SSL: CHAIN PROBLEMS! >> GoDaddy + Apache 2.4.23 on WINDOWS 2012 R2

Tags: apache-2.4, certificate, godaddy, ssl, ssl-certificate

Good afternoon all,

I'm totally stuck. Don't know how to follow, and what I'm doing wrong anymore. I hope you could help me with this, as I've read a lot to solve the thing, but without success…

I've:

  • Windows 2012 R2 server
  • Apache 2.4.23 mounted on it, with MOD_JK to proxypass all requests to a Tomcat server on another machine.

I've bought an EXTENDED certificate on GoDaddy, so I can have the "green badge" on URL bar.

Now, I've downloaded the certificate from GoDaddy, and inside the ZIP comes the proper certificate and a G2+G1+ROOT bundle one. So 2 files inside.

Placed them in a folder, and correctly specified them inside the 443 VHOST as you will see next, but every SSL test I do on the internet (SSLLabs, DigiCert…) simply fails on the chaining process.

Site: cliente.merchbanc.es

https://www.ssllabs.com/ssltest/analyze.html?d=cliente.merchbanc.es&hideResults=on

https://www.sslshopper.com/ssl-checker.html#hostname=cliente.merchbanc.es

Don't know what I'm doing wrong…
I've left the HTTPD.CONF as it comes (with the proper and needed modules uncommented, of course), but without anything related to VHOSTS and SSL. And then, in the extra VHOST conf file, I've added all the VHOST things + SSL (so I'm not using the SSL conf file. It is commented. All is in the VHOSTS conf file.).

It looks like this:

##################################################################################################################
# VHOSTS HTTP

# redirect all HTTP to HTTPS (optional)
<VirtualHost *:80>

    ServerAlias *
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]

</VirtualHost>

##################################################################################################################
# VHOSTS HTTPS

Listen 443

# modern configuration, tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol        all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLProxyCipherSuite     ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

SSLPassPhraseDialog     builtin

SSLSessionCache        "shmcb:c:/lala/lele/ssl_scache(512000)"
SSLSessionCacheTimeout  300

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling                      on
SSLStaplingResponderTimeout         5
SSLStaplingReturnResponderErrors    off
SSLStaplingCache                    "shmcb:c:/lala/lele/ocsp(128000)"

<VirtualHost *:443>

    SSLEngine on
    SSLCertificateFile "blah/blahblah/cliente.merchbanc.es/123412341234.crt"
    SSLCertificateKeyFile "blah/blahblah/cliente.merchbanc.es/123412341324.key"
    #SSLCertificateChainFile "blah/blahblah/cliente.merchbanc.es/gd_bundle-g2-g1.crt"
    SSLCACertificatePath "blah/blahblah/cliente.merchbanc.es/GoDaddy_G2"

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

    ...
    ... follows with the ProxyPassing part, but not the case now.
    ...

</VirtualHost>

Following the GoDaddy installation instructions webpage, I've changed the SSLCertificateChainFile directive to the SSLCACertificatePath directive, as I'm using Apache version 2.4.23. But it does not solve anything.

After that, I've decided to download ALL the G2 certificates from here:
https://certs.godaddy.com/repository

and put them all inside the folder specified in the SSLCACertificatePath path: "blah/blahblah/cliente.merchbanc.es/GoDaddy_G2". But that doesn't work either.

And finally, as I'm on Windows, I've decided to go certificate after certificate, double-clicking them and installing them on the server, so they are now inside "Internet Options > Content > Certificates", spread across the various existing tabs. And as usual, it doesn't make a change at all.

Every time, of course, restarting Apache, and after installing the certificates on Windows, even restarting the server itself too.

So, what now?
Hope you can help me, please.

Thanks and kind regards.

Mark.

Best Answer

You need to uncomment the line for the Certificate Chain File

#SSLCertificateChainFile "blah/blahblah/cliente.merchbanc.es/gd_bundle-g2-g1.crt"

Should be:

SSLCertificateChainFile "blah/blahblah/cliente.merchbanc.es/gd_bundle-g2-g1.crt"
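Why that one directive decides the outcome: a browser only trusts the root, so the server has to send the intermediate (the G2 bundle) itself, which is exactly what SSLCertificateChainFile does; with it commented out the leaf arrives alone and validation stops at "unknown issuer", the symptom SSLLabs reports as a chain problem. The Go program below is an added illustration, not code from the question, the answer or any GoDaddy tool. It mints a constructed root, intermediate and leaf (placeholder names, hostname www.example.test), writes the intermediate as a concatenated-PEM bundle the way gd_bundle-g2-g1.crt stores it, and then verifies the leaf as a client would, once with no bundle sent and once with the bundle sent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf hierarchy standing in for the
// GoDaddy root, the G2 intermediate and the purchased server certificate.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

func template(cn string, serial int64, isCA bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: isCA,
	}
}

// issue signs tmpl with parentKey under parent; a nil parent makes it self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain mints the three constructed certificates (placeholder names).
func BuildChain() (*Chain, error) {
	root, rootKey, err := issue(template("Example Root CA", 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(template("Example Intermediate G2", 2, true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(template("www.example.test", 3, false), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{root, inter, leaf}, nil
}

// BundlePEM renders the intermediate the way a gd_bundle-style file stores it: PEM CERTIFICATE blocks.
func BundlePEM(c *Chain) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Intermediate.Raw})
}

// ParseBundle reads every CERTIFICATE block from a PEM bundle, as Apache does for the chain file.
func ParseBundle(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, cert)
	}
	return certs, nil
}

// VerifyLeaf plays the browser: it trusts only the root and may use only the intermediates
// the server sent (bundlePEM; nil stands for the chain directive left commented out).
func VerifyLeaf(c *Chain, bundlePEM []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	sent, err := ParseBundle(bundlePEM)
	if err != nil {
		return err
	}
	for _, ic := range sent {
		inters.AddCert(ic)
	}
	_, err = c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// MissingIssuer reports whether err is the "unknown authority" failure an incomplete chain yields.
func MissingIssuer(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("chain file commented out:", VerifyLeaf(c, nil))   // unknown authority
	fmt.Println("chain file served:", VerifyLeaf(c, BundlePEM(c))) // <nil>
}
```

The first run fails with an unknown-authority error even though the leaf is perfectly valid, because the client has no way to get from the leaf to the root on its own; installing the intermediates into the Windows certificate store on the server (or pointing SSLCACertificatePath at them, which only matters for client-certificate authentication) changes nothing about what is sent on the wire. The second run passes once the bundle travels with the leaf, which is what uncommenting SSLCertificateChainFile makes Apache do.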