Apache SSL "Unable get local issuer certificate" on Debian - apache

I'm using RapidSSL with apache2 (2.2.22-13+deb7u6). I got three files from rapidssl - public.crt, private.key and rapid_intermediate.crt.
My public.crt looks like
-----BEGIN CERTIFICATE-----
MIIErjCCA5agAwIBAgIDBthaMA0GCSqSAwHgYDVQQDExdSYXBpZFNTTCBTSEEy
NTYgQ0EgLSBHMzAeFw0xNTA5MTAwMDU0NTJaFw0xNjA5MTExNTM1NTNaMIGTMRMw
EQYDVQQLEwpHVDM5ODg2NjMwMTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNv
bS9yZXNvdXJjZXMvY3BzIChjKTE1MS8wLQYDVQQLEyZLm1lbG9tYXAuY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvDo9jDb+k/dHqp7FW7dW
V9+W6a1Ut3OKC3wCulac+WG2roxZukuA42LQ4fAY/BDtBkk2UQ5IyFpFzmCiXjBu
...
-----END CERTIFICATE-----
My private.key looks like
-----BEGIN RSA PRIVATE KEY-----
MdddddIBAAKCAQEAvDo9jDb+k/dHqp7FW7dddddddddPvuSy2aEJcHbt2kb6UI
ddddddd7dWVQ84DlVPvuSy2aEJcHbt2kb6UIdddddddddAKCAQEAvDMIIEowIB
...
-----END RSA PRIVATE KEY-----
My RapidSSL intermediate looks like
-----BEGIN CERTIFICATE-----
MIIEZZZZZZZgAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYSSSSSSS1HZW9UcnVzdCBJbmMuMRswGQYDVQQSSSSSZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
...
-----END CERTIFICATE-----
In my apache config,
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/crt/public.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/private.key
SSLCertificateChainFile /etc/apache2/ssl/crt/rapid_intermediate.crt
However, I'm still getting the following errors.
unable to get local issuer certificate
certificate not trusted
unable to verify the first certificate
Please let me know what I did wrong.
Thank you.

Check the chain order; sometimes the chain is unsorted or needs an additional certificate in the chain. If your server is public you can use sslchecker.com to check.

Related

apache 2 ssl configuration

I received the following three sections from RapidSSL
Web Server CERTIFICATE
-----------------
-----BEGIN CERTIFICATE-----
BLABLABLA 1
-----END CERTIFICATE-----
INTERMEDIATE CA:
---------------------------------------
-----BEGIN CERTIFICATE-----
BLABLABLA 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BLABLABLA 3
-----END CERTIFICATE-----
How can I create the 3 files to configure Apache like:
SSLCertificateFile /etc/httpd/conf/ssl.crt/your_leaf_certificate.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/your_domain_name.key
SSLCACertificatePath /etc/httpd/conf/ssl.chain/your_intermediate_chain.crt
I'm expecting to find this
-----BEGIN RSA PRIVATE KEY-----
but can't find it :(
The problem that you have is that you will have to download the certificate bundle from CertCentral. You will have to log in to digicert.com and get your certificates. Click Certificates > Click Orders > select order > download cert.
After you download the certificate, you can use this tool called Utility Tool For Windows Tool
After that, you can import your cert into that tool, and you will be able to export it to be able to get a pem file with your key as an individual file.
If you purchased this certificate through a third-party vendor, I would recommend you get a new CSR and send it to them to make sure they can reissue your certificate.

Comodo Essentials SSL: Vestacp "SSL intermediate chain is not valid"

I'm trying to install Comodo Essential SSL via Vestacp; here's what I did. I opened www_example_com.crt, copied the digest and pasted it into the SSL Certificate box, then opened www_example_com.key (used to generate the SSL at the beginning, which starts with -----BEGIN PRIVATE KEY-----) and pasted the digest into the SSL Key box, then copied the digest of the other 3 files in this order into one file, copied the whole digest and pasted it into the SSL Certificate Authority / Intermediate box, but I get "SSL intermediate chain is not valid":
AddTrustExternalCARoot.crt
USERTrustRSAAddTrustCA.crt
SectigoRSADomainValidationSecureServerCA.crt
Final digest looks like this
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
I checked the certificate and the key and have no issue using https://www.sslshopper.com/certificate-key-matcher.html
I restored a backup, so the key file doesn't exist on the server now. Does it matter? It's the first time I have tried to install SSL, so please assist. Thanks in advance.
The Authority digest must be the content of these files, in this order:
SectigoRSADomainValidationSecureServerCA.crt
AddTrustExternalCARoot.crt
USERTrustRSAAddTrustCA.crt

Multiple SSL Cert Bundles?

My company is wanting to utilize two different types of SSL certificates for our website: one that is using RSA, and one that is ECDSA. The reason is because external services that utilize our site are using code that is very old, so we need to have both for compatibility.
EDIT: We're using Apache 2.4, and both certificates are from the same authority. As such, the Root CAs below are the same, but the intermediates are different because of the RSA/ECDSA difference.
Our Apache config would be as follows:
### RSA cert
SSLCertificateFile /etc/ssl/certs/website_com_rsa.crt
SSLCertificateKeyFile /etc/ssl/private/website_com_rsa.key
### ECDSA cert for compatibility
SSLCertificateFile /etc/ssl/certs/website_com_ecdsa.crt
SSLCertificateKeyFile /etc/ssl/private/website_com_ecdsa.key
### RSA/ECDSA cert bundle
SSLCertificateChainFile /etc/ssl/certs/website_com.ca-bundle
The part I'm not sure about is the CA bundle. My questions are:
Can I use two different SSLCertificateChainFile directives, one for each type (RSA and ECDSA)?
If I can't, then how do I combine the CA bundles from two different certificate bundles into one file? Say I had two CA bundle files ordered like so:
RSA Bundle
-----BEGIN CERTIFICATE-----
...
<rsa-intermediate-1>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<rsa-intermediate-2>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<root-ca>
...
-----END CERTIFICATE-----
ECDSA Bundle
-----BEGIN CERTIFICATE-----
...
<ecdsa-intermediate-1>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<ecdsa-intermediate-2>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<root-ca>
...
-----END CERTIFICATE-----
In what order should they be combined?
From the Apache 2.4 docs for SSLCertificateChainFile, it looks like you would provide the separate chains in the files configured with SSLCertificateFile, i.e. combining the server certificate with its corresponding certificate chain, in the same file.
For example, your /etc/ssl/certs/website_com_rsa.crt might contain multiple certificates, from the server cert up through the root:
-----BEGIN CERTIFICATE-----
...
<website-com-rsa>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<rsa-intermediate-1>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<rsa-intermediate-2>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<root-ca>
...
-----END CERTIFICATE-----
And similarly for your /etc/ssl/certs/website_com_ecdsa.crt file. This would mean not using SSLCertificateChainFile.
Hope this helps!

haproxy: inconsistencies between private key and certificate loaded from PEM file

I am trying to use a certificate signed for another server. I have both the private key and the certificate.
My PEM file order is:
subject=/C=***/L=*****/O=**********/CN=*********
issuer=/C=***/O=*****Inc/CN=********Secure Server CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/O=******** Inc/CN=********* SHA2 Secure Server CA
issuer=/C=US/O=********* Inc/OU=*********/CN=******** Global Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/O=********* Inc/OU=***********/CN=*********** Global Root CA
issuer=/C=US/O=********* Inc/OU=************/CN=******** Global Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
When I tried to deploy it to my haproxy, I got this error.
[ALERT] 188/141626 (2322) : parsing [/etc/haproxy/haproxy.cfg:32] : 'bind *:443' : inconsistencies between private key and certificate loaded from PEM file ................
[ALERT] 188/141626 (2322) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 188/141626 (2322) : Proxy 'www-https': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:32] (use 'crt').
[ALERT] 188/141626 (2322) : Fatal errors found in configuration.
Errors in configuration file, check with haproxy check.
And my haproxy version is:
HA-Proxy version 1.5.2 2014/07/12
Copyright 2000-2014 Willy Tarreau <w#1wt.eu>
I can start my haproxy with a self-signed cert. Why does this inconsistency occur? I am sure that the private key belongs to the certificate.
I've been trying for hours now but I cannot find the reason.
Please help! Thank you!
The order of the certificates in your file is wrong. It seems you are putting the intermediate certificate (i.e. Secure Server CA) first which is thus expected to be the server certificate. The order of the certificates needs to be:
server certificate
server private key (without any password)
intermediate certificate 1
intermediate certificate 2
It's actually not that important where you put the private key. However, the certificates strictly need to be ordered from leaf to root, i.e. first the server certificate, then the intermediate, then its parent. Basically, you put the server certificate first, then its signer, then its signer, ...
For more information, please refer to the documentation.

Install a trusted P7B certificate on Apache

I have received a p7b file from a bank which should be a signed certificate, as a response to a csr file that I have sent.
I have managed to extract a PEM certificate with the following command:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt
The certificate.crt file that I extracted has the following structure:
subject=/C=MK/ST=// ......
issuer=/CN=XXX
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
subject=/CN=XXX
issuer=/CN=XXX
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
I am not an expert on SSL, but I assume that this is a certificate chain, since it has two certificates.
I have configured apache with the following directives:
SSLEngine on
SSLCertificateFile path/to/certs/certificate.crt
SSLCertificateChainFile path/to/certs/certificate.crt
SSLCertificateKeyFile path/to/certs/private.key
Apache serves this properly on https, but the browser does not recognize this as a signed certificate, and gives me that Untrusted connection screen.
Am I doing something wrong, or is the certificate not signed by a trusted authority? Is there a way to check if the certificate is signed properly?
You may use an SSL configuration checker to see if the certificate was installed properly; refer to the links below:
http://www.sslshopper.com/ssl-checker.html
or
https://sslcheck.globalsign.com/en_US
You may also use this link to check who issued the certificate and details of the certificate:
http://www.sslshopper.com/certificate-decoder.html
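As an added example (not code from any of the posts above), here is a stdlib-only Python check for the leaf-to-root order that the haproxy answer describes, run over the annotated subject=/issuer= layout shown in the haproxy and P7B questions (the layout openssl pkcs7 -print_certs writes). The names in the sample bundle are constructed placeholders, and the sample deliberately puts the intermediate first, the same mistake as in the haproxy bundle; reorder() returns the blocks in the order Apache and haproxy expect.

```python
import re

# Constructed sample (placeholder names) in the layout "openssl pkcs7 -print_certs" emits:
# a subject=/issuer= header above each PEM block. The intermediate is first here (wrong).
SAMPLE_BUNDLE = """\
subject=/C=US/O=Example Inc/CN=Example SHA2 Secure Server CA
issuer=/C=US/O=Example Inc/OU=example.com/CN=Example Global Root CA
-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
subject=/C=US/L=Somewhere/O=Example Corp/CN=www.example.com
issuer=/C=US/O=Example Inc/CN=Example SHA2 Secure Server CA
-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
CCCC
-----END RSA PRIVATE KEY-----
"""
BLOCK_RE = re.compile(
    r"subject=\s*(?P<subject>.+?)\s*\nissuer=\s*(?P<issuer>.+?)\s*\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)", re.S)

def parse_bundle(text):
    """Return [(subject, issuer, pem)] in file order; private key blocks are skipped."""
    return [(m["subject"], m["issuer"], m["pem"]) for m in BLOCK_RE.finditer(text)]

def find_leaf(certs):
    """The leaf is the one subject that no certificate in the file names as its issuer."""
    issuers = {i for _, i, _ in certs}
    [leaf] = [s for s, _, _ in certs if s not in issuers]  # ValueError unless exactly one
    return leaf

def check_order(certs):
    """List what is wrong with the order; an empty list means leaf-to-root is correct."""
    problems = []
    leaf = find_leaf(certs)
    if certs[0][0] != leaf:
        problems.append("first certificate is %r, not the leaf %r" % (certs[0][0], leaf))
    for (s, i, _), (next_s, _, _) in zip(certs, certs[1:]):
        if i != next_s:
            problems.append("%r is issued by %r but is followed by %r" % (s, i, next_s))
    return problems

def reorder(certs):
    """Rebuild leaf -> intermediate(s) -> root by following each issuer to its subject."""
    by_subject = {s: (s, i, p) for s, i, p in certs}
    chain, cur = [], by_subject[find_leaf(certs)]
    while cur is not None and cur not in chain:  # stop at a self-signed root or a missing issuer
        chain.append(cur)
        cur = by_subject.get(cur[1]) if cur[1] != cur[0] else None
    return chain
```

Joining the pem fields of reorder()'s result with newlines gives the corrected bundle (for Apache 2.4 that is what goes into SSLCertificateFile, as the multi-cert answer explains). If the last record returned is not self-signed, its issuer must be in the client's trust store; that is the issuer OpenSSL means by "unable to get local issuer certificate" in the first question.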