My domain is: outrightsoftware.com
My web server is (include version): Apache/2.4.27
The operating system my web server runs on is (include version): Debian GNU/Linux 8
My hosting provider, if applicable, is: Google
I can login to a root shell on my machine (yes or no, or I don’t know): yes
My website is shown as unsecured by almost all browsers, though the SSL Lab result shows A. I have also tried using fullchain.pem instead of cert.pem, as suggested in one of the forums, with no result.
Please advise.
rg305
November 29, 2017, 9:06am
At this point you are sending the public cert and then the public cert and intermediate chain:
Certificate chain
 0 s:/CN=outrightsoftware.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/CN=outrightsoftware.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Please show the lines in the vhost file where you use the cert files.
Thanks for the quick reply. Mentioned below are the lines from httpd-vhosts.conf:
SSLCertificateFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/cert.pem
SSLCertificateKeyFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/private.pem
SSLCertificateChainFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/fullchain.pem
Can you try this? This is what I use on Apache servers; not sure, though, how you have generated the certs.
SSLCertificateFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/cert.pem
SSLCertificateKeyFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/privkey.pem
SSLCertificateChainFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/chain.pem
This is tried, it was the original config. I changed to fullchain.pem later.
Strange, was worth a shot because I use that on all Apache sites without issue. Did your original config also have privkey.pem instead of private.pem?
My file is stored as private.pem so I have to change it to that.
Does fullchain.pem contain two certificates?
Ok I thought that might be the case.
Your web site shows as secure for me in Firefox, Chrome and Safari ??
I opened it using vi editor, it has two begin and end certificate tags. So I guess yes.
Also no errors with Qualys tests
OK.
Use fullchain.pem with SSLCertificateFile (instead of cert.pem) and comment out SSLCertificateChainFile completely, then you should be right.
@bytecamp his current config does not give me any errors, are you also seeing the site loading as insecure?
No, but I saw double-propagation of the certificate via openssl s_client. Now it seems to be correct at least from that point of view.
Okay, gotcha. I didn’t dig that deep.
Thanks, it is working now. I have also observed that it's working on outrightsoftware.com but not on www.outrightsoftware.com.
You seem to have configured a separate VirtualHost for this domain name, because it sends a self-signed certificate with wrong common name.
$ openssl s_client -connect outrightsoftware.com:443 -servername www.outrightsoftware.com </dev/null | grep -A10 'Certificate chain'
Certificate chain
 0 s:/CN=www.example.com
   i:/CN=www.example.com
Well, I have kept www.* as ServerAlias now. Should it solve the issue?
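An added example, not code from any poster in this thread: a small Python check over the two `openssl s_client` chain listings quoted above that flags the problems diagnosed here, a leaf certificate sent twice and a self-signed default-vhost certificate. The function names are illustrative, and the parser assumes the OpenSSL one-line name format shown in the thread.

```python
import re

# One chain entry: a "<depth> s:<subject>" line followed by an "i:<issuer>" line.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s*i:(.*)$", re.MULTILINE)

# Listings as posted in the thread (OpenSSL 1.0.x one-line name format).
DUPLICATED_LEAF = """Certificate chain
 0 s:/CN=outrightsoftware.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/CN=outrightsoftware.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""
DEFAULT_VHOST = """Certificate chain
 0 s:/CN=www.example.com
   i:/CN=www.example.com
"""


def parse_chain(listing):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY_RE.findall(listing)]


def audit_chain(listing, expected_cn):
    """Return human-readable findings; an empty list means nothing was flagged."""
    chain = parse_chain(listing)
    if not chain:
        return ["no certificates parsed from listing"]
    findings, seen = [], {}
    for depth, subject, issuer in chain:
        # Heuristic: the same subject and issuer twice means one cert was sent twice.
        if (subject, issuer) in seen:
            findings.append(f"depth {depth} repeats depth {seen[(subject, issuer)]}")
        seen.setdefault((subject, issuer), depth)
    _, subject, issuer = chain[0]
    if subject == issuer:
        findings.append("leaf is self-signed")
    # The listing shows no SANs, so only the subject CN can be compared here.
    if f"CN={expected_cn}" not in subject.split("/"):
        findings.append(f"leaf CN does not match {expected_cn}")
    return findings


if __name__ == "__main__":
    print(audit_chain(DUPLICATED_LEAF, "outrightsoftware.com"))
    print(audit_chain(DEFAULT_VHOST, "www.outrightsoftware.com"))
```

Run it against the listing for each name the site answers to (the bare domain and the `www.` alias), since each can be served by a different VirtualHost.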