SSLCertificateChainFile is obsolete


Solution 1

Taken from the Apache 2.4 Module mod_ssl documentation:

SSLCertificateFile Directive

The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile.

What this means is that the SSLCertificateFile directive now (after 2.4.8) accepts files with a full certificate chain (from leaf to root). If you have your server certificate in domain.crt and the CA chain file in domain-ca.crt, you'd need to concatenate both files from leaf to root, i.e. starting with your server certificate, as in

cat domain.crt domain-ca.crt > bundle.crt

and use that file inside your site's conf file:

SSLCertificateFile      /path/to/bundle.crt

(For example, using Ubuntu default path, these files will be stored at /etc/apache2/ssl/.)

Solution 2

For Apache 2.4.8, SSLCertificateChainFile has been made obsolete. However, it's just deprecated and not removed, so you may continue to use the older style. However, for Apache versions > 2.4.8, SSLCertificateChainFile will not work.

SSLCertificateChainFile is deprecated

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

source: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#SSLCertificateChainFile

Old Style (Valid on Apache <= 2.4.8)

#SSL Directives
SSLEngine on
SSLCertificateFile /etc/ssl/certs/<mydomain.com>.crt
SSLCertificateKeyFile /etc/ssl/private/<mydomain.com>.key
SSLCertificateChainFile /etc/ssl/certs/<full-chain-bundle>.crt

source: How to Install an SSL Certificate on Apache

New Style (Valid on Apache >= 2.4.8)

#SSL Directives
SSLEngine on
SSLCertificateFile /etc/ssl/certs/<full-chain-bundle>.crt
SSLCertificateKeyFile /etc/ssl/private/<mydomain.com>.key

source: https://codesport.io/lamp-stack-advanced/lets-encrypt-tutorial/#vhost-config

Author: vaindil

Updated on September 16, 2022

Comments

  • vaindil
    vaindil about 1 year

    I'm on Apache 2.4.12, so SSLCertificateChainFile is now obsolete, and any intermediate certificates are supposed to be included in the server certificate file. I cannot figure out how to do this, however: any combination of certificates other than only the site certificate inside the specified file causes an invalid key error. How do I properly include the intermediate certificate inside the file that I specify using SSLCertificateFile?

  • muz the axe
    muz the axe about 7 years
    Didn't work for me. I removed the <mydomain.com>.crt and then the error messages indicated the certificate and key didn't match.
  • Jonathan Y.
    Jonathan Y. over 6 years
    I think what makes this answer a little confusing is that <full-chain-bundle>.crt appears in both the old and new configuration. If I'm not mistaken, in the old configuration only the CA chain would appear in the file called to by SSLCertificateChainFile, whereas in the new configuration the CA chain should be appended to the server certificate, into a full chain, which is called to by SSLCertificateFile. I attempted to clarify that in my answer.
  • membersound
    membersound almost 2 years
    That's indeed the correct solution: aggregate the .crt + ca_bundle.crt, and use it as SSLCertificateFile.
  • membersound
    membersound almost 2 years
    @JonathanY. is right: you have to merge the domain.crt + chain.crt into a bundle.crt, and then use it as SSLCertificateFile in place. It's not sufficient to only use the <full-chain-bundle>.crt alone, which is what this answer suggests!