Strange loop of the chain

Hi!

We installed an SSL certificate on Mac OS 10.14.6 via the Let's Encrypt Certbot 1.10.1.

sudo certbot certonly --standalone

The server of our applications (iPhone app and webapp) listens on ports 9090 and 9092.

Since our applications expect the certificate to be in a specific location and with a specific name, we symlinked to it from the Let's Encrypt directory:

ln -s /etc/letsencrypt/live/topix.mapz.com/fullchain.pem '/Applications/TOPIX/TOPIX Server/TOPIX Server.app/Contents/Server Database/cert.pem'

ln -s /etc/letsencrypt/live/topix.mapz.com/privkey.pem '/Applications/TOPIX/TOPIX Server/TOPIX Server.app/Contents/Server Database/key.pem'

An SSL check with SSL Shopper now shows a valid certificate for port 9092, but with 20 chain certificates:

https://www.sslshopper.com/ssl-checker.html#hostname=https://topix.mapz.com:9092

Looks like a loop. Nevertheless the iPhone app is reachable.

On port 9090 there are "only" three chain certificates, but the root certificate again seems to point to the installed SSL certificate. The webapp reports "PR_END_OF_FILE_ERROR".

Another check at namecheap reports "The order of certificates is invalid or certificates cannot build certification path" for both ports.

https://decoder.link/sslchecker/topix.mapz.com/9092

Do you have any idea about this? Thanks in advance!

Tim

--

My domain is: topix.mapz.com:9092

I ran this command:
sudo certbot certonly --standalone

ln -s /etc/letsencrypt/live/topix.mapz.com/fullchain.pem '/Applications/TOPIX/TOPIX Server/TOPIX Server.app/Contents/Server Database/cert.pem'

ln -s /etc/letsencrypt/live/topix.mapz.com/privkey.pem '/Applications/TOPIX/TOPIX Server/TOPIX Server.app/Contents/Server Database/key.pem'

The operating system my web server runs on is (include version): Mac OS 10.14.6

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is: Certbot 1.10.1

Hi and welcome to the LE community forum :slight_smile:

There is a definite loop there.
Please show:
ls -l /etc/letsencrypt/live/topix.mapz.com/fullchain.pem

Also try:

unlink '/Applications/TOPIX/TOPIX Server/TOPIX Server.app/Contents/Server Database/cert.pem'
ln -s /etc/letsencrypt/live/topix.mapz.com/fullchain.pem '/Applications/TOPIX/TOPIX Server/TOPIX Server.app/Contents/Server Database/cert.pem'

and restart service and retest.

If that works, check it later as well.
If it fails after some time, check your cron jobs - they may be messing things up with a previous attempt to make a working fullchain file.

If it fails right away...
Then please show the contents of fullchain.pem:
cat /etc/letsencrypt/live/topix.mapz.com/fullchain.pem

Hi @theword

TOPIX uses cert.pem, so fullchain.pem may be wrong. Use cert.pem instead.

ls -l /etc/letsencrypt/live/topix.mapz.com/fullchain.pem

lrwxr-xr-x 1 root wheel 43 13 Jan 12:02 /etc/letsencrypt/live/topix.mapz.com/fullchain.pem -> ../../archive/topix.mapz.com/fullchain2.pem

Hi @rg305 @JuergenAuer

Thanks a lot, I will check your suggestions and will give feedback.

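The two checks requested in this thread (where the symlink the server reads ends up, and what fullchain.pem contains), combined into one script as an added example that is not part of the original posts. The function names, the temporary directory layout and the placeholder certificate bodies are constructed, and treating a repeated certificate in the bundle as the thing to look for is an assumption; the thread does not confirm the cause.

```shell
#!/bin/sh
# Added example: inspect the file a server actually reads as its certificate.

# Follow a symlink hop by hop (no reliance on readlink -f); stop after 16 hops.
follow_links() {
    p=$1; hops=0
    while [ -L "$p" ] && [ "$hops" -lt 16 ]; do
        t=$(readlink "$p")
        case $t in /*) p=$t ;; *) p=$(dirname "$p")/$t ;; esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$p"
}

# Print "total=<n> unique=<n>" for the certificates in a PEM bundle.
# Returns 1 if any certificate appears more than once (details go to stderr).
pem_summary() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/ {
            if (inside) {
                total++
                if (body in seen) {
                    printf "cert %d repeats cert %d\n", total, seen[body] > "/dev/stderr"
                } else { seen[body] = total; unique++ }
            }
            inside = 0; next
        }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
        END { printf "total=%d unique=%d\n", total, unique; exit (total != unique) }
    ' "$1"
}

# Constructed sample: the bodies are placeholders, not real certificates.
make_sample() {
    mkdir -p "$1/archive" "$1/live" "$1/app"
    for body in LEAF0000 INTERMEDIATE0000 LEAF0000; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----'
    done > "$1/archive/fullchain2.pem"
    ln -s ../archive/fullchain2.pem "$1/live/fullchain.pem"
    ln -s "$1/live/fullchain.pem" "$1/app/cert.pem"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
target=$(follow_links "$demo_dir/app/cert.pem")
echo "server reads: $target"
pem_summary "$target" || echo "bundle contains repeated certificates"
rm -rf "$demo_dir"
```

On the real host, `pem_summary "$(follow_links '/Applications/TOPIX/TOPIX Server/TOPIX Server.app/Contents/Server Database/cert.pem')"` reports how many certificates the server's file holds and whether any of them repeats.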