Two identical certs in full chain?!

Why does Let's Encrypt put 2 identical server certs into the full chain?
It can be seen using openssl s_client.
It will show that the 0th and 1st certs in the chain are identical, belonging to the server.
For example:

openssl s_client -connect smt.st:443
Certificate chain
 0 s:CN = smt.st
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN = smt.st
   i:C = US, O = Let's Encrypt, CN = R3
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

It started not long ago. Maybe in Sep 2023.
Maybe because of that (?), lynx CAN'T verify the cert.

lynx smt.st

Hell with it. But git CAN'T verify the cert either.

git clone https://smt.st/git/

Firefox and lots of other apps CAN verify the cert.

However, in /etc/letsencrypt/live/smt.st, chain.pem has 2 certs and fullchain.pem has 3 certs.

It doesn't. Probably a misconfigured webserver.

4 Likes

What I've got in Apache conf. Anything wrong?

<VirtualHost ...
    ServerName          smt.st
    ServerAdmin         ...
...
    DocumentRoot        /home/i/web/smt.st/
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/smt.st/cert.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/smt.st/privkey.pem"
    SSLCertificateChainFile "/etc/letsencrypt/live/smt.st/fullchain.pem"
</VirtualHost>

Yes, you've used one or two directive(s) incorrectly. Depending on the Apache version used, either just use SSLCertificateFile with fullchain.pem as value (2.4.8 and newer) (so no SSLCertificateChainFile at all) or use chain.pem as option to SSLCertificateChainFile (for old Apaches).

fullchain.pem also includes cert.pem, so that's why your Apache is sending it twice: you told it to do so.

5 Likes
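An added check, not from the thread or from Certbot: split a PEM bundle or saved `openssl s_client -showcerts` output into certificates, fingerprint each one, and flag any cert that the server sends twice (the leaf at positions 0 and 1 above), plus confirm that fullchain.pem is exactly cert.pem followed by chain.pem. The PEM blocks below are constructed stand-ins with valid framing, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def split_pem(text):
    """Return the DER bytes of every certificate block in a PEM bundle or in
    saved `openssl s_client -showcerts` output (s:/i: lines are ignored)."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def fingerprint(der):
    # Same digest `openssl x509 -noout -fingerprint -sha256` prints, minus colons.
    return hashlib.sha256(der).hexdigest()

def duplicate_positions(served):
    """Map fingerprint -> chain positions for every cert sent more than once."""
    seen = {}
    for idx, der in enumerate(served):
        seen.setdefault(fingerprint(der), []).append(idx)
    return {fp: pos for fp, pos in seen.items() if len(pos) > 1}

def fullchain_is_cert_plus_chain(cert_pem, chain_pem, fullchain_pem):
    """Certbot writes fullchain.pem = cert.pem + chain.pem, so handing Apache
    both cert.pem and fullchain.pem makes the leaf go out twice."""
    expected = [fingerprint(d) for d in split_pem(cert_pem) + split_pem(chain_pem)]
    return [fingerprint(d) for d in split_pem(fullchain_pem)] == expected

def _pem(payload):
    # Constructed stand-in block: valid PEM framing, not a real certificate.
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

LEAF, INTERMEDIATE, ROOT = _pem(b"leaf smt.st"), _pem(b"R3"), _pem(b"ISRG Root X1")
CERT_PEM, CHAIN_PEM = LEAF, INTERMEDIATE + ROOT
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM

# Misconfigured server from the thread: SSLCertificateFile cert.pem followed by
# SSLCertificateChainFile fullchain.pem, so the leaf is sent at positions 0 and 1.
SERVED_BAD = split_pem(CERT_PEM + FULLCHAIN_PEM)
# After the fix (SSLCertificateFile fullchain.pem, no chain directive).
SERVED_GOOD = split_pem(FULLCHAIN_PEM)

if __name__ == "__main__":
    print("duplicates (bad):", duplicate_positions(SERVED_BAD))
    print("duplicates (good):", duplicate_positions(SERVED_GOOD))
```

Against a live server, feed `split_pem()` the output of `openssl s_client -showcerts -connect host:443 </dev/null` saved to a file.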

Thanks! Sorry for being noob here...

2 Likes

You can find out more about the different files produced by Certbot in the user guide at User Guide — Certbot 2.6.0 documentation (direct link to correct paragraph).

4 Likes

Don't feel too bad; you're a step ahead of most people: You checked whether your server was actually sending the right chain, rather than just assuming that if you could load your site in one web browser somewhere that it must be configured correctly.

5 Likes
