This is a report of the topic here, but I am still having this issue.
Hello,
I've been making certificates using win-acme. The web server is 4D. Validation is DNS with DreamHost.
Some SSL checkers say the certificate chain is fine and others report that a valid Root CA could not be located. Why? Geocerts is one of them.
Domain is simon4d.bel.com . Note that this is a different server entirely than bel.com, but that hasn't mattered before.
I'm creating PEM files with the win-acme tool, and 4D uses the full chain and key files. I am not modifying them. There are no settings in 4D pertaining to SSL or management of certificates.
Can anyone view the domain's certificate and tell me what's going on? If it helps, there's a blank htm file here.
Right, but how do I resolve this? 4D has no settings or controls and the only instruction is to put the key.pem and cert.pem in the application directory.
The files are the exact PEM files from the win-acme script, just renamed. The cert is the full chain file, which is what we've used in the past. Should this not be the full chain file?
That might be the case indeed. I have no experience with 4D (nor Windows for that matter), but seeing the chain is send twice, the solution might be to use cert.pem instead of fullchain.pem: perhaps one of the two chains currently send disappears.
That said, even if one of the duplicate certs is removed, the final cert in the chain is still the ISRG Root X1 cert signed by the now expired DST Root CA X3 root certificate, i.e., the "Android compatibility chain" a.k.a. the "long chain". It might be the error does not go away even if just a single chain is send.
This interested me, so I did a quick online search.
Running SSL on that server requires a special plugin/library installed. Make sure it is installed.
2- All the tutorials and info I've read talk about cert.pem having a certificate - not a chain. This makes me wonder if it can support certificates signed by intermediaries, as supporting only a leaf certificate implies the server builds it's own trust path across known intermediates/roots. This wouldn't surprise me, because this server's documentation suggests it is mostly used in contexts where a self-signed or corporate certificate would be used - not a publicly trusted one.
For stuff like this, I find the only real option is to build out a test matrix of different possible combinations in a text document, and test them all - adding detailed notes to each one you tried.
e.g.
Test Leaf Certificate only
Test Leaf Certificate + [Intermediates, ]
Test Leaf Certificate + [Intermediates, ] + Root
I would do this for each of the possible intermediate chains.
The chain you have is: simon4d.bel.com ▶▶ R3 ▶▶ ISRG Root X1 ▶▶ R3 ▶▶ ISRG Root X1 ▶▶ [DST Root CA X3] which looks to me like some confusion matching the intermediate vs root names.
Try setting the Preferred Chain option to ISRG Root X1 in your win-acme config and renew the cert to force the files to be rebuilt (there may be another way to regenerate the files in win-acme but I don't know it).
You may also consider just using a more common web server like IIS, nginx, caddy etc and reverse proxy that back to to your 4D site as http, if not ensure that you are always using the latest version of 4D because webservers are constantly under attack while connected to the internet.