SSL chain verification problems
You're missing the certificate chain. Follow GoDaddy's instructions and make sure you install their intermediate certificates (also commonly called a chain or bundle).
GoDaddy supports Internet Censorship. You should seriously reconsider funding them. Especially when you can get SSL Certificates for Free.
For Apache 2.2.x, you need all three of the following (for a standard configuration):
SSLCertificateFile /path/to/public/key_file
SSLCertificateKeyFile /path/to/private/key_file
SSLCertificateChainFile /path/to/chain/file
You're likely missing that last one.
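The check a practitioner wants before and after fixing that directive, as an added example (not from the answer above, and not GoDaddy's or Apache's own tooling): a POSIX shell script that builds a throwaway root, intermediate and leaf with the openssl CLI, then runs the same path validation an external checker such as SSL Labs performs, once with only the leaf (the "can't find the Root CA" failure) and once with the chain file offered as well, plus a sanity check that the chain file really is the leaf's issuer. Every subject, hostname (secure.example.test) and file name here is invented; the only requirement is openssl on PATH. Against a real server the equivalent probe is `openssl s_client -connect host:443 -servername host -showcerts </dev/null`, which prints every certificate the server actually sends rather than what a browser quietly patches in from its own built-in intermediates.

```shell
#!/bin/sh
# Added example: reproduce an incomplete-chain failure offline with a
# throwaway PKI. All subjects, hostnames and file names here are invented.
# Requires the openssl CLI.

# Build root -> intermediate -> leaf under directory $1.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:secure.example.test\n' > "$dir/leaf.ext"

    # Root: self-signed; stands in for the root a verifier holds in its trust store.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" >/dev/null 2>&1

    # Intermediate: signed by the root; the role the CA's bundle file plays.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.crt" >/dev/null 2>&1

    # Leaf: signed by the intermediate; what goes in SSLCertificateFile.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=secure.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" >/dev/null 2>&1
}

# Verifier with only the root trusted and nothing else in hand: this is what an
# external checker sees when Apache sends just the leaf (no SSLCertificateChainFile).
verify_leaf_only() {
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Same verifier, with the contents of the chain file ($2) offered as untrusted
# intermediates, the way a server-sent chain is.
verify_with_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/leaf.crt" >/dev/null 2>&1
}

# Sanity check for SSLCertificateChainFile: the first certificate in the chain
# file ($2) must be the one that issued the leaf, otherwise it is the wrong bundle.
chain_issues_leaf() {
    leaf_issuer=$(openssl x509 -noout -issuer -in "$1/leaf.crt")
    chain_subject=$(openssl x509 -noout -subject -in "$2")
    [ "${leaf_issuer#issuer=}" = "${chain_subject#subject=}" ]
}

# Number of PEM certificates in a bundle (a CA bundle normally carries more than one).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Stand-alone demo; the three outcomes mirror leaf-only, correct chain, wrong chain.
demo_chain_check() {
    tmp=$(mktemp -d) || return 1
    make_test_pki "$tmp"
    if verify_leaf_only "$tmp"; then
        echo "leaf only:           OK"
    else
        echo "leaf only:           FAIL  (chain incomplete, the checker's complaint)"
    fi
    if verify_with_chain "$tmp" "$tmp/int.crt"; then
        echo "leaf + chain file:   OK"
    else
        echo "leaf + chain file:   FAIL"
    fi
    if verify_with_chain "$tmp" "$tmp/root.crt"; then
        echo "leaf + wrong bundle: OK"
    else
        echo "leaf + wrong bundle: FAIL  (bundle does not contain the leaf's issuer)"
    fi
    rm -rf "$tmp"
}

demo_chain_check
```

Run it as `sh chain_check.sh`. The third case is the one to watch for when a bundle from the CA is swapped in without checking it: a chain file that does not contain the leaf's issuer makes the server-sent chain just as incomplete as no chain file at all, which is exactly what chain_issues_leaf catches before Apache is restarted.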
Updated on September 18, 2022
Comments
-
jemminger over 1 year
I've installed a new SSL certificate using SHA2 hashing instead of SHA1. My chain checks out using these online verifiers:
However this one tells me it can't find the Root CA:
How do I fix this?
Edit: Derp, here's the URL: secure.symt.us
This is on Apache2 on CentOS.
I have followed GoDaddy's setup instructions to the letter and restarted the server.
Edit 2, apache vhost conf:
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2.crt
==== [SOLVED] ====
The problem turned out to be that my vhost was defined as
<VirtualHost *:443>
Changing it to the server's IP address
<VirtualHost xx.xx.xx.xx:443>
fixed it. There was a catch-all default
<VirtualHost _default_:443>
albeit without an SSLCertificateChainFile directive. Grepping /etc/httpd for SSLCertificateChainFile returned only my directive. Perhaps Apache has its own default SSLCertificateChainFile internally and refused to send mine when configured as *:443?
-
jemminger almost 11 years
I've followed their instructions to the letter and I still have the error. Any ideas?
-
Philip almost 11 years
What version of IIS are you running?
-
jemminger almost 11 years
Hi Chris, Apache 2 on CentOS, not IIS.
-
Philip almost 11 years
See edit. Post your SSL* configuration lines if that's not the case.
-
jemminger almost 11 years
vhost conf posted.
-
Philip almost 11 years
Must have the wrong chain file: certs.godaddy.com/anonymous/… Running
sha1 /path/to/chain/file
should return "C62FE90D242CA64F1FFD82BFCAAC1AEF41BDD21D".
-
jemminger almost 11 years
OK, I've updated the chain directive to point to the correct file (gdig2.crt) and I've verified the sha1 hash and I've restarted the server, and I STILL get the same error from ssllabs.com/ssltest argh. Chrome is reporting the proper intermediate cert though, what the heck is going on?
-
Philip almost 11 years
You cleared the cache on SSL labs to be sure you're actually retesting? Chrome has many intermediate certificates built-in, for misconfigured servers. If SSL labs still reports a problem you must have another SSLCertificateChainFile directive somewhere in your configuration. The stock httpd.conf in many Linux distros comes with a lot of weird stuff. Running
httpd -S
will dump the whole configuration as Apache sees it; running it through a
grep -i chain
might reveal what's going on.
-
jemminger almost 11 years
Yep, was clearing the cache each time. So I finally found it: using httpd -S showed me that there was a default 443 host, although there were no SSLCertificateChainFile rules other than my one. I remembered having trouble with another SSL server that was using *:443 for the vhost which was resolved by using the IP address. I changed this vhost to use the server's IP, and now it's reporting OK all the way through. Thanks for your help!