SSL chain verification problems - Barracuda load balancer


This is because you don't have a chain file on your web server for SSL.

To create a chain file, you have to cat every .crt file and redirect the output to create a new -bundle.crt file.

Here is an example. There are 3 files that I got from the Certificate Authority:

sysadmin@localhost:~/Desktop/certificates$ 
sysadmin@localhost:~/Desktop/certificates$ ls -l
total 12
-rw-r--r-- 1 sysadmin sysadmin 1521 May 30  2000 AddTrustExternalCARoot.crt
-rw-r--r-- 1 sysadmin sysadmin 1757 Feb 16  2012 PositiveSSLCA2.crt
-rw-r--r-- 1 sysadmin sysadmin 1793 Jan 18  2014 STAR_nydomain_com.crt

Cat the files and redirect the output into one new file with a -bundle suffix:

sysadmin@localhost:~/Desktop/certificates$ cat AddTrustExternalCARoot.crt PositiveSSLCA2.crt STAR_nydomain_com.crt > STAR_nydomain_com-bundle.crt 

Here you can see the result of the above command; there is a new file, STAR_nydomain_com-bundle.crt:

sysadmin@localhost:~/Desktop/certificates$ ls -l
total 20
-rw-r--r-- 1 sysadmin sysadmin 1521 May 30  2000 AddTrustExternalCARoot.crt
-rw-r--r-- 1 sysadmin sysadmin 1757 Feb 16  2012 PositiveSSLCA2.crt
-rw-rw-r-- 1 sysadmin sysadmin 5071 Jul 31 12:09 STAR_nydomain_com-bundle.crt
-rw-r--r-- 1 sysadmin sysadmin 1793 Jan 18  2014 STAR_nydomain_com.crt

see the image

Change the SSL entries in the Apache or nginx config as below:

  SSLCertificateFile /etc/apache2/ssl/STAR_nydomain_com.crt
  SSLCertificateKeyFile /etc/apache2/ssl/certificate.key
  SSLCertificateChainFile /etc/apache2/ssl/STAR_nydomain_com-bundle.crt

Restart the web server (Apache or nginx)

This will fix your chain file issue.

This is the result if it works well: the chain result will continue to 4 steps, as in the image below.

Result

Author by

Miguel Resendiz

Updated on September 18, 2022

Comments

  • Miguel Resendiz
    Miguel Resendiz over 1 year

    I've installed a new SSL certificate using SHA1 hashing. I'm using a security certificate by GeoTrust SSL CA - G2, but with WebServices communications I'm getting a PKIX error.

    The following page:

    https://www.geocerts.com/ssl_checker

    is giving me the following message:

    Certificate Chain Complete? A valid Root CA Certificate could not be located, the certificate will likely display browser warnings.

    I hope someone can help me.

    • Babin Lonston
      Babin Lonston almost 10 years
      Which web server are you using? Apache or Nginx?
  • Mathias R. Jessen
    Mathias R. Jessen almost 10 years
    The chain file should only contain intermediate certificates, everything else is a waste of bandwidth
  • Miguel Resendiz
    Miguel Resendiz over 9 years
    That was the problem. I installed the intermediate certificates and restarted the server. It was a Barracuda load balancer.
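
A way to check a chain file before installing it, as an added example that is not part of the original answer or comments: it splits the bundle with awk and uses `openssl x509` to flag a self-signed root or the server certificate sitting in the chain file, and intermediates that are out of order. The function names `audit_chain`, `name` and `fp` are made up here; the script assumes the `openssl` CLI is installed and compares names as strings without verifying signatures.

```shell
#!/bin/sh
# audit_chain LEAF_CERT CHAIN_FILE   (hypothetical helper, added example)
# Prints one finding per line. Returns 0 when the chain file holds only
# intermediates ordered from the leaf's issuer upward, otherwise 1.
# Subject/issuer names are compared as strings; signatures are not verified.

name() { openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed "s/^$2= *//"; }
fp()   { openssl x509 -in "$1" -noout -fingerprint -sha256; }

audit_chain() {
    leaf=$1 chain=$2 rc=0
    tmp=$(mktemp -d) || return 2
    # Split the PEM bundle into one file per certificate: c1.pem, c2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$chain"
    want=$(name "$leaf" issuer)     # subject expected for the next certificate
    leaf_fp=$(fp "$leaf")
    i=1
    while [ -f "$tmp/c$i.pem" ]; do
        c="$tmp/c$i.pem"
        subj=$(name "$c" subject)
        iss=$(name "$c" issuer)
        if [ "$(fp "$c")" = "$leaf_fp" ]; then
            echo "cert $i: server certificate repeated in chain file"; rc=1
        elif [ "$subj" = "$iss" ]; then
            echo "cert $i: self-signed root ($subj), clients already hold it"; rc=1
        elif [ "$subj" != "$want" ]; then
            echo "cert $i: out of order, expected subject $want, found $subj"; rc=1
        else
            want=$iss               # link is good, move one step up the chain
        fi
        i=$((i + 1))
    done
    [ "$i" -gt 1 ] || { echo "no certificates found in $chain"; rc=1; }
    rm -rf "$tmp"
    return $rc
}
```

Call it as `audit_chain STAR_nydomain_com.crt STAR_nydomain_com-bundle.crt`; for a bundle laid out root, intermediate, server certificate, it reports cert 1 as a self-signed root and cert 3 as the repeated server certificate.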