"

if [ -z "$1" ]
then
        echo "Usage: $0 <project>"
        exit 1
elif [ ! -f "${ACME_TINY_BIN}" ]
then
        echo "$0: acme-tiny client is missing. Aborting ..."
        exit 255
elif [ ! -d "${TEMP_PATH}" ]
then
        mkdir "${TEMP_PATH}"
fi

if [ ! -f "${LETSENCRYPT_R3_PEM_FILE}" ]
then
        echo "$0: Cannot find '${LETSENCRYPT_R3_PEM_FILE}', downloading ..."
        wget https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem -O "${LETSENCRYPT_R3_PEM_FILE}"
        chmod -c a+r "${LETSENCRYPT_R3_PEM_FILE}"
fi

CSR_FILE="${CERT_BASE_PATH}/$1.csr"
CERT_FILE="${CERT_BASE_PATH}/certs/$1.crt"
TARGET_PEM_FILE="${CERT_BASE_PATH}/certs/$1.pem"

if [ ! -f "${CSR_FILE}" ]
then
        echo "$0: CSR file '${CSR_FILE}' does not exist."
        exit 1
elif [ ! -f "${TARGET_PEM_FILE}" ]
then
        echo "$0: Certificate file '${TARGET_PEM_FILE}' does not exist."
        exit 1
fi

echo "$0: Running '${ACME_TINY_BIN}' ..."
sudo -u "${WWW_DATA_USER}" python ${ACME_TINY_BIN} --account-key "${ACCOUNT_KEY_FILE}" --csr "${CSR_FILE}" --acme-dir "${CHALLENGES_PATH}" > "${TEMP_CERT_FILE}" || exit 255

echo "$0: Copying certificate '${TARGET_PEM_FILE}' ..."
cp "${TEMP_CERT_FILE}" "${TARGET_PEM_FILE}"

echo "$0: Generating DH params ..."
openssl dhparam 2048 >> "${TARGET_PEM_FILE}" || exit 255

echo "$0: Fixing permissions ..."
chmod -c a+r "${TARGET_PEM_FILE}"
if [ "$1" = "${MAIL_NAME}" ]
then
        chown -c ${MAIL_USER_GROUP} "${TARGET_PEM_FILE}" || exit 255
else
        chown -c ${WWW_USER_GROUP} "${TARGET_PEM_FILE}" || exit 255
fi

if [ "$1" = "${MAIL_NAME}" ]
then
        echo "$0: Attaching cert file ... (please fix)"
        cat "${TEMP_CERT_FILE}" >> "${CERT_FILE}"
        ${EDITOR} "${CERT_FILE}"
        echo "$0: Reloading Postfix/Courier ..."
        service postfix restart
        service courier-imap-ssl restart
        /etc/init.d/courier-pop-ssl restart
else
        echo "$0: Reloading Apache ..."
        service apache2 reload
fi

echo "$0: Cleaning ..."
rm -f "${TEMP_CERT_FILE}"

echo "$0: All done."
exit 0

What am I doing wrong? acme-tiny is up-to-date:

GIT URL: https://github.com/diafygi/acme-tiny.git
Last commit: 0a9afb2b72bafad29d172f9d3d704ef979530fe3

Or am I using an abandoned project? I would love to stay with acme-tiny as it has worked for several years by now.

PS: Didn't work with the updated version linked in ticket Add support for alternate chains · Issue #255 · diafygi/acme-tiny · GitHub
Edit: Updated script, removed X3 parts from it, fixed group name and courier-pop-ssl name

1 Like

Looking at acme-tiny's code, signed.crt should already contain both the leaf certificate and correct intermediate certificate(s).

More broadly, it's not necessary to download any external certificates when using ACME. It's all self-contained in the protocol.

If SSL Labs is complaining that Apache is not sending the correct intermediates, the two pieces of information that would be valuable are:

  • Your Apache configuration, and
  • The contents of the certificate files that the Apache configuration is referencing
3 Likes

That was an eye-opener. Thank you. The SSL-related entries in Apache look like this now:

SSLCertificateFile /etc/ssl/zulu289/certs/cloud.pem
SSLCertificateKeyFile /etc/ssl/zulu289/private/cloud-key.pem
SSLCertificateChainFile /etc/ssl/certs/lets-encrypt-r3-cross-signed.pem

The last line was pointing at the X3 cross-signed certificate, not the R3 one. So I can drop the certificate download altogether from my script? I guess I still need it for Courier and ejabberd.

But how do I get the SSL certificate fixed in Courier?

TLS_DHCERTFILE=/etc/ssl/zulu289/certs/mail.pem
TLS_CERTFILE=/etc/ssl/zulu289/certs/mail.crt

Does the PEM and/or CRT file contain the R3 certificate?

ejabberd.yml says this:

certfiles:

  • "/etc/ssl/zulu289/private/*friendica-key.pem"
  • "/etc/ssl/zulu289/private/*cloud-key.pem"
  • "/etc/ssl/zulu289/certs/*friendica.pem"
  • "/etc/ssl/zulu289/certs/*cloud.pem"

The files in /certs/ may contain the X3 certificate and ejabberd doesn't allow any option as Apache does.

Note that you should NOT hardcode an intermediate certificate. As @_az already said, it's provided by acme-tiny automatically.
Hardcoding intermediates will lead to the same issues if and/or when Let's Encrypt changes the intermediate again somewhere in the future, which might be un-announced due to an incident with R3.

1 Like

It was maybe a desperate attempt to fix the SSL trouble I had back then. Thank you, I am dropping these lines now. :slight_smile:

So I definitely don't need to download+include it in my above script?

Depending on your Apache version you might actually require the SSLCertificateChainFile directive. Just don't hardcode its value.

I didn't look in depth into your script (from a "distance" it looks kinda too elaborate for its purpose), but I just want to stress that hardcoding the URL isn't correct.

1 Like

I found the R3 twice in all certificate files (first line MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA found twice). Now I removed the old X3 certificate from all my PEM files. Test results should improve. Thank you. :slight_smile:

1 Like
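The question above ("Does the PEM and/or CRT file contain the R3 certificate?") and the later by-hand check (grepping for the first base64 line of R3 and finding it twice) can be automated. The following is an added example, not code from the thread or from acme-tiny: it uses only the Python standard library to list every PEM block in a bundle, fingerprint each certificate, report duplicates and flag non-certificate blocks (such as the DH PARAMETERS the posted script appends to the .pem), and to write back a bundle with repeated certificates removed. The sample bundle is constructed from placeholder bytes, not real certificates, so the example runs offline; run it against a real file with `audit_bundle(open(path).read())`.

```python
"""Audit a PEM bundle: which blocks it holds, whether any certificate is
present more than once, and whether non-certificate material is mixed in.
Added example for the thread; assumes nothing beyond the stdlib."""
import base64
import hashlib
import re
from collections import Counter

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _pem(label, der):
    """Wrap raw bytes as a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample: placeholder payloads, NOT real X.509 data. The
# intermediate appears twice, mimicking the "R3 found twice" situation,
# and DH parameters are appended the way the posted script does it.
_LEAF = _pem("CERTIFICATE", b"constructed leaf certificate bytes")
_INTERMEDIATE = _pem("CERTIFICATE", b"constructed intermediate certificate bytes")
_DH = _pem("DH PARAMETERS", b"constructed dh parameter bytes")
SAMPLE_BUNDLE = _LEAF + _INTERMEDIATE + _INTERMEDIATE + _DH


def parse_pem_blocks(text):
    """Return one dict per PEM block: label, SHA-256 of the decoded body,
    and the first 64 base64 characters (what you would grep for)."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        b64 = "".join(body.split())
        der = base64.b64decode(b64, validate=True)
        blocks.append({
            "label": label,
            "sha256": hashlib.sha256(der).hexdigest(),
            "first_line": b64[:64],
        })
    return blocks


def audit_bundle(text):
    """Summarise a bundle: counts, duplicated certificates (by fingerprint),
    foreign block types, and the per-certificate first lines in file order."""
    blocks = parse_pem_blocks(text)
    certs = [b for b in blocks if b["label"] == "CERTIFICATE"]
    counts = Counter(b["sha256"] for b in certs)
    return {
        "block_count": len(blocks),
        "certificate_count": len(certs),
        "unique_certificates": len(counts),
        "duplicates": sorted(fp for fp, n in counts.items() if n > 1),
        "non_certificate_blocks": sorted({b["label"] for b in blocks if b["label"] != "CERTIFICATE"}),
        "first_line_per_cert": [b["first_line"] for b in certs],
    }


def dedupe_bundle(text):
    """Return the bundle with every repeated CERTIFICATE block dropped
    (first occurrence kept, order preserved, other block types untouched)."""
    seen = set()
    kept = []
    for m in PEM_RE.finditer(text):
        label = m.group(1)
        fp = hashlib.sha256(base64.b64decode("".join(m.group(2).split()))).hexdigest()
        if label == "CERTIFICATE":
            if fp in seen:
                continue
            seen.add(fp)
        kept.append(m.group(0))
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for key, value in audit_bundle(SAMPLE_BUNDLE).items():
        print(f"{key}: {value}")
```

A bundle handed to Apache's SSLCertificateFile or Courier's TLS_CERTFILE should show the leaf first, each intermediate exactly once, and no `duplicates`; a DH PARAMETERS entry in `non_certificate_blocks` is expected only where the service is meant to read its DH group from that same file. The `first_line_per_cert` list is the programmatic equivalent of the manual grep in the last reply: compare it with the line you spotted to see which position the stale copy occupies before removing it.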
