greyltc / docker-owncloud

Arch linux based docker container with owncloud

The SSL documentation sucks (especially with regard to file names) #84

Closed. torwag closed this issue 7 years ago.

torwag commented 8 years ago

Hi, after getting a Let's Encrypt certificate, I copied the files to the correct location. It worked for Firefox under Linux. However, under Android, I constantly get messages that the certificate is not trusted. I checked with an online SSL tool and it tells me that my server (the owncloud container) does not provide the entire chain.

"This server's certificate chain is incomplete" Extra download Let's Encrypt Authority X1 Fingerprint SHA1: XXXXXXXXXXXXXXXXXXX Pin SHA256: XXXXXXXXXXXXXXXXX=RSA 2048 bits (e 65537) / SHA256withRSA

Furthermore, I read that I would have to use the fullcert.pem. However, there is nothing like that. Any ideas what to do now?

BTW, the filenames coming from Let's Encrypt and the filenames expected by owncloud are different. The wiki and readme just say copy the files from A to B, which is a bit misleading, since stupid people like me get confused because they can't find those files. It would be helpful to briefly mention which files need to be copied and renamed into which files.

greyltc commented 8 years ago

Sorry for my poor documentation. I've got to fix that up for sure. Thanks for pointing that out. Here are the relevant file names. The order of the files is the same in both lists below.

Let's Encrypt fetches files named: cert.pem, privkey.pem, chain.pem

Apache in my container is configured to look for files named: server.crt, server.key, server.chain

I hope that helps.

torwag commented 8 years ago

Well, no need to apologise. It is not like I paid a big amount of cash .... I am very happy with the container and thus I am happy if I can help to make it even better.

torwag commented 8 years ago

I checked again and it still does not work. Further investigation showed that there is no value set for the following lines in /etc/httpd/conf/extra/httpd-ssl.conf:

```apache
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "/root/sslKeys/server.key"
#SSLCertificateKeyFile "/etc/httpd/conf/server-dsa.key"
#SSLCertificateKeyFile "/etc/httpd/conf/server-ecc.key"

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile "/etc/httpd/conf/server-ca.crt"
```

Thus, SSLCertificateChainFile is not set. If I understand this correctly, it should be SSLCertificateChainFile "/root/sslKeys/server.chain".

Furthermore, the Let's Encrypt script returns a fullchain.pem file. If I read this correctly, one could copy and rename fullchain.pem instead of chain.pem to server.chain, providing the Let's Encrypt intermediate keys to those clients which do not have a letsencrypt key.

On a second note, why not configure /etc/httpd/conf/extra/httpd-ssl.conf so that it takes the original filenames provided by the letsencrypt script? One less place to make mistakes and create possible confusion.

torwag commented 8 years ago

Temporarily adding SSLCertificateChainFile "/root/sslKeys/server.chain" seems to work.

However, fullchain.pem seems not to be needed, since it possibly doubles the own server key. At least www.ssllabs.com claims:

Certificates provided 3 (3752 bytes) Chain issues Incorrect order, Extra certs

which is only a warning and not an error/problem.

If I use chain.pem I get no more warnings. :+1:

Thus it seems that SSLCertificateChainFile "/root/sslKeys/server.chain" was really missing.
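The file-name mapping greyltc gave earlier in the thread (cert.pem, privkey.pem, chain.pem to server.crt, server.key, server.chain) and the chain.pem versus fullchain.pem point made in this comment, as one added example that is not part of the docker-owncloud project or the Let's Encrypt client: a POSIX shell snippet that copies the files under the names this container's Apache expects and then checks the layout, flagging the case where fullchain.pem was used as the chain file (it starts with the leaf certificate, which is what produced the "Extra certs" warning above). The directory paths and the PEM bodies are constructed stand-ins, not real certificates.

```shell
#!/bin/sh
# Added example (not the project's own script). Assumed layout: $le_dir holds the
# Let's Encrypt output (cert.pem, privkey.pem, chain.pem, fullchain.pem) and
# $ssl_dir is the container's /root/sslKeys directory.

# Number of PEM certificate blocks in a file ("--" keeps grep from reading the
# leading dashes of the pattern as an option).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print only the first PEM certificate block of a file.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{if (p) exit}' "$1"
}

# Copy the Let's Encrypt files under the names Apache in the container expects.
install_le_certs() {
    le_dir=$1; ssl_dir=$2
    for f in cert.pem privkey.pem chain.pem; do
        [ -f "$le_dir/$f" ] || { echo "missing $le_dir/$f" >&2; return 1; }
    done
    mkdir -p "$ssl_dir"
    cp "$le_dir/cert.pem"    "$ssl_dir/server.crt"    # leaf certificate only
    cp "$le_dir/privkey.pem" "$ssl_dir/server.key"    # private key
    cp "$le_dir/chain.pem"   "$ssl_dir/server.chain"  # intermediates only
    chmod 600 "$ssl_dir/server.key"
}

# server.crt must hold exactly the leaf, server.chain at least one intermediate,
# and server.chain must not begin with the leaf (that is fullchain.pem misused
# as the chain file). Returns 0 on a clean layout.
check_layout() {
    ssl_dir=$1
    [ "$(count_certs "$ssl_dir/server.crt")" -eq 1 ] || { echo "server.crt should hold exactly the leaf certificate"; return 1; }
    [ "$(count_certs "$ssl_dir/server.chain")" -ge 1 ] || { echo "server.chain is empty: clients see an incomplete chain"; return 1; }
    if [ "$(first_cert "$ssl_dir/server.chain")" = "$(first_cert "$ssl_dir/server.crt")" ]; then
        echo "server.chain starts with the leaf: this is fullchain.pem, use chain.pem"
        return 1
    fi
    echo "layout ok"
}

# Constructed stand-ins for the Let's Encrypt output (not real key material).
write_constructed_le_dir() {
    dir=$1; mkdir -p "$dir"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-LEAF' '-----END CERTIFICATE-----' > "$dir/cert.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' '-----END PRIVATE KEY-----' > "$dir/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-INTERMEDIATE' '-----END CERTIFICATE-----' > "$dir/chain.pem"
    cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
}

# Demo: the correct mapping passes, the fullchain.pem mistake is reported.
work=$(mktemp -d)
write_constructed_le_dir "$work/le"
install_le_certs "$work/le" "$work/sslKeys" && check_layout "$work/sslKeys"
cp "$work/le/fullchain.pem" "$work/sslKeys/server.chain"
check_layout "$work/sslKeys" || true
rm -rf "$work"
```

The check only looks at PEM structure, so it runs without openssl; it is a sanity check on the file layout, not a replacement for a scan of the live server such as the ssllabs.com one quoted above.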

dknell commented 8 years ago

@torwag, @greyltc, there is currently a bug in the docker-LAMP image that this docker image is built from. The setupApacheSSLScript.sh doesn't currently update the SSLCertificateChainFile line in http-ssl.conf (the sed replacement is missing quotes). I fixed it and submitted PR #4 to the docker-LAMP repo.
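The docker-LAMP setupApacheSSLScript.sh that dknell refers to is not shown in this thread, so the following is an added example rather than that script or its fix: a POSIX shell snippet that activates a directive in httpd-ssl.conf with its value quoted (the missing quotes are the defect described above), plus a check that every active SSL file directive resolves to an existing file, which is the condition the thread found violated. The config excerpt is constructed from the lines torwag quoted, with an assumed commented-out SSLCertificateFile line added; the file paths are temporary stand-ins.

```shell
#!/bin/sh
# Added example, not the docker-LAMP script. The excerpt is a constructed
# fragment of httpd-ssl.conf in the shape quoted earlier in this issue.
CONF_TEMPLATE='#   Server Certificate:
#SSLCertificateFile "/etc/httpd/conf/server.crt"

#   Server Private Key:
SSLCertificateKeyFile "/root/sslKeys/server.key"
#SSLCertificateKeyFile "/etc/httpd/conf/server-dsa.key"

#   Server Certificate Chain:
#SSLCertificateChainFile "/etc/httpd/conf/server-ca.crt"'

# Replace the first occurrence of a directive (commented out or not) with an
# active line whose value is double-quoted, as the other directives are.
# Only the first match is touched so the commented DSA/ECC variants stay as-is.
set_directive() {
    conf=$1; name=$2; value=$3
    tmp="$conf.tmp"
    awk -v name="$name" -v value="$value" '
        !done && $0 ~ "^#*" name " " { print name " \"" value "\""; done = 1; next }
        { print }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the value of the first active (uncommented) occurrence of a directive,
# with surrounding quotes removed. Prints nothing if it is only commented out.
get_directive() {
    conf=$1; name=$2
    sed -n "s|^$name *\"\{0,1\}\([^\"]*\)\"\{0,1\} *$|\1|p" "$conf" | head -n 1
}

# Every SSL file directive that matters must be active and point at a file
# that exists; a commented-out SSLCertificateChainFile is exactly the case
# in which Apache serves the leaf without its intermediates.
check_files_exist() {
    conf=$1; rc=0
    for name in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        path=$(get_directive "$conf" "$name")
        if [ -z "$path" ]; then
            echo "$name: not set"; rc=1
        elif [ ! -f "$path" ]; then
            echo "$name: $path does not exist"; rc=1
        fi
    done
    return $rc
}

# Demo: the raw template fails the check, the configured one passes.
demo=$(mktemp -d)
conf="$demo/httpd-ssl.conf"
printf '%s\n' "$CONF_TEMPLATE" > "$conf"
check_files_exist "$conf" || echo "-- before configuration: chain file missing, as in the thread"
for f in server.crt server.key server.chain; do : > "$demo/$f"; done   # empty stand-in files
set_directive "$conf" SSLCertificateFile      "$demo/server.crt"
set_directive "$conf" SSLCertificateKeyFile   "$demo/server.key"
set_directive "$conf" SSLCertificateChainFile "$demo/server.chain"
check_files_exist "$conf" && echo "-- after configuration: all SSL file directives resolve"
rm -rf "$demo"
```

Running check_files_exist against the container's real httpd-ssl.conf after copying the certificates in is a quick way to catch the silent failure torwag hit, since Apache starts fine with the chain directive commented out and only remote clients notice the incomplete chain.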

greyltc commented 7 years ago

I think with a PR today this is all sorted out!