greyltc/docker-owncloud

The SSL documentation sucks (especially with regard to file names)

torwag opened this issue · 6 comments

Hi,
after getting a Let's Encrypt certificate, I copied the files to the correct location.
It worked for Firefox under Linux.
However, under Android, I constantly get messages that the certificate is not trusted.
I checked with an online SSL tool and it tells me that my server (the owncloud container) does not provide the entire chain.

"This server's certificate chain is incomplete"
Extra download: Let's Encrypt Authority X1
Fingerprint SHA1: XXXXXXXXXXXXXXXXXXX
Pin SHA256: XXXXXXXXXXXXXXXXX=
RSA 2048 bits (e 65537) / SHA256withRSA

Furthermore, I read that I would have to use the fullcert.pem. However, there is nothing like that.
Any ideas what to do now?

BTW, the filenames coming from Let's Encrypt and the filenames expected by owncloud are different. The wiki and readme just say copy the files from A to B, which is a bit misleading, since stupid people like me get confused since they can't find those files. It would be helpful to shortly mention which file needs to be copied and renamed to which.

Sorry for my poor documentation. I've got to fix that up for sure. Thanks for pointing that out. Here are the relevant file names. The order of the files is the same in both lists below.

Let's Encrypt fetches files named:
cert.pem
privkey.pem
chain.pem

Apache in my container is configured to look for files named:
server.crt
server.key
server.chain

I hope that helps.

Well, no need to excuse. It is not like I paid a big amount of cash .... I am very happy with the container and thus I am happy if I can help to make it even better.

I checked again and it still does not work.
Further investigation showed that no value is set in the following lines of
/etc/httpd/conf/extra/httpd-ssl.conf

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "/root/sslKeys/server.key"
#SSLCertificateKeyFile "/etc/httpd/conf/server-dsa.key"
#SSLCertificateKeyFile "/etc/httpd/conf/server-ecc.key"

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile "/etc/httpd/conf/server-ca.crt"

Thus, SSLCertificateChainFile is not set.
If I understand this correctly, it should be
SSLCertificateChainFile "/root/sslKeys/server.chain"

Furthermore, the Let's Encrypt script returns a fullchain.pem file. If I read this correctly, one could copy and rename fullchain.pem instead of chain.pem to server.chain, providing the Let's Encrypt intermediate keys to those clients which do not have a Let's Encrypt key.

On a second note, why not configure
/etc/httpd/conf/extra/httpd-ssl.conf so that it takes the original filenames provided by the letsencrypt script? One less place to make mistakes and to create possible confusion.

Temporarily adding
SSLCertificateChainFile "/root/sslKeys/server.chain"
seems to work.

However, fullchain.pem seems not to be needed, since it possibly duplicates the server's own key.
At least www.ssllabs.com claims:

Certificates provided: 3 (3752 bytes)
Chain issues: Incorrect order, Extra certs
which is only a warning and not an error/problem.

If I use chain.pem, I get no more warnings. 👍

Thus it seems SSLCertificateChainFile "/root/sslKeys/server.chain" was really missing.
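An added example, not part of this thread or of the docker-owncloud project: it applies the Let's Encrypt-to-Apache name mapping given above and checks the two pitfalls this thread ran into, a server.chain that repeats the server certificate (fullchain.pem copied instead of chain.pem, which is what produces the "Incorrect order, Extra certs" warning) and an SSLCertificateChainFile line that is still commented out. The directory paths and function names are assumptions.

```python
import re
from pathlib import Path

# Let's Encrypt output name -> the name Apache in this container looks for
FILE_MAP = {"cert.pem": "server.crt",
            "privkey.pem": "server.key",
            "chain.pem": "server.chain"}   # chain.pem, not fullchain.pem

_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
_CHAIN_LINE = re.compile(r"^[ \t]*#?[ \t]*SSLCertificateChainFile[ \t]+.*$", re.M)

def pem_blocks(text):
    """Certificate blocks in a PEM file, whitespace stripped so they compare equal."""
    return [re.sub(r"\s+", "", block) for block in _CERT.findall(text)]

def chain_issues(cert_pem, chain_pem):
    """Problems with a (server.crt, server.chain) pair, as human-readable strings."""
    leaf, chain = pem_blocks(cert_pem), pem_blocks(chain_pem)
    issues = []
    if len(leaf) != 1:
        issues.append("server.crt must contain exactly one certificate")
    if not chain:
        issues.append("chain file has no certificates: clients without the intermediate will not trust the server")
    elif leaf and leaf[0] in chain:
        issues.append("chain file repeats the server certificate: fullchain.pem was used instead of chain.pem")
    return issues

def set_chain_directive(conf_text, chain_path):
    """Point SSLCertificateChainFile at chain_path: rewrite the first existing line
    (uncommenting it if it starts with '#'), or append one if the file has none."""
    directive = f'SSLCertificateChainFile "{chain_path}"'
    if _CHAIN_LINE.search(conf_text):
        return _CHAIN_LINE.sub(lambda _: directive, conf_text, count=1)
    return conf_text.rstrip("\n") + "\n" + directive + "\n"

def chain_directive_active(conf_text):
    """True if an uncommented SSLCertificateChainFile line is present."""
    return re.search(r'^[ \t]*SSLCertificateChainFile[ \t]+"[^"]+"', conf_text, re.M) is not None

def install_certs(le_dir, dst_dir):
    """Copy the three Let's Encrypt files under their Apache names (paths are assumptions)
    and return the chain issues found; an empty list means the install is consistent."""
    le_dir, dst_dir = Path(le_dir), Path(dst_dir)
    dst_dir.mkdir(parents=True, exist_ok=True)
    for src, dst in FILE_MAP.items():
        (dst_dir / dst).write_bytes((le_dir / src).read_bytes())
    (dst_dir / "server.key").chmod(0o600)  # private key readable by the owner only
    return chain_issues((dst_dir / "server.crt").read_text(),
                        (dst_dir / "server.chain").read_text())
```

Typical use (assumed paths): `install_certs("/etc/letsencrypt/live/example.org", "/root/sslKeys")`, then write `set_chain_directive(conf, "/root/sslKeys/server.chain")` back to httpd-ssl.conf and reload Apache.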

@torwag, @greyltc, There is currently a bug in the docker-LAMP image that this docker image is built from. The setupApacheSSLScript.sh doesn't currently update the SSLCertificateChainFile line in http-ssl.conf (the sed replacement is missing quotes). I fixed it and submitted PR #4 to the docker-LAMP repo.

I think with a PR today this is all sorted out!