Ssl – My SSL Certificate from LetsEncrypt isn’t trusted

apache-2.4sslxampp

According to https://www.digicert.com/help/, my certificate for https://sqless.ddns.net (my Apache XAMPP REST web service) isn't trusted because

SSL Certificate is not trusted

The certificate is not signed by a trusted authority (checking against
Mozilla's root store). If you bought the certificate from a trusted
authority, you probably just need to install one or more Intermediate
certificates. Contact your certificate provider for assistance doing
this for your server platform.

This is strange because both Google and Firefox display the green padlock as well as a "Secure" on Chrome.

I used this tutorial in order to set up SSL on my server.
These are my Virtual Hosts in C:\xampp\apache\conf\extra\httpd-vhosts.conf.

<VirtualHost *:80>
    ServerAdmin myemail@email.com
    ServerName sqless.ddns.net
    
    RewriteEngine On
    # Redirect to the HTTPS site
    RewriteCond %{HTTPS} off
    RewriteRule ^/?(.*)$ https://sqless.ddns.net/$1 [NE,L,R=301]
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin myemail@email.com
    ServerName sqless.ddns.net
    
    RewriteEngine On
    # Redirect to the correct domain name
    RewriteCond %{HTTP_HOST} !^sqless.ddns.net$ [NC]
    RewriteRule ^/?(.*)$ https://sqless.ddns.net/$1 [NE,L,R=301]

    Alias /.well-known C:/xampp/htdocs/.well-known

    SSLEngine on
    SSLCertificateFile "C:/Users/Morgan/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/sqless.ddns.net-crt.pem"
    SSLCertificateKeyFile "C:/Users/Morgan/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/sqless.ddns.net-key.pem"
    SSLCertificateChainFile "C:/Users/Morgan/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/sqless.ddns.net-crt.pem"
</VirtualHost>

I used version 1.8.0 of Win-Acme located here: https://github.com/PKISharp/win-acme/releases

Am I missing something?

Best Answer

See this report more detailed: https://www.ssllabs.com/ssltest/analyze.html?d=sqless.ddns.net which shows "This server's certificate chain is incomplete. Grade capped to B.".

Notably the "Extra download" part in the "Certification Paths". Your server needs to send the intermediate CA. Which means SSLCertificateChainFile can not just be the same content as the one in SSLCertificateFile.

Have a look again at the tutorial you quote, you will see it shows this difference which you did not respect. You can find the CA intermediate certificates on their page: https://letsencrypt.org/certificates/

So in your SSLCertificateChainFile you need, in order, the intermediary certificate, and then the CA one. As you can see from the SSLLabs results, your final certificate was generated by "Let's Encrypt X3" (intermediate CA) which is itself signed by "DST Root CA X3". If you go to https://letsencrypt.org/certificates/ you can find both of them.

You need to put them together in a file, just one after the other. You should arrive at this content then:

Best Answer

Related Solutions

Linux/Unix – SSL Certificate Location Guide

Ssl – Wildcard SSL certificate for second-level subdomain

Related Topic