"unable to verfify the first certificate" - cert chain broken, but using fullchain.pem

Multiple sources confirm that the certificate chain for my domain co2avatar.org is seen as incomplete.

I cannot understand why and how to debug this, also I am not an admin and did not work much with certificates yet.

Error messages

for
openssl s_client -connect co2avatar.org:443 -servername co2avatar.org -showcerts
CONNECTED(00000003)
depth=0 CN = sustainable-data-platform.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = sustainable-data-platform.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = sustainable-data-platform.org
   i:C = US, O = Let's Encrypt, CN = R3
# [... SNIP ...]
Server certificate
subject=CN = sustainable-data-platform.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2581 bytes and written 431 bytes
Verification error: unable to verify the first certificate
for
curl -v co2avatar.org
* Connected to co2avatar.org (85.214.38.88) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate

SSLLabs show similar results:

Chain issues incomplete

One guess was, that my Apache configuration is broken. But I have verified that I am using this in all <VirtualHost :443>:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/co2-avatar.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/co2-avatar.com/privkey.pem
All, but /etc/letsencrypt/options-ssl-apache.conf, which should not be changed AFAIK

Now I am lost: the fullchain.pem file exists, it contains three certificates. How can I check that the chain there is right? And the server seems to deliver it, but how can I check whether Apache is delivering the right file?

The .pem files have been created by certbot renew and latest command was certbot certonly --cert-name co2-avatar.com -d sustainable-data-platform.org,co2avatar.org{,some-more.domains}

Do you need to see some certbot configuration?

The problem is that your Apache is too old. Your Apache is version 2.4.6 (as seen by your HTTP Server header, which says Apache/2.4.6 (CentOS) mod_jk/1.2.48 OpenSSL/1.0.2k-fips PHP/7.2.29). These old versions can only load a single leaf certificate from a file.

For these old versions, you need to additionally set SSLCertificateChainFile, like this:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/co2-avatar.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/co2-avatar.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/co2-avatar.com/privkey.pem

Instead of relying on fullchain.pem to supply all at once. For newer Apache versions (docs say 2.4.8 and up) this is no longer needed and your current configuration would just work. You might want to consider upgrading your OS and/or software packages, in which case the above would not be needed.

3 Likes

Wow, this solved the problem, many thanks!

We should indeed update our OS and packages, but this is not completely in my hands.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.