Wildcard certificates:- Full chain and key. singles are cert, chain and key

Hi,

We had planned on looking at using Letsencrypt certs when out current wildcard expired in July. This was prematurely invalidated further up the chain and so we (like so many others) had to act quickly to replace our certificates. We managed to get the services on one server running with Letsencrypt certificates before we were issued with a free replacement (with an additional 18 months on it) for the invalidated certificate. On the server we managed to switch over we were issued with a certificate, chain (intermediate) certificate and a key. With the release of wildcard certs I have managed to get us a wildcard certificate issued by Letsencrypt, but we only received a fullchain and key. I have installed these on one service so far and as expected (I have had this issue before) Firefox does not like this setup. Most browsers seem to be able to parse the fullchain and break it down, but Firefox looks at the top of the fullcert, takes the first part off and ignores the rest looking for an independant chain file.To go round this I need to break the fullchain into 2 files which is a pain with autorenewal. I think this is a simple task with a nice script, but I only started in this sector a couple of months ago and still need to aquire the finesse that I see in many of the posts here

I just wondered why the decision was taken to provide 2 files for the wildcards while the standard certificates have 3 files. Is it a change between ACMEv1 and ACMEv2?

Thanks
Alan

fullchain.pem contains the leaf certificate and the intermediate certificate. You may split this file up to gain three files or use fullchain.pem - it should not matter.

The decision is not made upon Let's Encrypt but on the client you use.
It also depends on your webserver software and how you configured it.

I was using Certbot, its probable from what you’ve said @bytecamp that when i got my previous certificate certbot took my existing configuration (which was split into cert, chain, and key, to work with Firefox) and gave me the certificates in the format that I needed. With the wildcard i did not see an option to change the default format. Is there a way to get the wildcard in the cert, chain, key format for renewal as like i said before I have no experience of scripting as yet (of course this is a good place to start) and having to remember to manually split the file every 2 months (or even run a script, the certbot renewal was my first brush with cron and not sure if i have done that right yet as still on first issue of certificate), or sooner (if the validity is shortened as indicated as a possibility in the future) is not something i am confident on.

Hi,

What server are you using?
Because it seems to be a server misconfig.

Nginx? Apache?

Thank you

P.S.
Can you also share us your config file for the vHost you mentioned?

Hi @stevenzhu ,

Running Apache 2.4.6 on Centos 7.3.1611

Configuration before wildcard

<VirtualHost *:443>
SSLEngine on
ServerName service1.domain
DocumentRoot /srv/www/service1.domain/
SSLCertificateFile /etc/letsencrypt/live/service2.domain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/service2.domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/service2.domain/chain.pem

After wildcard

<VirtualHost *:443>
SSLEngine on
ServerName service1.domain
DocumentRoot /srv/www/service1.domain/
SSLCertificateFile /etc/letsencrypt/live/domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
# SSLCertificateChainFile /etc/letsencrypt/live/service2.domain/chain.pem

I did ask certbot to do certonly on the wildcard and edited the service1.conf file to point to the new certificates.
Originally I got 1 cert that covered several services hence the original pathnames.

Hi @raggedyAl,

If you obtained the wildcard certificate using certbot you should have 4 files:

Domain cert /etc/letsencrypt/live/domain/cert.pem
Intermediate cert /etc/letsencrypt/live/domain/chain.pem
Concatenation of cert.pem and chain.pem /etc/letsencrypt/live/domain/fullchain.pem
Private Key /etc/letsencrypt/live/domain/privkey.pem

If you obtained the wildcard cert using a web service or another client you should let us know which one.

In case you already have the 4 files in /etc/letsencrypt/live/domain/ and as you are using Apache 2.4.6 you should modify your Apache conf:

Now:

<VirtualHost *:443>
SSLEngine on
ServerName service1.domain
DocumentRoot /srv/www/service1.domain/
SSLCertificateFile /etc/letsencrypt/live/domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
# SSLCertificateChainFile /etc/letsencrypt/live/service2.domain/chain.pem
</VirtualHost>

After the change:

<VirtualHost *:443>
SSLEngine on
ServerName service1.domain
DocumentRoot /srv/www/service1.domain/
SSLCertificateFile /etc/letsencrypt/live/domain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/domain/chain.pem
</VirtualHost>

If you don't have the 4 files, let me know and I will explain how to split the fullchain.pem file.

Cheers,
sahsanu

Did you modify the configuration or did certbot comment out the CertificateChainFile directive? Because certbot ought to know it shouldn’t do that with Apache before 2.4.8.

@Osiris, no that was me that commented it out.

@sahsanu, i honestly didn’t check the contents of the directory. I just went by the congratulations message I got from certbot (see below). It didn’t give any indication that there were additional files received and as this was how our purchased wildcard cert was received I never thought of looking.
Just taking all references to service2 out of my old config should fix it.

Thanks All
Alan

• Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/domain/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/domain/privkey.pem
  Your cert will expire on 2018-06-14. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew all of your certificates, run
  "certbot renew"

• If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le

So, is it working fine now?

Firefox is a happy browser now

Hello,

changing the Apache-config from

SSLCertificateFile /etc/letsencrypt/live/domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain/privkey.pem

to

SSLCertificateFile /etc/letsencrypt/live/domain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain/chain.pem

also did the trick for me, thanks a lot sahsanu!
However my /etc/letsencrypt directory does not contain an options-ssl-apache.conf file.
Would you mind to post its contents?

Thanks,
Andreas

Hi @ace,

You can get the file here https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/options-ssl-apache.conf but keep in mind that this file could override or conflict with your conf if you have those directives defined already.

Cheers,
sahsanu

Thanks again.
Sure, I just wanted to check the content of that file. (Nothing in it though which had not already been applied to my config…)

Cheers,
Andreas

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.