On Tue, Dec 29, 2020 at 01:50:52PM +0000, Stuart Henderson wrote:
> On 2020/12/29 03:37, Chris Bennett wrote:
> > I'm not sure when this problem started. I'm running -current for a long
> > time and once or twice a week I update.
> >
> > Everything was working fine for a long time, so except for updating the
> > certs using base httpd and then putting Apache back on (removing from
> > base httpd.conf first), I wasn't really paying much attention.
> >
> > I noticed that an HTML validator refused to accept the cert.
> > Tried another one and same problem.
> >
> > I revoked the certs (Let's Encrypt) and got new ones. Didn't help.
> 
> The problem is that the full certificate chain is not included.
> 

Right now, that's not what I get. See below.
> $ openssl s_client -connect bennettconstruction.us:443 -servername bennettconstruction.us
> CONNECTED(00000003)
> depth=0 CN = bennettconstruction.us
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = bennettconstruction.us
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> write W BLOCK
> ---
> Certificate chain
>  0 s:/CN=bennettconstruction.us
>    i:/C=US/O=Let's Encrypt/CN=R3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> 
> There should be a second one like this
> 
>  0 s:/CN=bennettconstruction.us
>    i:/C=US/O=Let's Encrypt/CN=R3
>  1 s:/C=US/O=Let's Encrypt/CN=R3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3

I'm not getting:
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3


$ openssl s_client -connect bennettconstruction.us:443 -servername bennettconstruction.us

gives me:

depth=0 CN = bennettconstruction.us
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = bennettconstruction.us
verify error:num=20:unable to get local issuer certificate
verify return:1
CONNECTED(00000005)
write W BLOCK
---
Certificate chain
 0 s:/CN=bennettconstruction.us
   i:/C=US/O=Let's Encrypt/CN=R3
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=bennettconstruction.us
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 2544 bytes and written 411 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 11C6D445CEB191EA74FFE34C108224B336EEA02838C9D88F300B5A6E568570E5
    Session-ID-ctx: 
    Master-Key: Snip
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1609312625
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
closed

I lowered the encryption to the most permissive to rule out any problems
with other software being out of date. Didn't help. Might have done that
after sending this thread.

---------------------------------------------------------------------------
> For Apache you are probably missing setting SSLCertificateChainFile,
> if you're fetching with acme-client then this config option should point
> at a file written with either of these options
> 
>        domain chain certificate
>        domain full chain certificate
> 

So, as far as I can see, there is:
/etc/ssl/cert.pem
/etc/acme/letsencrypt-privkey.pem (I didn't notice this file until
looking at acme-client.conf)
Are there any other files I didn't notice?

> Don't use a manually fetched file for this as it will change from time
> to time.

OK, didn't know that. Thanks.

I'll play around with this new info and see what I get. I'll post
whatever works or fails either way.
I'll also do some more reading, but not on the Apache site. I hate to
criticize, but the documentation there just isn't maintained and is very
dated.

Appreciate the help.
Chris Bennett
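As an added example (not part of the thread), here is a small sh/awk filter that tells apart the two usual causes of "verify error:num=20" in the s_client output above: a server that sends only its leaf (the Apache SSLCertificateChainFile case) versus a client whose trust store lacks the issuer of a complete chain. The sample inputs are constructed from the chain listings quoted in the thread; the function name and verdict labels are my own.

```shell
# Added example (not from the thread): classify "verify error:num=20" output
# from openssl s_client fed on stdin, e.g.
#   openssl s_client -connect host:443 -servername host </dev/null 2>&1 | chain_diagnose
chain_diagnose() {
    awk '
        # each "verify error" line is preceded by "depth=N <subject>"
        /^depth=/ { split($1, a, "="); depth = a[2] + 0 }
        # keep the shallowest depth at which error 20 appeared
        /^verify error:num=20/ { if (!seen || depth < err_depth) err_depth = depth; seen = 1 }
        # "Certificate chain" entries look like " N s:<subject>" then "   i:<issuer>"
        /^ *[0-9]+ s:/ { ncerts++ }
        /^ *i:/ && ncerts > 0 { sub(/^ *i:/, ""); issuer[ncerts - 1] = $0 }
        END {
            if (!seen) {
                print "OK: no verify error 20, chain verified against the local store"
            } else if (err_depth == 0 && ncerts == 1) {
                print "LEAF_ONLY: server sent 1 certificate; its issuer " issuer[0] " is not in the chain (server-side fix: SSLCertificateChainFile / full chain certificate)"
            } else {
                iss = (err_depth in issuer) ? issuer[err_depth] : "(unknown)"
                print "UNTRUSTED_ISSUER: " ncerts " certificates sent; issuer " iss " at depth " err_depth " is not in the local trust store"
            }
        }'
}
# Constructed sample modelled on the thread: one cert, error at depth 0
sample_leaf_only() {
    cat <<'EOF'
depth=0 CN = bennettconstruction.us
verify error:num=20:unable to get local issuer certificate
verify return:1
Certificate chain
 0 s:/CN=bennettconstruction.us
   i:/C=US/O=Let's Encrypt/CN=R3
EOF
}
# Constructed sample: intermediate present, but the client lacks the root
sample_untrusted_root() {
    cat <<'EOF'
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:/CN=bennettconstruction.us
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
EOF
}
```

Run `sample_leaf_only | chain_diagnose` to see the verdict for the output quoted above; the same filter also works on live s_client output once the server has been reconfigured.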

