SSL chain verification problems - Barracuda load balancer
This is because you don't have a chain file in your web server for SSL.
To create a chain file, you have to cat every .crt file and redirect the output to create a new -bundle.crt.
Here is an example. There are 3 files that I got from the Certificate Authority:
sysadmin@localhost:~/Desktop/certificates$
sysadmin@localhost:~/Desktop/certificates$ ls -l
total 12
-rw-r--r-- 1 sysadmin sysadmin 1521 May 30 2000 AddTrustExternalCARoot.crt
-rw-r--r-- 1 sysadmin sysadmin 1757 Feb 16 2012 PositiveSSLCA2.crt
-rw-r--r-- 1 sysadmin sysadmin 1793 Jan 18 2014 STAR_nydomain_com.crt
Cat the files and redirect the output into one new file named -bundle:
sysadmin@localhost:~/Desktop/certificates$ cat AddTrustExternalCARoot.crt PositiveSSLCA2.crt STAR_nydomain_com.crt > STAR_nydomain_com-bundle.crt
Here you can see the output of the above command; there is a new file, STAR_nydomain_com-bundle.crt:
sysadmin@localhost:~/Desktop/certificates$ ls -l
total 20
-rw-r--r-- 1 sysadmin sysadmin 1521 May 30 2000 AddTrustExternalCARoot.crt
-rw-r--r-- 1 sysadmin sysadmin 1757 Feb 16 2012 PositiveSSLCA2.crt
-rw-rw-r-- 1 sysadmin sysadmin 5071 Jul 31 12:09 STAR_nydomain_com-bundle.crt
-rw-r--r-- 1 sysadmin sysadmin 1793 Jan 18 2014 STAR_nydomain_com.crt
Change the entry for SSL in the Apache config or nginx config as below:
SSLCertificateFile /etc/apache2/ssl/STAR_nydomain_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/certificate.key
SSLCertificateChainFile /etc/apache2/ssl/STAR_nydomain_com-bundle.crt
Restart the web server (Apache or nginx)
This will fix your chain file issue.
This is the result if it works well; the chain result will continue to 4 steps, like the image below.
Miguel Resendiz
Updated on September 18, 2022
Comments
-
Miguel Resendiz over 1 year
I've installed a new SSL certificate using SHA1 hashing. I'm using a security certificate by GeoTrust SSL CA - G2, but with WebServices communications I'm getting a PKIX error.
The following page:
https://www.geocerts.com/ssl_checker
It's giving me the following message:
Certificate Chain Complete? A valid Root CA Certificate could not be located, the certificate will likely display browser warnings.
I hope someone can help me.
-
Babin Lonston almost 10 years
Which web server are you using? Apache or Nginx?
-
Mathias R. Jessen almost 10 years
The chain file should only contain intermediate certificates, everything else is a waste of bandwidth
-
Miguel Resendiz over 9 years
That was the problem. I installed the intermediate certificates and restarted the server. It was a Barracuda load balancer.
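
Added example, not part of the original answer or comments: a shell script that builds a constructed root, intermediate and leaf with openssl and checks which chain files let a client reach the trusted root, covering both the missing-intermediate failure from the question and the intermediates-only point from the comments. The helper names (make_demo_chain, chain_ok, demo), file names and "Demo" subjects are assumptions for illustration; the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example with constructed data: a throwaway root -> intermediate -> leaf
# chain, used to compare what a client sees for different chain files.
set -eu

make_demo_chain() {  # hypothetical helper; $1 = empty working directory
  d=$1
  # Minimal config so the demo does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$d/demo.cnf"
  newreq() { openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
  newreq -x509 -extensions v3_ca -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt"
  newreq -subj "/CN=Demo Intermediate CA" -keyout "$d/inter.key" -out "$d/inter.csr"
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/demo.cnf" -extensions v3_ca \
    -out "$d/inter.crt" 2>/dev/null
  newreq -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
  # Three candidate chain files a server could be configured with:
  cp "$d/leaf.crt" "$d/chain-leaf-only.pem"                  # intermediate missing
  cp "$d/inter.crt" "$d/chain-intermediate.pem"              # intermediates only
  cat "$d/root.crt" "$d/inter.crt" "$d/leaf.crt" > "$d/chain-everything.pem"
}

# chain_ok ROOT LEAF CHAINFILE: succeeds if LEAF verifies against the trusted
# ROOT using only the untrusted certificates the server supplies in CHAINFILE.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_demo_chain "$d"
  for f in chain-leaf-only.pem chain-intermediate.pem chain-everything.pem; do
    if chain_ok "$d/root.crt" "$d/leaf.crt" "$d/$f"; then r=complete; else r=BROKEN; fi
    printf '%-24s %5s bytes  %s\n' "$f" "$(wc -c < "$d/$f")" "$r"
  done
  rm -rf "$d"
}
demo
```

The same chain_ok check can be pointed at a real certificate, the CA's published root and the chain file you intend to deploy before restarting the server.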