On 2020/12/29 03:37, Chris Bennett wrote:
> I'm not sure when this problem started. I'm running -current for a long
> time and once or twice a week I update.
>
> Everything was working fine for a long time, so except for updating the
> certs using base httpd and then putting Apache back on (removing from
> base httpd.conf first), I wasn't really paying much attention.
>
> I noticed that an HTML validator refused to accept the cert.
> Tried another one and same problem.
>
> I revoked the certs (Let's Encrypt) and got new ones. Didn't help.
The problem is that the full certificate chain is not included.
$ openssl s_client -connect bennettconstruction.us:443 -servername bennettconstruction.us
CONNECTED(00000003)
depth=0 CN = bennettconstruction.us
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = bennettconstruction.us
verify error:num=20:unable to get local issuer certificate
verify return:1
write W BLOCK
---
Certificate chain
0 s:/CN=bennettconstruction.us
i:/C=US/O=Let's Encrypt/CN=R3
---
Server certificate
-----BEGIN CERTIFICATE-----
There should be a second one, like this:
0 s:/CN=bennettconstruction.us
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
For Apache you are probably missing the SSLCertificateChainFile setting.
If you're fetching with acme-client, this config option should point
at a file written with either of these acme-client.conf options:
    domain chain certificate
    domain full chain certificate
Don't use a manually fetched file for this, as it will change from time
to time.
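A quick way to check for the problem described above, from any machine that can reach the server. This is an added example, not part of the original thread: it counts the entries in the "Certificate chain" section of `openssl s_client` output, so a server that sends only its leaf (as in the post) reports 1, while a correctly configured Let's Encrypt host reports at least 2. The hostname example.invalid and the sample outputs are constructed for illustration, not real captures.

```shell
#!/bin/sh
# Added example (not from the original post): detect a missing intermediate
# certificate by counting what the server actually sends.

# count_chain: read `openssl s_client` output on stdin and print the number
# of entries in its "Certificate chain" section (lines like " 0 s:/CN=...").
# The section ends at the first bare "---" line; matching "^---$" rather than
# "^---" keeps "-----BEGIN CERTIFICATE-----" lines from -showcerts output
# from terminating the count early.
count_chain() {
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && /^---$/        { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { n++ }
        END { print n + 0 }
    '
}

# check_chain HOST: probe a live server (needs network). Returns 0 when at
# least one intermediate accompanies the leaf, 1 when only the leaf is sent.
check_chain() {
    host=$1
    n=$(openssl s_client -connect "$host:443" -servername "$host" \
            -showcerts </dev/null 2>/dev/null | count_chain)
    if [ "$n" -ge 2 ]; then
        echo "$host: $n certificates sent, chain looks complete"
        return 0
    fi
    echo "$host: only $n certificate(s) sent, intermediate missing"
    return 1
}

# Constructed sample mirroring the broken server in the post: only the leaf.
BROKEN_OUTPUT="CONNECTED(00000003)
depth=0 CN = example.invalid
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/CN=example.invalid
   i:/C=US/O=Let's Encrypt/CN=R3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...
-----END CERTIFICATE-----"

# Constructed sample of what a correctly configured server sends:
# leaf plus the R3 intermediate.
FIXED_OUTPUT="CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = example.invalid
verify return:1
---
Certificate chain
 0 s:/CN=example.invalid
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...
-----END CERTIFICATE-----"

# Offline demonstration on the constructed samples (prints 1, then 2).
for sample in "$BROKEN_OUTPUT" "$FIXED_OUTPUT"; do
    printf 'chain entries: %s\n' "$(printf '%s\n' "$sample" | count_chain)"
done
```

Against a live host, run `check_chain bennettconstruction.us` after sourcing the script; a result of 1 means Apache is serving the leaf alone, which is exactly what `verify error:num=20` above indicates. Note that since Apache 2.4.8 the full-chain file from acme-client can also be given directly to SSLCertificateFile, which makes SSLCertificateChainFile unnecessary.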