2

I just moved one of my websites to https, using Letsencrypt.

I am using Linux, and my Chromium correctly verifies the website certificate, but Firefox shows it as invalid. I also have an API on the website, and using a simple PHP script (with curl) to test the API also gives an invalid certificate error.

I tried downloading the curl certificate bundle and giving it to my PHP script. No luck, as I found the provided bundle is generated from Mozilla.

The question is, is Letsencrypt really OK to use? Any sources to find more information about this? I don't want my users to see the ugly browser page saying the website is not secure, because I have online payment on the website and it really hurts business.

UPDATE: Here is my sample Apache configuration:

```apache
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
```

And just to mention, I am running CentOS 7 with Apache 2.4.

UPDATE2: I just found that my Android phone also treats the website as invalid. HTC M8, both Chrome and Firefox report an invalid certificate. The phone is updated (Android 6).

I just suspect the configuration is maybe wrong somehow, but why does Chromium on my PC give a green light?

vfsoraki
  • If you're running an online store, you should probably be using a full EV cert - LE doesn't offer any insurance or anything in the event that it does get compromised. LE is mainly intended to prevent casual eavesdropping and increase the proportion of sites that support TLS. Still secure, but no guarantees. – SomeoneSomewhereSupportsMonica Apr 23 '16 at 15:58
  • I have used letsencrypt with all major browsers supporting it without any issue. Make sure you have the server certificate, key, and full chain configured correctly. As regards the EV cert, EV is about trust and not security. Also, I would say if properly configured, Letsencrypt will be much better than a paid certificate. – void_in Apr 23 '16 at 16:00
  • @SomeoneSomewhere thanks, I will look into it. The store belongs to an organization, and they have a bunch of websites. I am trying to convince them to get a multiple domain certificate for all their websites, but now LE just does good. – vfsoraki Apr 23 '16 at 16:18
  • @void_in I have updated answer with my Apache configuration. I searched and found the configuration to be used by people. So I assume it should be correct. – vfsoraki Apr 23 '16 at 16:20
  • The configuration is incorrect. SSLCertificateFile should contain the server.crt file you received while the fullchain.pem should be in the SSLCertificateChainFile directive. – void_in Apr 23 '16 at 16:23
  • @void_in But the documentation says SSLCertificateChainFile is obsolete, instead use SSLCertificate file. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile – vfsoraki Apr 23 '16 at 16:26
  • Ah. Didn't use Apache 2.4 before. I have done this on Apache 2.2. From the description, you need to do this: cat server.pem fullchain.pem > mycert.pem. Then set the SSLCertificateFile to mycert.pem. – void_in Apr 23 '16 at 16:28
  • @void_in I already have 3 files `cert.pem`, `chain.pem`, and `fullchain.pem` in domain directory. The relation is like `cat cert.pem chain.pem > fullchain.pem`, so I assume what you say is already done in `fullchain.pem`. Interesting. – vfsoraki Apr 23 '16 at 16:34

1 Answer

4

> I just suspect the configuration is maybe wrong somehow, but why does Chromium on my PC give a green light?

If you check your site with SSLLabs you will probably see that it has chain issues, i.e. it is missing an intermediate certificate. Chrome on Desktop tries to fill in missing certificates by itself and thus works. Firefox will only fill in a missing intermediate if it knows it from some earlier visit to some other site. Mobile browsers will usually not try to work around server side misconfiguration this way, and neither do PHP, Python, Java... .

Steffen Ullrich
  • You are right, there is a chain issue. After analysis, SSLLabs says `Incomplete` for `Chain Issues`. Also, in `Certificate Paths`, the second certificate (LE itself) is marked with `Extra Download`. I don't get it clearly, can you explain it a bit please? In the meantime, your answer is correct. – vfsoraki Apr 23 '16 at 17:35
  • @thelastblack: Your server has a wrong configuration in that it is not sending all necessary intermediate certificates. Hard to tell what exactly the problem is without having access to the server configuration. Typical errors are a missing certificate or a wrong certificate in the chain. But such details would be a question for serverfault.com anyway, and in fact there are [lots of questions there](https://www.google.de/search?q=serverfault+missing+intermediate+certificate+apache) which already deal with this problem. – Steffen Ullrich Apr 23 '16 at 17:40
  • I don't get it. The Apache docs say `SSLCertificateFile` should also load intermediate certificates. But I just changed `SSLCertificateFile` to `cert.pem` and `SSLCertificateChainFile` to `chain.pem` and restarted Apache, and it worked. `fullchain.pem` is a concatenation of those files, so based on the docs it should have worked too. – vfsoraki Apr 23 '16 at 18:12
  • @thelastblack: I have no idea which version of apache you are running but according to [the documentation](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#page-header) you would need at least version 2.4.8 if you want to include the chain into `SSLCertificateFile`. Apart from that again: details on the configuration are off-topic here and on-topic at serverfault.com. – Steffen Ullrich Apr 23 '16 at 18:15
  • The last off-topic comment: my Apache version is 2.4.6 :) – vfsoraki Apr 23 '16 at 18:20
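The missing-intermediate problem described in this answer can be caught on the server before any client sees it. The script below is an added example for this thread, not code from the question, the answer or Let's Encrypt; it assumes only the `openssl` command-line tool. It splits a PEM bundle such as `fullchain.pem` into its individual certificates, checks that each one is issued by the next (leaf first, then intermediates), and then asks `openssl verify` to build a path to a given root using only the intermediates actually present in the bundle, which is effectively what Firefox, Android and curl do. Point it at the bundle you intend to serve plus the root you expect clients to already trust; the root itself is never sent by the server.

```shell
# check_chain.sh: sanity-check a PEM bundle (e.g. Let's Encrypt's fullchain.pem)
# before pointing Apache at it, so a missing or mis-ordered intermediate is found
# locally instead of by Firefox, Android or a PHP/curl client.
# Added helper for this thread, not from the question or answer; needs only openssl.
#
# Usage: check_chain BUNDLE.pem ROOT.pem
#   BUNDLE.pem  what the server will send: leaf first, then intermediates
#   ROOT.pem    the trust anchor clients already have (the root is never sent)
# Exit status 0 means the chain is complete and in the expected order.

# Print the subject or issuer of one certificate without the "subject="/"issuer=" prefix.
cert_name() {  # $1 = subject|issuer, $2 = certificate file
    openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}

check_chain() {
    bundle=$1 root=$2
    work=$(mktemp -d) || return 1

    # Split the bundle into cert-1.pem, cert-2.pem, ... preserving file order.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    count=$(ls "$work"/cert-*.pem 2>/dev/null | wc -l | tr -d ' ')
    if [ "$count" -lt 1 ]; then
        echo "no certificates found in $bundle"; rm -rf "$work"; return 1
    fi

    # Order check: certificate i must be issued by certificate i+1.
    # openssl verify alone does not care about order, but TLS clients may.
    i=1
    while [ "$i" -lt "$count" ]; do
        j=$((i + 1))
        issuer=$(cert_name issuer "$work/cert-$i.pem")
        subject=$(cert_name subject "$work/cert-$j.pem")
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $i is issued by '$issuer' but certificate $j is '$subject'"
            rm -rf "$work"; return 1
        fi
        i=$j
    done

    # Completeness check: verify the leaf up to ROOT using only the intermediates
    # that are really in the bundle. Desktop Chrome would fetch a missing one via
    # the AIA URL in the leaf; most other clients will not.
    if [ "$count" -gt 1 ]; then
        i=2
        while [ "$i" -le "$count" ]; do
            cat "$work/cert-$i.pem"; i=$((i + 1))
        done > "$work/intermediates.pem"
        openssl verify -CAfile "$root" -untrusted "$work/intermediates.pem" "$work/cert-1.pem"
    else
        openssl verify -CAfile "$root" "$work/cert-1.pem"
    fi
    status=$?
    rm -rf "$work"
    return "$status"
}

# Run directly as "sh check_chain.sh BUNDLE.pem ROOT.pem"; does nothing when sourced.
if [ $# -eq 2 ]; then
    check_chain "$1" "$2"
fi
```

A bundle that passes here still has to reach the client. As the comments above establish, with Apache 2.4.6 the chain contained in `fullchain.pem` is not served from `SSLCertificateFile`, so `cert.pem` goes in `SSLCertificateFile` and `chain.pem` in `SSLCertificateChainFile`; from 2.4.8 on, `fullchain.pem` in `SSLCertificateFile` is enough. After restarting, an SSLLabs scan showing no `Extra Download` in the certificate path confirms the intermediate is now being sent.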