Ubuntu – HAProxy and Intermediate SSL Certificate Issue

amazon-web-services, haproxy, ssl, Ubuntu

We are currently experiencing an issue with verifying a Comodo SSL certificate on an Ubuntu AWS cluster. Browsers are displaying the site/content fine and showing all the relevant certificate information (at least, all the ones we've checked), but certain network proxies and the online SSL checkers are showing we have an incomplete chain.

We have tried the following to try to resolve this:

  1. Upgraded haproxy to the latest 1.5.3
  2. Created a concatenated ".pem" file containing all the certificates (site, intermediate, with and without root)
  3. Added an explicit "ca-file" attribute to the "bind" line in our haproxy.cfg file.

The ".pem" file verifies OK using openssl. The various intermediate and root certificates are installed and showing in /etc/ssl/certs. But the checks still come back with an incomplete chain.

Can anyone advise about anything else we can check or any other changes we can make to try to fix this?

Many thanks in advance…

UPDATE: The only relevant line from the haproxy.cfg (I believe) is this one:

bind *:443 ssl crt /etc/ssl/domainaname.com.pem

UPDATE 2: Output from openssl s_client:

CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = COMODO SSL, CN = www.domainname.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = COMODO SSL, CN = www.domainname.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = COMODO SSL, CN = www.domainname.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=COMODO SSL/CN=www.domainname.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL CA

The following are the contents of www.domainname.com.pem (being referenced in the haproxy config).

Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: www.domainname.com
subject=/OU=Domain Control Validated/OU=COMODO SSL/CN=www.domainname.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
[...]
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

Best Answer

Correct order to include intermediate certificates:

-----BEGIN PRIVATE KEY-----
[Your private key]
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[Your certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate #1 certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate #2 certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Root certificate]
-----END CERTIFICATE-----

awk 1 ORS='\\n' ~/your_path/cert.pem

Copy the resulting string

and paste it into docker-compose.yml like this:

proxy:
  image: tutum/haproxy
  ports:
    - "80:80"
    - "443:443"
  environment:
    - "DEFAULT_SSL_CERT=-----BEGIN PRIVATE KEY-----\nMIIEvQIBADA......"
  links:
    - webapp

It works for me.
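As an added example (not code from the question or the answer), a small Python checker for the layout of a HAProxy PEM bundle: OpenSSL's PEM reader, which HAProxy uses to load the file, only loads blocks carrying standard labels, so a block labelled INTERMEDIATE CERTIFICATE like the one in the question's file is silently skipped and the served chain ends at the leaf, which is exactly what the s_client output above shows. The two bundles below are constructed placeholders, and the checker inspects labels and block counts only, not the issuer/subject links, which still need openssl x509 or s_client to confirm.

```python
import re

# Labels OpenSSL's PEM reader accepts for certificates and private keys;
# any other label is skipped without an error.
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)


def pem_blocks(text):
    """Return (label, body, labels_match) for every PEM block in the file."""
    return [(begin, body, begin == end) for begin, body, end in BLOCK_RE.findall(text)]


def check_haproxy_bundle(text, expect_intermediates=1):
    """Return a list of findings; an empty list means the layout looks loadable.

    HAProxy treats the first certificate block as the server certificate and
    every following certificate block as the chain, in file order."""
    findings = []
    blocks = pem_blocks(text)
    for label, _, matched in blocks:
        if not matched:
            findings.append(f"BEGIN/END label mismatch in '{label}' block")
        elif label not in CERT_LABELS | KEY_LABELS:
            findings.append(f"unrecognised label '{label}': OpenSSL will skip this block")
    certs = [b for b in blocks if b[0] in CERT_LABELS]
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    if len(keys) != 1:
        findings.append(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        findings.append("no certificate block found")
    elif len(certs) < 1 + expect_intermediates:
        findings.append(f"only {len(certs)} certificate block(s): chain is incomplete")
    return findings


# Constructed sample mirroring the question's file (bodies are placeholders, not real keys).
BROKEN_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN INTERMEDIATE CERTIFICATE-----\nBBBB\n-----END INTERMEDIATE CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nCCCC\n-----END RSA PRIVATE KEY-----\n"
)
# Constructed sample in the order the answer recommends.
FIXED_BUNDLE = (
    "-----BEGIN PRIVATE KEY-----\nCCCC\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nDDDD\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for name, bundle in (("broken", BROKEN_BUNDLE), ("fixed", FIXED_BUNDLE)):
        print(name, check_haproxy_bundle(bundle) or "OK")
```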