This server's certificate chain is incomplete. Grade capped to B. openshift


#1

Hi,
First of all, thanks for your great work on trying to make the Internet a more secure place. I am hosting my app on openshift, so I generated certificates manually:

./letsencrypt-auto -a manual -d www.digrin.com --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview

I uploaded those certificates to openshift (I tried chain1.pem as well as fullchain1.pem), but I get a B rating and a "Chain incomplete" message.


What am I doing wrong? I used Easy mode when generating certificates. I wrote an article, in Slovak, on how to implement letsencrypt on openshift with django.


#2

My guess is that since you’re providing the cert separately here, it’s expecting a chain that does not include said cert, which fullchain.pem does; try using chain1.pem instead of fullchain1.pem. [Disclaimer: I have no idea what openshift is, this is just a stab based on the set of fields I see here…]

If that doesn’t work, try supplying fullchain1.pem for your “SSL Certificate”, and leave the chain blank.


#3

Hi, it is even possible to fix the chain without requesting a new certificate.
At least in Java this is easy to do. Did you check the content of the two files (chain1 + fullchain1)?


#4

I checked chain1 and fullchain1, they look ok.


#5

As you mentioned, I tried SSL Certificate as fullchain1.pem, chain left blank and used private key as in image from original question. It works and I have grade A now, thanks!


#6

I recommend using the fullchain.pem from the live directory instead of fullchain1.pem from the archive directory. In the future when people are using the automated renewal tools, using fullchain.pem will guarantee that your certificate is automatically updated to the new version whenever you renew. Using fullchain1.pem from archive means that you’ll be stuck on that particular version and will have to manually change your configuration after each certificate renewal.


#7

Thanks for info. On openshift I have to upload certs manually at the moment, so it does not matter. Files in live are symlinked to archive, so I used archive files for upload :) I do not have root permission on openshift.


#8

Wait a sec, you specified the fullchain, which contains the cert and the intermediate; try using the chain as intermediate.


#9

I don't understand, My1. I used what Kromey suggested and now my domain has an A grade:


#10

Well, using the fullchain and no intermediate is also a way of doing it.
Essentially the same: you can either use only the fullchain or cert + chain, depending on what the server supports.


#11

I tried using cert1.pem as “SSL Certificate”, chain1.pem as “SSL Certificate Chain” and privkey1.pem as “Certificate private key” but chain incomplete message was still present.


#12

okay now I am really confused…


#13

I might try it again in case I made a mistake. If you want to check it.


#14

When you have time, you can try; I won't push it, but it is weird, since fullchain is essentially just cert+chain. It should also be visible in the file contents.

Unless your server or CP misbehaves, technically it should work.


#15

So I uploaded all three files as mentioned above. Now I get a B rating. Like I said, chain1.pem and fullchain1.pem look ok - both have

-----BEGIN CERTIFICATE-----

and

-----END CERTIFICATE-----

(fullchain has two certificates)


#16

Yes, chain.pem contains your intermediate, fullchain.pem contains your cert.pem and the chain.pem concatenated.
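
The relationship described in post #16 can be checked mechanically instead of by eye. The following is an added example, not part of any post in this thread: the function names are hypothetical, the sample PEM blocks are constructed placeholders rather than real certificates, and `served_count` assumes the hosting panel simply concatenates its two upload fields.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def check_bundle(cert_pem, chain_pem, fullchain_pem):
    """Compare the three files by decoded content, ignoring line wrapping."""
    cert, chain, full = map(pem_blocks, (cert_pem, chain_pem, fullchain_pem))
    problems = []
    if len(cert) != 1:
        problems.append(f"cert.pem holds {len(cert)} certificates, expected 1")
    if not chain:
        problems.append("chain.pem holds no intermediate")
    if cert and chain and cert[0] in chain:
        problems.append("chain.pem also contains the leaf certificate")
    if full != cert + chain:
        problems.append("fullchain.pem is not cert.pem followed by chain.pem")
    return problems

def served_count(certificate_field, chain_field=""):
    """Certificates sent by a server that concatenates both upload fields
    (assumption: the panel does no filtering or reordering)."""
    return len(pem_blocks(certificate_field)) + len(pem_blocks(chain_field))

def fake_pem(payload):
    # Constructed placeholder: PEM framing only, NOT a real X.509 certificate.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    leaf = fake_pem(b"constructed-leaf")
    inter = fake_pem(b"constructed-intermediate")
    # Consistent set: no problems reported.
    print(check_bundle(leaf, inter, leaf + inter))
    # fullchain pasted where chain belongs: leaf appears twice.
    print(check_bundle(leaf, leaf + inter, leaf + inter))
    # cert only, cert + chain, fullchain alone.
    print(served_count(leaf), served_count(leaf, inter), served_count(leaf + inter))
```

To use it on real files, read cert, chain and fullchain from disk and pass their text to `check_bundle`; a leaf-only upload (count of 1) is the case that produces the incomplete-chain result.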


#17

Then it is weird that cert.pem + chain.pem does not work while fullchain.pem does. I’ll notify openshift, maybe they can help.


#18

Did you figure out what the problem was? I had to upload the fullchain.pem for the certificate and privkey.pem for the private key and that fixed it. I did not upload anything for the chain.


#19

no, nothing new in bug report.


#20

Try uploading the fullchain instead of the certificate and leave the chain field empty.