I’m using Certbot on CentOS 7 to generate certificates, but my SSL test at https://www.ssllabs.com shows an additional, invalid self-signed certificate causing chain issues and dropping my rating to a B.
I tried commenting out the reference to this certificate, but the httpd service fails to restart if I do and there’s no error message provided in the journal:
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
How can I fix this chain issue? Can I remove this self-signed cert somehow?
Edit
Okay, it sounds like I’ve misunderstood what is causing the chain issue and it’s not the local certificate – it’s the "extra download" at step 2 in the certification path with the R3 issuer. Certbot doesn’t seem to be generating a certificate with a complete chain?
2 Answers
My ignorance on certificates aside, I believe the issue I'm experiencing is best described here: https://blog.devgenius.io/lets-encrypt-change-affects-openssl-1-0-x-and-centos-7-49bd66016af3
Since I'm running CentOS 7, I believe I need to use all three of these Apache settings to include the proper intermediate certificates:
Certbot creates several files such that "cert.pem contains the server certificate by itself, and chain.pem contains the additional intermediate certificate or certificates" while "fullchain.pem [contains] … the server certificate … followed by any intermediates".
If you want the full chain (in Apache httpd), use the file named fullchain.
Note LE is currently providing by default a chain that bridges to the DST root which expired last week because this allows old Android clients to work — but it causes some old OpenSSL clients to fail; there are numerous Qs about this here and on other Stacks. You may wish to choose the ‘ISRG’ chain instead; see e.g. "The SSL connection could not be established: System.Security.Authentication.AuthenticationException".
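As an added check (not code from either answer), the following script looks at a vhost's active SSLCertificate*File directives and counts the certificates httpd would actually send, so you can see before restarting whether the "extra download" at SSL Labs will go away. It assumes a Certbot lineage path of /etc/letsencrypt/live/example.com and uses constructed placeholder PEM blocks in place of real certificates; it accepts both the fullchain.pem form and the cert.pem plus SSLCertificateChainFile form, and also flags the case from the question where commenting out localhost.crt leaves the vhost with no certificate at all.

```python
import re

def _pem(label):
    # Constructed placeholder block: only the BEGIN/END markers are meaningful.
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"

LIVE = "/etc/letsencrypt/live/example.com"  # assumed Certbot lineage path
SAMPLE_FILES = {  # constructed stand-ins for Certbot's output files
    f"{LIVE}/cert.pem": _pem("LEAF"),
    f"{LIVE}/chain.pem": _pem("R3-INTERMEDIATE"),
    f"{LIVE}/fullchain.pem": _pem("LEAF") + _pem("R3-INTERMEDIATE"),
}

# Only uncommented directives count: a leading '#' makes the line not match.
DIRECTIVE_RE = re.compile(r"^[ \t]*(SSLCertificate(?:Chain)?File)[ \t]+(\S+)", re.M)

def ssl_directives(conf_text):
    """Active SSLCertificate*File directives of a vhost, as {name: path}."""
    return dict(DIRECTIVE_RE.findall(conf_text))

def count_pem_certs(pem_text):
    return pem_text.count("-----BEGIN CERTIFICATE-----")

def lint_chain(conf_text, files):
    """Explain why httpd would send an incomplete chain (the 'extra download'
    at SSL Labs) or refuse to start. Returns a list of findings; [] means the
    vhost serves the leaf plus at least one intermediate."""
    d = ssl_directives(conf_text)
    cert = d.get("SSLCertificateFile")
    if cert is None:  # e.g. localhost.crt commented out with no replacement
        return ["no active SSLCertificateFile: httpd will not start this vhost"]
    if cert not in files:
        return [f"SSLCertificateFile {cert} does not exist"]
    sent = count_pem_certs(files[cert])
    # httpd >= 2.4.8 loads intermediates from SSLCertificateFile; older builds
    # (CentOS 7 ships 2.4.6) need them in SSLCertificateChainFile instead.
    chain = d.get("SSLCertificateChainFile")
    if chain:
        sent += count_pem_certs(files.get(chain, ""))
    if sent < 2:
        return [f"{cert} yields {sent} certificate(s); clients must fetch the "
                "intermediate themselves: use fullchain.pem or add "
                "SSLCertificateChainFile chain.pem"]
    return []

BAD_CONF = f"SSLCertificateFile {LIVE}/cert.pem\nSSLCertificateKeyFile {LIVE}/privkey.pem\n"
GOOD_CONF = f"SSLCertificateFile {LIVE}/fullchain.pem\nSSLCertificateKeyFile {LIVE}/privkey.pem\n"
COMMENTED_CONF = "#SSLCertificateFile /etc/pki/tls/certs/localhost.crt\n"

if __name__ == "__main__":
    for name, conf in [("bad", BAD_CONF), ("good", GOOD_CONF), ("commented", COMMENTED_CONF)]:
        print(name, lint_chain(conf, SAMPLE_FILES) or "OK")
```

Point it at your real ssl.conf text and the files under /etc/letsencrypt/live/<domain>/ to check a live vhost; it does not validate signatures or expiry, only whether intermediates are configured to be sent.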