Hello!
Verifying a certificate gives an error:
openssl s_client -CApath /etc/ssl/certs/ -connect amimanera.de:443
unable to get local issuer certificate
In Apache, the following is specified:
SSLCertificateFile /etc/letsencrypt/live/amimanera.de/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/amimanera.de/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/amimanera.de/chain.pem
When verifying the cert of another server with similar Apache settings, the output is fine.
I don’t understand what’s the reason the verifying fails.
Both servers run CentOS 7.
Andreas
Hi @porrier
Checking your domain, you see the problem - https://check-your-website.server-daten.de/?q=amimanera.de
Your IPv4 has the complete chain - your certificate and the Let's Encrypt intermediate certificate.
Your IPv6 has only your certificate, the Let's Encrypt certificate is missing.
So you have different configurations for IPv4 and IPv6. Use your IPv4 as a template to fix your IPv6.
Osiris
And not only for your chain issue: your whole TLS configuration differs a lot. The cipher suites enabled for IPv6 aren’t very good, for example. See https://www.ssllabs.com/ssltest/analyze.html?d=amimanera.de for more info.
You should also pass -servername amimanera.de to send the SNI extension like modern clients do, or else you'll get the default certificate.
_az
They fixed this in OpenSSL 1.1.1 so it's set automatically.
(But OP will need to do it anyway since CentOS 7 is stuck on 1.0.2).
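The IPv4/IPv6 chain mismatch diagnosed in this thread can be checked by comparing the "Certificate chain" section and the verify code of two `openssl s_client` runs. The script below is an added example, not code from any poster; the function names are hypothetical and the two sample outputs are constructed (example.org, invented CA names).

```shell
#!/usr/bin/env bash
# Count entries in the "Certificate chain" section of s_client output (stdin).
# The section ends at a line that is exactly "---"; PEM markers printed by
# -showcerts start with "-----" and must not end it early.
chain_depth() {
  awk '/^Certificate chain/ { in_chain = 1; next }
       $0 == "---"          { in_chain = 0 }
       in_chain && /^ *[0-9]+ s:/ { n++ }
       END { print n + 0 }'
}

# Print the numeric "Verify return code" (0 means the chain verified).
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# compare_families <ipv4-output> <ipv6-output>: report both, fail on mismatch.
compare_families() {
  local d4 d6 v4 v6
  d4=$(printf '%s\n' "$1" | chain_depth); v4=$(printf '%s\n' "$1" | verify_code)
  d6=$(printf '%s\n' "$2" | chain_depth); v6=$(printf '%s\n' "$2" | verify_code)
  echo "IPv4: $d4 cert(s) sent, verify code ${v4:-?}"
  echo "IPv6: $d6 cert(s) sent, verify code ${v6:-?}"
  [ "$d4" = "$d6" ] && [ "$v4" = 0 ] && [ "$v6" = 0 ]
}

# Constructed sample outputs (not real captures).
SAMPLE_V4='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=example.org
   i:/O=Example CA/CN=Example Intermediate
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
 1 s:/O=Example CA/CN=Example Intermediate
   i:/O=Example CA/CN=Example Root
---
    Verify return code: 0 (ok)'
SAMPLE_V6='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=example.org
   i:/O=Example CA/CN=Example Intermediate
---
    Verify return code: 21 (unable to verify the first certificate)'

compare_families "$SAMPLE_V4" "$SAMPLE_V6" || echo "MISMATCH: fix the vhost that sends the shorter chain"
```

For a live check, capture each output with `openssl s_client -connect host:443 -servername host -showcerts </dev/null`; OpenSSL 1.1.0 and later accept `-4` and `-6` to force the address family.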