According to https://www.digicert.com/help/, my certificate for https://sqless.ddns.net (my Apache XAMPP REST web service) isn't trusted because:
SSL Certificate is not trusted
The certificate is not signed by a trusted authority (checking against
Mozilla's root store). If you bought the certificate from a trusted
authority, you probably just need to install one or more Intermediate
certificates. Contact your certificate provider for assistance doing
this for your server platform.
This is strange because both Google and Firefox display the green padlock as well as a "Secure" on Chrome.
I used this tutorial in order to set up SSL on my server.
These are my Virtual Hosts in C:\xampp\apache\conf\extra\httpd-vhosts.conf:
<VirtualHost *:80>
    ServerAdmin myemail@email.com
    ServerName sqless.ddns.net
    RewriteEngine On
    # Redirect to the HTTPS site
    RewriteCond %{HTTPS} off
    RewriteRule ^/?(.*)$ https://sqless.ddns.net/$1 [NE,L,R=301]
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin myemail@email.com
    ServerName sqless.ddns.net
    RewriteEngine On
    # Redirect to the correct domain name
    RewriteCond %{HTTP_HOST} !^sqless.ddns.net$ [NC]
    RewriteRule ^/?(.*)$ https://sqless.ddns.net/$1 [NE,L,R=301]
    Alias /.well-known C:/xampp/htdocs/.well-known
    SSLEngine on
    SSLCertificateFile "C:/Users/Morgan/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/sqless.ddns.net-crt.pem"
    SSLCertificateKeyFile "C:/Users/Morgan/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/sqless.ddns.net-key.pem"
    SSLCertificateChainFile "C:/Users/Morgan/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/sqless.ddns.net-crt.pem"
</VirtualHost>
I used version 1.8.0 of Win-Acme located here: https://github.com/PKISharp/win-acme/releases
Am I missing something?
Best Answer
See this more detailed report: https://www.ssllabs.com/ssltest/analyze.html?d=sqless.ddns.net which shows "This server's certificate chain is incomplete. Grade capped to B.".
Notably the "Extra download" part in the "Certification Paths". Your server needs to send the intermediate CA. Which means SSLCertificateChainFile cannot just be the same content as the one in SSLCertificateFile. Have a look again at the tutorial you quote; you will see it shows this difference, which you did not respect. You can find the CA intermediate certificates on their page: https://letsencrypt.org/certificates/
So in your SSLCertificateChainFile you need, in order, the intermediary certificate, and then the CA one. As you can see from the SSLLabs results, your final certificate was generated by "Let's Encrypt X3" (intermediate CA) which is itself signed by "DST Root CA X3". If you go to https://letsencrypt.org/certificates/ you can find both of them. You need to put them together in a file, just one after the other. You should arrive at this content then:
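
An added example, not part of the original answer or of Apache or win-acme: a small Python check that reads the two directives from a vhost and reports the misconfiguration discussed above, where the chain file only repeats the leaf certificate. The function names, file names and PEM blobs are constructed for the demo (the blobs are placeholders, not real X.509 certificates), and the check only compares certificate bytes; it does not validate signatures.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
DIRECTIVE_RE = re.compile(
    r'^\s*(SSLCertificateFile|SSLCertificateChainFile)\s+"?([^"\r\n]+?)"?\s*$',
    re.M | re.I)

def fingerprints(pem_text):
    """SHA-256 of every DER blob in a PEM bundle, in file order."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]

def audit_vhost(conf_text, read_file):
    """Return findings about the certificates one vhost would send."""
    paths = {name.lower(): path for name, path in DIRECTIVE_RE.findall(conf_text)}
    cert_path = paths.get("sslcertificatefile")
    chain_path = paths.get("sslcertificatechainfile")
    if cert_path is None:
        return ["no SSLCertificateFile directive"]
    sent = fingerprints(read_file(cert_path))
    if not sent:
        return ["SSLCertificateFile holds no certificate"]
    findings = []
    if chain_path is not None:
        if chain_path.lower() == cert_path.lower():
            findings.append("SSLCertificateChainFile is the same file as SSLCertificateFile")
        sent += fingerprints(read_file(chain_path))
    # Anything other than the leaf counts as chain material (Apache 2.4.8+ also
    # accepts intermediates appended to SSLCertificateFile itself).
    if all(fp == sent[0] for fp in sent):
        findings.append("only the leaf certificate is sent; no intermediate")
    return findings

def make_pem(blob):
    """Wrap placeholder bytes in PEM armour (constructed, not a real certificate)."""
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample data: file names and contents are made up for the demo.
FILES = {"leaf.pem": make_pem(b"leaf"),
         "chain.pem": make_pem(b"intermediate") + make_pem(b"root")}
BROKEN = 'SSLEngine on\nSSLCertificateFile "leaf.pem"\nSSLCertificateChainFile "leaf.pem"\n'
FIXED = 'SSLEngine on\nSSLCertificateFile "leaf.pem"\nSSLCertificateChainFile "chain.pem"\n'

if __name__ == "__main__":
    print(audit_vhost(BROKEN, FILES.__getitem__))
    print(audit_vhost(FIXED, FILES.__getitem__))
```

To run it against a real configuration, pass the vhost text and a reader such as `lambda p: open(p).read()` in place of the in-memory `FILES` lookup.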