SSLLabs and extra certs to be downloaded

Quix0r · February 27, 2021, 12:54am

Continuing the discussion from Incomplete, Extra intermediate chain certificate:

I currently try to fix this by downloading https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem to my installation. I use acme-tiny and a custom shell script to let sign (acme-tiny), create the final certificate file and restart Apache server so I can half-automate it here.

But SSLLabs still says the same missing cert in chain (R3). How can I fix my script?

#!/bin/sh

# Generates the cross-signed certificate with DH parameters and restarts web service

ACME_TINY_BIN="/var/www/letsencrypt/acme-tiny/acme_tiny.py"
ACCOUNT_KEY_FILE="/var/www/letsencrypt/account.key"
CHALLENGES_PATH="/var/www/letsencrypt/challenges/"
TEMP_PATH="/tmp/acme-tiny"
CERT_BASE_PATH="/etc/ssl/zulu289"
WWW_DATA_USER="www-data"
LETSENCRYPT_R3_PEM_FILE="/etc/ssl/certs/lets-encrypt-r3-cross-signed.pem"
TEMP_CERT_FILE="${TEMP_PATH}/signed.crt"
MAIL_NAME="mail"
MAIL_USER_GROUP="courier.postfix"
WWW_USER_GROUP="root.www-data"

if [ -z "$1" ]
then
        echo "Usage: $0 <project>"
        exit 1
elif [ ! -f "${ACME_TINY_BIN}" ]
then
        echo "$0: acme-tiny client is missing. Aborting ..."
        exit 255
elif [ ! -d "${TEMP_PATH}" ]
then
        mkdir "${TEMP_PATH}"
fi

if [ ! -f "${LETSENCRYPT_R3_PEM_FILE}" ]
then
        echo "$0: Cannot fine '${LETSENCRYPT_R3_PEM_FILE}', downloading ..."
        wget https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem -O "${LETSENCRYPT_R3_PEM_FILE}"
        chmod -c a+r "${LETSENCRYPT_R3_PEM_FILE}"
fi

CSR_FILE="${CERT_BASE_PATH}/$1.csr"
CERT_FILE="${CERT_BASE_PATH}/certs/$1.crt"
TARGET_PEM_FILE="${CERT_BASE_PATH}/certs/$1.pem"

if [ ! -f "${CSR_FILE}" ]
then
        echo "$0: CSR file '${CSR_FILE}' does not exist."
        exit 1
elif [ ! -f "${TARGET_PEM_FILE}" ]
then
        echo "$0: Certificate file '${TARGET_PEM_FILE}' does not exist."
        exit 1
fi

echo "$0: Running '${ACME_TINY_BIN}' ..."
sudo -u "${WWW_DATA_USER}" python ${ACME_TINY_BIN} --account-key "${ACCOUNT_KEY_FILE}" --csr "${CSR_FILE}" --acme-dir "${CHALLENGES_PATH}" > "${TEMP_CERT_FILE}" || exit 255

echo "$0: Copying certificate '${TARGET_PEM_FILE}' ..."
cp "${TEMP_CERT_FILE}" "${TARGET_PEM_FILE}"

echo "$0: Generating DH params ..."
openssl dhparam 2048 >> "${TARGET_PEM_FILE}" || exit 255

echo "$0: Fixing permissions ..."
chmod -c a+r "${TARGET_PEM_FILE}"
if [ "$1" = "${MAIL_NAME}" ]
then
        chown -c ${MAIL_USER_GROUP} "${TARGET_PEM_FILE}" || exit 255
else
        chown -c ${WWW_USER_GROUP} "${TARGET_PEM_FILE}" || exit 255
fi

if [ "$1" = "${MAIL_NAME}" ]
then
        echo "$0: Attaching cert file ... (please fix)"
        cat "${TEMP_CERT_FILE}" >> "${CERT_FILE}"
        ${EDITOR} "${CERT_FILE}"
        echo "$0: Reloading Postfix/Courier ..."
        service postfix restart
        service courier-imap-ssl restart
        /etc/init.d/courier-pop-ssl restart
else
        echo "$0: Reloading Apache ..."
        service apache2 reload
fi

echo "$0: Cleaning ..."
rm -f "${TEMP_CERT_FILE}"

echo "$0: All done."
exit 0

What am I doing wrong? acme-tiny is up-to-date:

GIT URL: https://github.com/diafygi/acme-tiny.git
Last commit: 0a9afb2b72bafad29d172f9d3d704ef979530fe3

Or am I having an abandoned project? I would love to stay with acme-tiny as it worked for several years by now.

PS: Didn't work with the updated version linked in ticket Add support for alternate chains · Issue #255 · diafygi/acme-tiny · GitHub
Edit: Updated script, removed X3 parts from it, fixed group name and courier-pop-ssl name

_az · February 27, 2021, 2:28am

Looking at acme-tiny's code, signed.crt should already contain both the leaf certificate and correct intermediate certificate(s).

More broadly, it's not necessary to download any external certificates when using ACME. It's all self-contained in the protocol.

If SSL Labs is complaining that Apache is not sending the correct intermediates, the two pieces of information that would be valuable are:

Your Apache configuration, and
The contents of the certificate files that the Apache configuration is referencing

Quix0r · February 27, 2021, 12:41pm

That was an eye-opener. Thank you. The SSL-related entries in Apache look like this now:

SSLCertificateFile /etc/ssl/zulu289/certs/cloud.pem
SSLCertificateKeyFile /etc/ssl/zulu289/private/cloud-key.pem
SSLCertificateChainFile /etc/ssl/certs/lets-encrypt-r3-cross-signed.pem

The last line was pointing at the X3 cross-signed certificate, not the R3 one. So I can dump the certificate download all together from my script? I guess I still need it for Courier and ejabberd.

Quix0r · February 27, 2021, 12:43pm

But how get I the SSL certificate fixed in Courier?

TLS_DHCERTFILE=/etc/ssl/zulu289/certs/mail.pem
TLS_CERTFILE=/etc/ssl/zulu289/certs/mail.crt

Does the PEM and/or CRT file contain the R3 certificate?

ejabberd.yml says this:

certfiles:

"/etc/ssl/zulu289/private/*friendica-key.pem"

"/etc/ssl/zulu289/private/*cloud-key.pem"

"/etc/ssl/zulu289/certs/*friendica.pem"

"/etc/ssl/zulu289/certs/*cloud.pem"

The files in /certs/ may contain the X3 certificate and ejabberd doesn't allow any option as Apache does.

Osiris · February 27, 2021, 1:37pm

Note that you should NOT hardcode an intermediate certificate. As @_az already said, it's provided by acme-tiny automatically.
Hardcoding intermediates will lead to the same issues if and/or when Let's Encrypt changes the intermediate again somewhere in the future, which might be un-announced due to an incident with R3.

Quix0r · February 27, 2021, 1:39pm

It was maybe a desperate attempt to fix the SSL trouble I had back then. Thank you, I dump these lines now.

So I definitely don't need to download+include it in my above script?

Osiris · February 27, 2021, 1:40pm

Depending on your Apache version you might actually require the SSLCertificateChainFile directive. Just don't hardcode its value.

I didn't look in depth into your script (from a "distance" it looks kinda too elaborate for its purpose), but I just want to stress that hardcoding the URL isn't correct.

Quix0r · February 27, 2021, 2:01pm

I found the R3 twice in all certificate files (first line MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA found twice). Now I removed the old X3 certificate from all my PEM files. Test results should improve. Thank you.

system · March 29, 2021, 2:02pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SSLLabs saying "This server's certificate chain is incomplete." Help	48	213	August 23, 2024
Issues with certificate chain after latest renewal Help	3	737	January 16, 2021
(acme-tiny) - OpenSSL Update Causes Issues with Client Help	3	1099	July 6, 2017
Incomplete, Extra intermediate chain certificate Help	10	2486	January 29, 2021
I need help with acme.sh Help	37	2834	September 12, 2021

SSLLabs and extra certs to be downloaded

Related topics