SSL chain verification problems

5,300

You're missing the certificate chain. Follow GoDaddy's instructions and make sure you install their intermediate certificates (commonly called a chain or bundle as well).

GoDaddy supports Internet Censorship. You should seriously reconsider funding them. Especially when you can get SSL Certificates for Free.


For Apache 2.2.x, you need all three of the following (for a standard configuration):

SSLCertificateFile /path/to/public/key_file
SSLCertificateKeyFile /path/to/private/key_file
SSLCertificateChainFile /path/to/chain/file

You're likely missing that last one.

Author: jemminger

I'm a full-stack Ruby on Rails dev for TxtSignal.com

Updated on September 18, 2022

Comments

  • jemminger
    jemminger over 1 year

    I've installed a new SSL certificate using SHA2 hashing instead of SHA1. My chain checks out using these online verifiers:

    However this one tells me it can't find the Root CA:

    How do I fix this?

    Edit: Derp, here's the URL: secure.symt.us

    This is on Apache2 on CentOS.

    I have followed GoDaddy's setup instructions to the letter and restarted the server.

    Edit 2, Apache vhost conf:

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2.crt
    

    ==== [SOLVED] ====

    The problem turned out to be that my vhost was defined as <VirtualHost *:443>. Changing it to the server's IP address <VirtualHost xx.xx.xx.xx:443> fixed it.

    There was a catch-all default <VirtualHost _default_:443> albeit without an SSLCertificateChainFile directive. Grepping /etc/httpd for SSLCertificateChainFile returned only my directive.

    Perhaps apache has its own default SSLCertificateChainFile internally and refused to send mine when configured as *:443?

  • jemminger
    jemminger almost 11 years
    I've followed their instructions to the letter and I still have the error. Any ideas?
  • Philip
    Philip almost 11 years
    What version of IIS are you running?
  • jemminger
    jemminger almost 11 years
    Hi Chris, Apache 2 on CentOS, not IIS.
  • Philip
    Philip almost 11 years
    See edit. Post your SSL* configuration lines if that's not the case.
  • jemminger
    jemminger almost 11 years
    vhost conf posted.
  • Philip
    Philip almost 11 years
    Must have the wrong chain file: certs.godaddy.com/anonymous/… Running sha1 /path/to/chain/file should return "C62FE90D242CA64F1FFD82BFCAAC1AEF41BDD21D".
  • jemminger
    jemminger almost 11 years
    OK, I've updated the chain directive to point to the correct file (gdig2.crt) and I've verified the sha1 hash and I've restarted the server, and I STILL get the same error from ssllabs.com/ssltest argh. Chrome is reporting the proper intermediate cert though, what the heck is going on?
  • Philip
    Philip almost 11 years
    You cleared the cache on SSL labs to be sure you're actually retesting? Chrome has many intermediate certificates built-in, for misconfigured servers. If SSL labs still reports a problem you must have another SSLCertificateChainFile directive somewhere in your configuration. The stock httpd.conf in many Linux distros comes with a lot of weird stuff. Running httpd -S will dump the whole configuration as Apache sees it; running it through a grep -i chain might reveal what's going on.
  • jemminger
    jemminger almost 11 years
    Yep, was clearing the cache each time. So I finally found it: using httpd -S showed me that there was a default 443 host, although there were no SSLCertificateChainFile rules other than my one. I remembered having trouble with another SSL server that was using *:443 for the vhost which was resolved by using the IP address. I changed this vhost to use the server's IP, and now it's reporting OK all the way through. Thanks for your help!