SSLLabs saying "This server's certificate chain is incomplete."

I have installed certbun, which is a Certbot alternative that uses the Porkbun API to download and install web server SSL certificates. This gave me a domain.cert.pem, intermediate.cert.pem, private.key.pem, and public.key.pem. I then just appended the domain and intermediate together and tested this cert on my testing site and it looks to not give any more issues. I will now work on getting this automated. Thanks for the tips, especially @MikeMcQ, your comment about the mismatching R10 and R3 made me realize that perhaps Porkbun was giving me incorrect files, so I looked into certbot (certbun) and now it works!

2 Likes

I still see a wrong intermediate chain when connecting to jukelyn.com
There is still an extra R3 intermediate at the end

Try this SSL Checker. It is quicker than SSL Labs which shows this same problem.

Note it will only work about half the time for your domain, because you still have the private IP '192.168.1.87' in the public DNS, which only works on your local network. This SSL Checker chooses randomly from the two IPs you have defined, so it connects properly if it gets the public IP.

jukelyn.com. 0 IN A 98.26.44.229
jukelyn.com. 0 IN A 192.168.1.87
3 Likes

I haven't updated the SSL on jukelyn.com yet, I'm sorting out some of the automation part of it and applying it to test.jukelyn.com at the moment.

1 Like

This being said however, I am still seeing R3 there now...

1 Like

Ok...
But why publish a public IP [192.168.1.87] that can't be reached by the Internet?

3 Likes

Show us those details.
And how the cert is being built/served.

3 Likes

I don't have a way of going to the site from my LAN using the domain name, so I just had that set up so that if I'm on my LAN I can use the domain as well. I'm unaware of another way to do this at the moment.

It's here: https://decoder.link/sslchecker/test.jukelyn.com/443 and this is the SSLLabs one: SSL Server Test: test.jukelyn.com (Powered by Qualys SSL Labs)

Can't you make a hosts file entry?

2 Likes

I can but I am not aware of how to do that, should I look into that first and then come back to the SSL issue?

Enable hairpinning on your router so the public IP Address will get sent back to the local LAN when requested from the local LAN.

2 Likes

It doesn't look like my router supports this. Unless it's hidden somewhere and I can't find the setting. I'm using a Spectrum SAX1V1S.

[the simple solution]

OR...
You can run your own internal DNS forwarding server and override that FQDN with the local IP.

3 Likes

This is on the list of projects that I am hoping to get setup soon.

Then Mike’s suggestion is very likely the best and easiest option.

I edit it with this command sudo vi /etc/hosts

2 Likes

I'm aware how to edit it but I'm unsure of what the entry itself would be.

Check man hosts

2 Likes

192.168.1.87 jukelyn.com test.jukelyn.com whatever.names.you.need.jukelyn.com

OR write them individually [for ease of reading]:
192.168.1.87 jukelyn.com
192.168.1.87 test.jukelyn.com
192.168.1.87 whatever.names.you.need.jukelyn.com

3 Likes

Doing this broke a lot of my things that I had set up with my reverse proxy... I'll look into it further later though. Thanks!

2 Likes

Where did you do that?
[it's only required on the LAN based client side - not the server side]

Note: If you have Windows client(s), the location of the "hosts" file is:
%SystemRoot%\system32\drivers\etc

3 Likes