I've installed a new SSL certificate using SHA2 hashing instead of SHA1. My chain checks out using these online verifiers:

However this one tells me it can't find the Root CA:

How do I fix this?

Edit: Derp, here's the URL: secure.symt.us

This is on Apache2 on CentOS.

I have followed GoDaddy's setup instructions to the letter and restarted the server.

Edit 2, apache vhost conf:

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2.crt

==== [SOLVED] ====

The problem turned out to be that my vhost was defined as <VirtualHost *:443>. Changing it to the server's IP address <VirtualHost xx.xx.xx.xx:443> fixed it.

There was a catch-all default <VirtualHost _default_:443> albeit without an SSLCertificateChainFile directive. Grepping /etc/httpd for SSLCertificateChainFile returned only my directive.

Perhaps Apache has its own default SSLCertificateChainFile internally and refused to send mine when configured as *:443?

jemminger
  • 125
  • 2
  • 8

4 Answers

4

You're missing the certificate chain. Follow GoDaddy's instructions and make sure you install their intermediate certificates (commonly called a chain or bundle as well).

GoDaddy supports Internet Censorship. You should seriously reconsider funding them. Especially when you can get SSL Certificates for Free.


For Apache 2.2.x, you need all three of the following (for a standard configuration)

SSLCertificateFile /path/to/public/key_file
SSLCertificateKeyFile /path/to/private/key_file
SSLCertificateChainFile /path/to/chain/file

You're likely missing that last one.

Chris S
  • 77,337
  • 11
  • 120
  • 212
  • I've followed their instructions to the letter and I still have the error. Any ideas? – jemminger Jun 09 '13 at 22:51
  • What version of IIS are you running? – Chris S Jun 10 '13 at 13:01
  • Hi Chris, Apache 2 on CentOS, not IIS. – jemminger Jun 10 '13 at 17:36
  • See edit. Post your SSL* configuration lines if that's not the case. – Chris S Jun 10 '13 at 18:33
  • vhost conf posted. – jemminger Jun 11 '13 at 14:14
  • Must have the wrong chain file: https://certs.godaddy.com/anonymous/repository.pki?streamfilename=gdig2.crt&actionMethod=anonymous%2Frepository.xhtml%3Arepository.streamFile%28%27%27%29&cid=179406 Running `sha1 /path/to/chain/file` should return "C62FE90D242CA64F1FFD82BFCAAC1AEF41BDD21D". – Chris S Jun 11 '13 at 14:35
  • OK, I've updated the chain directive to point to the correct file (gdig2.crt) and I've verified the sha1 hash and I've restarted the server, and I STILL get the same error from ssllabs.com/ssltest argh. Chrome is reporting the proper intermediate cert though, what the heck is going on? – jemminger Jun 11 '13 at 16:08
  • You cleared the cache on SSL labs to be sure you're actually retesting? Chrome has many intermediate certificates built-in, for misconfigured servers. If SSL labs still reports a problem you must have another SSLCertificateChainFile directive somewhere in your configuration. The stock `httpd.conf` in many Linux distros comes with a lot of weird stuff. Running `httpd -S` will dump the whole configuration as Apache sees it; running it through a `grep -i chain` might reveal what's going on. – Chris S Jun 11 '13 at 16:47
  • Yep, was clearing the cache each time. So I finally found it: using httpd -S showed me that there was a _default_ 443 host, although there were no SSLCertificateChainFile rules other than my one. I remembered having trouble with another SSL server that was using *:443 for the vhost which was resolved by using the IP address. I changed this vhost to use the server's IP, and now it's reporting OK all the way through. Thanks for your help! – jemminger Jun 11 '13 at 17:45
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/9202/discussion-between-jemminger-and-chris-s) – jemminger Jun 11 '13 at 17:53
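The diagnosis Chris S describes in the comments (dump the configuration with `httpd -S`, then grep for the chain directive) and the overlap the asker found (a distro `_default_:443` host defined before the site's own `*:443` host) can be reproduced offline. The script below is an added example, not code from the thread or from the Apache project: it parses a constructed ssl.conf, lists every TLS vhost that lacks one of the three directives Chris S names, and applies Apache's address-matching rule (a vhost bound to the exact IP wins over wildcards; `_default_` is an alias for `*`, and among overlapping wildcard hosts on 2.2 without SNI name matching the first one defined answers) to show which vhost would serve a connection before and after the accepted fix. The configuration text, hostnames, file paths and the address 192.0.2.10 are all constructed; directives are matched in their canonical spelling and `Include` files are not followed.

```python
import re

# Constructed sample modelled on the thread: a distro-style _default_:443 host
# (no SSLCertificateChainFile) defined before the site's own *:443 host.
SAMPLE_CONFIG = """\
Listen 443
<VirtualHost _default_:443>
    ServerName localhost
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>

<VirtualHost *:443>
    ServerName secure.example.test
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    SSLCertificateChainFile /etc/pki/tls/certs/gdig2.crt
</VirtualHost>
"""

# The accepted fix: bind the site's host to the server IP
# (192.0.2.10 is a documentation address, used here as a placeholder).
FIXED_CONFIG = SAMPLE_CONFIG.replace("<VirtualHost *:443>", "<VirtualHost 192.0.2.10:443>")

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
# Directives are matched in their canonical spelling (assumption for this example).
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|SSLEngine|SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile)\s+(\S+)",
    re.M,
)
WILDCARDS = {"*", "_default_"}
REQUIRED = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")


def parse_vhosts(text):
    """Extract each <VirtualHost host:port> block with its ServerName/SSL* directives.
    Assumes the 'host:port' address form (no bracketed IPv6) and no Include files."""
    hosts = []
    for m in VHOST_RE.finditer(text):
        host, _, port = m.group(1).strip().rpartition(":")
        directives = {}
        for d in DIRECTIVE_RE.finditer(m.group(2)):
            directives[d.group(1)] = d.group(2)  # a later directive overrides an earlier one
        hosts.append({"host": host, "port": port, "directives": directives})
    return hosts


def select_vhost(hosts, ip, port="443"):
    """Apache address matching: a host bound to the exact IP beats wildcard hosts;
    among overlapping wildcard hosts the first one defined wins (2.2 without SNI)."""
    same_port = [h for h in hosts if h["port"] == port]
    for h in same_port:
        if h["host"] == ip:
            return h
    for h in same_port:
        if h["host"] in WILDCARDS:
            return h
    return None


def audit(text, ip):
    """Return (ServerName that answers ip:443, list of findings). Findings cover TLS hosts
    missing any of the three directives and a chosen host that sends no intermediate chain."""
    hosts = parse_vhosts(text)
    findings = []
    for h in hosts:
        d = h["directives"]
        if h["port"] != "443" or d.get("SSLEngine", "off").lower() != "on":
            continue
        missing = [k for k in REQUIRED if k not in d]
        if missing:
            findings.append(f"{h['host']}:{h['port']} ({d.get('ServerName', '?')}) lacks {', '.join(missing)}")
    chosen = select_vhost(hosts, ip)
    if chosen is None:
        findings.append(f"no vhost serves {ip}:443")
    elif "SSLCertificateChainFile" not in chosen["directives"]:
        findings.append(f"a connection to {ip}:443 lands on {chosen['host']}:443, which sends no intermediate chain")
    return (chosen["directives"].get("ServerName") if chosen else None), findings


if __name__ == "__main__":
    for label, cfg in (("before fix", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        served, findings = audit(cfg, "192.0.2.10")
        print(f"{label}: {served} answers 192.0.2.10:443")
        for f in findings:
            print("  -", f)
```

On the sample, the "before" run shows the connection landing on the `_default_` host, which never sends the intermediate, which is exactly what an external checker would report while a browser with a built-in copy of the intermediate shows no error. On a live server the equivalent checks are `httpd -S` (or `apachectl -S`) for the vhost layout and `openssl s_client -connect host:443 -showcerts` to see which certificates are actually sent.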
0

Your server is not properly configured to send the required intermediate certificate. See this answer for a more detailed description of why this is a problem, and why you (or even some SSL verifiers) may not notice it during testing.

The missing certificate in your case is http://certificates.godaddy.com/repository/gdig2.crt.

The SSL Labs online test shows this problem as a warning (and, BTW, finds several other problems with your server configuration).

Sergey Vlasov
  • 6,088
  • 1
  • 19
  • 30
-1

I have the same trouble: when I view the site on Android, the page shows a certificate error. I tested the page with https://www.sslshopper.com/ssl-checker.html and the chain is broken; after a few tests I used this certificate http://certificates.godaddy.com/repository/gdig2.crt as the intermediate certificate for the SSLCertificateChainFile property. All my hosts are configured this way and it works perfectly.

-1

The problem took me hours of work. I had a wildcard certificate from Global Sign; see www.unfallkassesachsn.de. My mistake: I configured the SSL ... File directives in vhosts.d. After doing this in ssl-global.conf I got an A from Qualys.