SSL: Servers certificate chain is incomplete
I bought a PositiveSSL Wildcard from https://www.ssls.com/

I have received 3 files a .ca-bundle a .crt and a .p7b.

I configured the certificates with NGINX but I'm getting an error:

"Servers certificate chain is incomplete"

https://www.ssllabs.com/ssltest/analyze.html?d=api.billgun.com

How can I fix this?

Rackrent answered 14/11, 2017 at 16:2 Comment(2)
Have you included the CA bundle in the file pointed to by your server's ssl_certificate directive? - Bushel
"I configured the certificates with NGINX but I'm getting an error" - it would be more helpful if you not only mentioned the error you got and that you've configured the certificates in NGINX, but also how you've configured the certificates. Because the wrong how is probably the problem. - Philoctetes
There is a tool to automate the procedure of producing a bundle of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver (I'm the author.)

Usage:

cert-chain-resolver -o domain.bundle.pem domain.pem
  • domain.pem is your input certificate
  • domain.bundle.pem is the certificate bundle, that you can use in your web server configuration
Grivet answered 27/4, 2021 at 6:45 Comment(0)
Servers certificate chain is incomplete

means you don't have intermediate certificates, the certificates have expired, or they are in the wrong order.

It looks like you don't have any intermediate certificates: https://www.sslshopper.com/ssl-checker.html#hostname=https://api.billgun.com/.

When you open your site in a browser you will get a green padlock, because browsers can download missing intermediate certificates, but other tools such as curl won't be able to connect:

curl -I 'https://api.billgun.com/'
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

or openssl:

openssl s_client -connect api.billgun.com:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.billgun.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.billgun.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.billgun.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---

The fastest way to generate correct chain is to:

  • open your site in a browser
  • click on green padlock and display certificate properties
  • export every certificate in the chain (in your case, you should get 3 files: -billguncom.crt, COMODORSADomainValidationSecureServerCA.crt, COMODORSACertificationAuthority.crt)
  • combine the files in order from leaf to root cert:

    cat -- -billguncom.crt COMODORSADomainValidationSecureServerCA.crt COMODORSACertificationAuthority.crt > billgun_com.crt
    
  • install new cert on server

  • test the nginx configuration: nginx -t
  • restart the server: service nginx restart
Caribou answered 14/11, 2017 at 17:55 Comment(2)
I tried the "fastest way", grabbed the three files from the browser, combined them, didn't work for me. nginx says x509 certificate routines:X509_check_private_key:key values mismatch - Spalato
@Spalato Did you combine them in the correct order? And does the cert work in a browser? - Caribou
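The answer above leaves the ordering step to the reader, and the follow-up comment shows what goes wrong when it is done by hand: nginx checks ssl_certificate_key against the first certificate in the ssl_certificate file, so a bundle that does not start with the server certificate fails with exactly the X509_check_private_key mismatch quoted there. The script below is an added example, not code from the original post or from cert-chain-resolver: with only the Python standard library it reads every certificate in a PEM file (for instance the .crt and .ca-bundle from the question concatenated in any order), pulls subject and issuer out of each one with a minimal DER walker, rewrites the bundle leaf first, and reports the issuer it cannot find, which is the situation openssl s_client prints as "unable to get local issuer certificate". The fake_cert_pem helper and the example names are constructed fixtures so the block runs offline; they are unsigned skeletons, not real certificates, and real PositiveSSL or COMODO certificates parse the same way.

```python
"""Order a PEM bundle leaf -> root the way nginx wants it, and report a missing
issuer the way 'openssl s_client' would ('unable to get local issuer certificate').
Standard library only: a minimal DER walker pulls subject/issuer out of each cert."""
import base64
import re

CN_OID = b"\x55\x04\x03"          # 2.5.4.3 commonName
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, start, end)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], start, pos + length


def _cn(name_der):
    """Return the commonName inside a DER Name (SEQUENCE OF SET OF SEQUENCE{OID, value})."""
    _, rdns, _, _ = _tlv(name_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn, _, pos = _tlv(rdns, pos)
        _, attr, _, _ = _tlv(rdn, 0)
        _, oid, _, vpos = _tlv(attr, 0)
        if oid == CN_OID:
            return _tlv(attr, vpos)[1].decode("utf-8", "replace")
    return "<no CN>"


def _subject_issuer(der):
    """Walk Certificate -> tbsCertificate; return the raw DER of (subject, issuer).
    Raw bytes are compared, not strings, which is how X.509 path building matches names."""
    _, cert, _, _ = _tlv(der, 0)
    _, tbs, _, _ = _tlv(cert, 0)
    tag, _, _, pos = _tlv(tbs, 0)           # version [0] EXPLICIT (optional) or serialNumber
    if tag == 0xA0:
        _, _, _, pos = _tlv(tbs, pos)       # serialNumber
    _, _, _, pos = _tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, _, i0, i1 = _tlv(tbs, pos)           # issuer Name
    _, _, _, pos = _tlv(tbs, i1)            # validity
    _, _, s0, s1 = _tlv(tbs, pos)           # subject Name
    return tbs[s0:s1], tbs[i0:i1]


def order_chain(pem_text):
    """Return (ordered_cns, missing_issuer_cn, bundle_pem).
    ordered_cns runs leaf -> root; missing_issuer_cn names the issuer the bundle
    lacks (the 'incomplete chain' case), or None when the chain closes at a root."""
    certs = []
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
        subj, issuer = _subject_issuer(der)
        certs.append({"subject": subj, "issuer": issuer, "pem": m.group(0).strip() + "\n"})
    by_subject = {c["subject"]: c for c in certs}
    issuers = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    # The leaf is the non-self-signed cert that issued nothing else in the bundle.
    leaves = [c for c in certs if c["subject"] not in issuers and c["subject"] != c["issuer"]] or certs[:1]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    chain, cur, missing = [], leaves[0], None
    while True:
        chain.append(cur)
        if cur["issuer"] == cur["subject"]:      # self-signed root closes the chain
            break
        cur = by_subject.get(cur["issuer"])
        if cur is None:                          # openssl: unable to get local issuer certificate
            missing = _cn(chain[-1]["issuer"])
            break
    return [_cn(c["subject"]) for c in chain], missing, "".join(c["pem"] for c in chain)


def _der(tag, body):
    """Encode one DER TLV (used only to build the constructed fixtures below)."""
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + ln + body


def fake_cert_pem(subject_cn, issuer_cn, serial):
    """Constructed, UNSIGNED X.509 v3 skeleton: structurally valid enough to exercise
    the walker above, worthless for TLS. The AlgorithmIdentifier is reused as a placeholder."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" * 9))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + alg + name(issuer_cn) + validity + name(subject_cn) + spki)
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Constructed stand-ins for a wildcard leaf, its intermediate CA and the root.
    leaf = fake_cert_pem("*.example.test", "Example Intermediate CA", 3)
    inter = fake_cert_pem("Example Intermediate CA", "Example Root CA", 2)
    root = fake_cert_pem("Example Root CA", "Example Root CA", 1)
    print(order_chain(inter + root + leaf)[0])   # shuffled input comes back leaf, intermediate, root
    print(order_chain(leaf + root)[1])           # intermediate absent: the issuer the server should send
```

On a real server, feed it `cat domain.crt domain.ca-bundle` and write the returned bundle to the file named by ssl_certificate; the chain then starts with the certificate that matches ssl_certificate_key, which is what the key-mismatch comment above was missing. Sending the self-signed root is optional (clients already trust it) and only adds bytes to every handshake, so the intermediate is the certificate that actually has to be present.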

© 2022 - 2024 — McMap. All rights reserved.