The certificate chain in the configuration details of the certificate is invalid

WeLooop · April 7, 2023, 4:11pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: welooop.com

I ran this command:
certbot certonly --manual --preferred-challenges=dns
--email welooop@welooop.com
--server https://acme-v02.api.letsencrypt.org/directory
--agree-tos
-d welooop.com

It produced this output:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/welooop.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/welooop.com/privkey.pem
This certificate expires on 2023-07-05.

My web server is (include version): Oracle Apex in OCI

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: Oracle Cloud Infrastructure (OCI)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.5.0

rg305 · April 7, 2023, 4:36pm

The web server seems misconfigured.

curl -Ii https://welooop.com/
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

WeLooop · April 7, 2023, 4:36pm

Hi, Let's Encrypt Experts,

I created a certificate 2.5 months ago, and used it on my website, and it worked. See my previous question thread: Not Secure after certificate was issued

Yesterday I renewed my certificate with the cmd above and it succeeded.

I created a new OCI load balancer with the new/renewed certificate but I got "The certificate chain in the configuration details of the certificate is invalid." my old load balancer and original certificate were deleted and can't be recovered (sorry).

I received 4 files:
cert1.pem
chain1.pem
fullchain1.pem
privkey1.pem

and I used 3 of them to upload:
cert1.pem
chain1.pem
privkey1.pem

But after it failed, I tried basically all different combination, but none worked.

I googled, some mentioned that it needs to include ROOT certificate, my renewed certificate didn't include ROOT certificate?

How do I verify the certificate is valid? or How do I make it work?

Sincerely appreciate your help!

rg305 · April 7, 2023, 4:37pm

You should never include the root certificate.
All systems should already have all the root certificates.

rg305 · April 7, 2023, 4:39pm

That is never the problem.
Unless you have modified the files:

~~Undo the changes.~~
~~Put things back to when they did work.~~

WeLooop · April 7, 2023, 4:40pm

Thank you for your reply!

I followed exactly the same instructions to set up the load balancer (it worked before). Below is the screenshot when filling up certificate:

rg305 · April 7, 2023, 4:41pm

Try using the "short chain".

rg305 · April 7, 2023, 4:45pm

You should use the symlinks in the /live/ folder.
Not the files in the /archive/ folder.
Because when cert1.pem is renewed, it will become cert2.pem and you will have to manually reenter it.
Whereas the symlink will always point to the latest file.

Also, I think you may be able to use just fullchain and privkey [instead of cert, chain, and privkey].

WeLooop · April 7, 2023, 4:46pm

"short chain" is chain1.pem, not "fullchain1.pem", correct? I tried, still the same error.

rg305 · April 7, 2023, 4:48pm

No.
"Short chain" is part of chain and fullchain - but shorter [removing the last cert (when they contain the cross-signed root)]

Please show either one [cert or fullchain] and I can better explain.

fullchain = cert + chain

WeLooop · April 7, 2023, 4:50pm

the symlinks in live folder points to archive, I used root to issue the certbot command, I copied the 4 files in archive folder to /home/ubuntu and chown to ubuntu, so I could winscp as ubuntu to download the files.

In OCI, there are 3 fields and all are mandatory, so I have to use cert , chain , and privatekey, any other ways?

rg305 · April 7, 2023, 4:51pm

Then use three.

But let's try using the "short" chain.
Show chain file and I will explain.

rg305 · April 7, 2023, 4:52pm

This sounds like something that won't be automated.

WeLooop · April 7, 2023, 4:54pm

I see. there are 2 blocks in chain.pem, and 3 blocks in fullchain.pem, let me remove the last block in chain.pem, and try

rg305 · April 7, 2023, 4:56pm

If that works, then you only need to renew the cert and request the "short chain".

That said, you really need to work on a way to automate the renewals.

WeLooop · April 7, 2023, 4:58pm

Sorry, it didn't work, I removed the second/last block in chain.pem, still the same error:
The certificate chain in the configuration details of the certificate is invalid.

WeLooop · April 7, 2023, 5:00pm

Once it works, I will think about automation, but right ow, it is a little overwhelming

WeLooop · April 7, 2023, 5:03pm

here is the chain.pem (before I removed the last block)
chain.pem (3.7 KB)

WeLooop · April 7, 2023, 5:11pm

Once thing I need to mention:
2.5 months ago, I issued:
-d welooop.com,*.welooop.com
to get the certificate, and it actually worked on my site.
As mentioned in the previous thread: Not Secure after certificate was issued - #10 by Osiris
I was told I don't need the wild card, so just let it expire. Yesterday I just issue the command with:
-d welooop.com
Does this make any difference?

rg305 · April 7, 2023, 5:27pm

That is the "long chain".

Did you remove and retry?

Not much.
But it won't cover the "www" name:

Name:    welooop.com
Address: 129.80.187.95

Name:    www.welooop.com
Address: 129.80.187.95

If you also need to cover that name, use:
-d welooop.com -d www.welooop.com