Validator.w3.org fails because of Let's Encrypt Cert?

I was trying to validate this web page which led to this URL

https://validator.w3.org/check?uri=https%3A%2F%2Ffiles.luo.ma%2Fview%2FMacSparky-Shortcuts-for-iOS-13-Shortcuts-Field-Guide.html&charset=(detect+automatically)&doctype=Inline&group=0

which failed with this error message:

500 Can't connect to files.luo.ma:443 (SSL connect attempt failed error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type)

Then I tried it at http://www.htmlhelp.com/cgi-bin/validate.cgi?url=https%3A%2F%2Ffiles.luo.ma%2Fview%2FMacSparky-Shortcuts-for-iOS-13-Shortcuts-Field-Guide.html&warnings=yes and was told

SSL negotiation failed:

As far as I can tell the SSL cert for https://files.luo.ma is fine, but obviously these folks think differently.

I'm not sure how to proceed, so I'm hoping someone here might have a suggestion.

Thanks for your time.

Your certificate chain is weird. You need to send just the leaf certificate and the intermediate.

Currently you are sending:

  • Leaf
  • Leaf again
  • Intermediate
  • Root

I don’t know if that’s the reason those tools are breaking, but it’s possible.

I’m sorry, but I’m entirely new at SSL certificates with Let’s Encrypt, and I do not know what a certificate chain is or how to change it.

I do know how to view the details of a certificate in Safari and Chrome, but I’m not sure what to look for, or where to look for what is weird vs normal.

I tried googling and there are 10k+ articles but they all seem to presume I know what I’m looking for and just need to know how to get to each certificate on each computer.

Hi @tjluoma

You can't see that with a browser. Use (raw) OpenSSL or online tools.

Checking your domain - https://check-your-website.server-daten.de/?q=files.luo.ma#connections

Your server sends the files.luo.ma certificate two times. And your server sends the root certificate. Both are wrong.

A correct output - https://check-your-website.server-daten.de/?q=server-daten.de#connections

The own certificate - only once. No root certificate, because the client has its own list of root certificates.

You have an Apache

Server: Apache

Share your vHost configuration file.


Thank you for the information. I knew there had to be a tool like that out there, but I failed to find any.

Here is my vHost file

<VirtualHost 127.0.0.1:34543>
	ServerName https://files.luo.ma:443
	ServerAdmin admin@example.com
	DocumentRoot "/Volumes/Media/Dropbox/Sites/files.luo.ma"
	DirectoryIndex index.html index.php default.html
	CustomLog /var/log/apache2/access_log combinedvhost
	ErrorLog /var/log/apache2/error_log
	<IfModule mod_ssl.c>
		SSLEngine Off
		SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
		SSLProtocol -all +TLSv1.2
		SSLProxyEngine Off
		SSLCertificateFile "/etc/certificates/files.luo.ma.33D315BF61ACBBD4068903DDC376DA7E44288693.cert.pem"
		SSLCertificateKeyFile "/etc/certificates/files.luo.ma.33D315BF61ACBBD4068903DDC376DA7E44288693.key.pem"
		SSLCertificateChainFile "/etc/certificates/files.luo.ma.33D315BF61ACBBD4068903DDC376DA7E44288693.chain.pem"
		SSLProxyProtocol -all +TLSv1.2
		SSLProxyCheckPeerCN off
		SSLProxyCheckPeerName off
	</IfModule>
	<IfModule mod_secure_transport.c>
		MSTEngine Off
		MSTCipherSuite HIGH, MEDIUM
		MSTProtocolRange TLSv1.2 TLSv1.2
		MSTProxyEngine On
		MSTIdentity SHA-256:b0f7e479d45ff737c8b363d7c58d38700b3d3725b2940838c22877d09c39abcb:"files.luo.ma"
		MSTProxyProtocolRange TLSv1.2 TLSv1.2
	</IfModule>
	<Directory "/Volumes/Media/Dropbox/Sites/files.luo.ma">
		Options All -Indexes -ExecCGI -Includes +MultiViews
		AllowOverride All
		<IfModule mod_dav.c>
			DAV Off
		</IfModule>
		<IfDefine !WEBSERVICE_ON>
			Require all denied
			ErrorDocument 403 /customerror/websitesoff403.html
		</IfDefine>
	</Directory>
</VirtualHost>

I have to admit that until I searched it out, I have never actually seen this file. It must have been generated by the Server.app on macOS, but I assume that I can edit this as needed.

I’m also assuming there’s no confidential information here or anything. I really wish I understood this better.

Thanks for your time and patience. I am pleased to learn more about this, especially as Apple moves to deprecate its server functionality.


That's duplicated. "key" is your private key, that's ok (don't share the content of that file).

cert.pem is normally your own certificate. Looks like chain.pem contains your own, the Let's Encrypt and the root certificate.

Share the content or check if there are three certificates. If yes, remove the last (that's the root) and use that file as "SSLCertificateFile", and remove the "SSLCertificateChainFile".

PS: First make a backup of all three files.


All three files exist:

-rw-r--r-- 1 root wheel     1903 Sep 13 06:37 /etc/certificates/files.luo.ma.33D315BF61ACBBD4068903DDC376DA7E44288693.cert.pem
-rw-r--r-- 1 root wheel     4750 Sep 13 06:37 /etc/certificates/files.luo.ma.33D315BF61ACBBD4068903DDC376DA7E44288693.chain.pem
-rw-r----- 1 root certusers 1751 Sep 13 06:37 /etc/certificates/files.luo.ma.33D315BF61ACBBD4068903DDC376DA7E44288693.key.pem

I've removed the last entry

<VirtualHost 127.0.0.1:34543>
	ServerName https://files.luo.ma:443
	ServerAdmin admin@example.com
	DocumentRoot "/Volumes/Media/Dropbox/Sites/files.luo.ma"
	DirectoryIndex index.html index.php default.html
	CustomLog /var/log/apache2/access_log combinedvhost
	ErrorLog /var/log/apache2/error_log
	<IfModule mod_ssl.c>
		SSLEngine Off
		SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
		SSLProtocol -all +TLSv1.2
		SSLProxyEngine Off
		SSLCertificateFile "/etc/certificates/files.luo.ma.33D315BF61ACBBD4068903DDC376DA7E44288693.cert.pem"
		SSLCertificateKeyFile "/etc/certificates/files.luo.ma.33D315BF61ACBBD4068903DDC376DA7E44288693.key.pem"
		SSLProxyProtocol -all +TLSv1.2
		SSLProxyCheckPeerCN off
		SSLProxyCheckPeerName off
	</IfModule>
	<IfModule mod_secure_transport.c>
		MSTEngine Off
		MSTCipherSuite HIGH, MEDIUM
		MSTProtocolRange TLSv1.2 TLSv1.2
		MSTProxyEngine On
		MSTIdentity SHA-256:b0f7e479d45ff737c8b363d7c58d38700b3d3725b2940838c22877d09c39abcb:"files.luo.ma"
		MSTProxyProtocolRange TLSv1.2 TLSv1.2
	</IfModule>
	<Directory "/Volumes/Media/Dropbox/Sites/files.luo.ma">
		Options All -Indexes -ExecCGI -Includes +MultiViews
		AllowOverride All
		<IfModule mod_dav.c>
			DAV Off
		</IfModule>
		<IfDefine !WEBSERVICE_ON>
			Require all denied
			ErrorDocument 403 /customerror/websitesoff403.html
		</IfDefine>
	</Directory>
</VirtualHost>

and I did sudo apachectl restart but https://check-your-website.server-daten.de/?q=files.luo.ma#connections still shows a duplication.

That's the saved result created yesterday. Recheck the domain.

https://validator.w3.org/check?uri=https%3A%2F%2Ffiles.luo.ma%2Fview%2FMacSparky-Shortcuts-for-iOS-13-Shortcuts-Field-Guide.html&charset=(detect+automatically)&doctype=Inline&group=0 still says

500 Can't connect to files.luo.ma:443 (SSL connect attempt failed error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type)

Now there is a recheck of your domain, 8 hours old - https://check-your-website.server-daten.de/?q=files.luo.ma

But it’s again wrong - 4 certificates instead of two:

Chain - duplicate certificates
  1  CN=files.luo.ma
  2  CN=files.luo.ma
  3  CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  4  CN=DST Root CA X3, O=Digital Signature Trust Co.

Did you restart your server?

If yes, share the content of the public certificate you use:

SSLCertificateFile "/etc/certificates/files.luo.ma.33D315BF61ACBBD4068903DDC376DA7E44288693.cert.pem"
