Custom certificate with intermediate and root

[Kerhold]

I'm having trouble adding our custom certificate including intermediate and root. I'm following the documentation with removing new lines and replacing with a space. It seems it is only recognizing the last certificate I'm adding while I'm following the standard approach of entity certificate + intermediate certificate + root certificate. Is this supported? If so, any advice on how to do it?

[ethanaobrien]

According to this (https://stackoverflow.com/a/32778101) you should be able to just add the root cert to the end of the cert

[ethanaobrien]

Btw @terreng can we replace the input fields with a textarea, so the text wraps instead of is all on one line

[terreng]

@ethanaobrien Done. It looks like this, it's still just one long line but now it wraps. Does this look OK or did you want me to make the \r\n be actual newlines?

[ethanaobrien]

Yeah, the \r\n should be actual newlines

[terreng]

Does it work if it saves as just \n?

[ethanaobrien]

It doesnt, the server needs line endings of \r\n. It shouldnt be hard to check if its in there or not

[terreng]

Done & committed to main.

@Kerhold You should be able to just include the chain of certs one after another. Let us know if this still doesn't work and I'll reopen the issue. Thanks!

[Kerhold]

Done & committed to main.

@Kerhold You should be able to just include the chain of certs one after another. Let us know if this still doesn't work and I'll reopen the issue. Thanks!

Well, this is exactly what I did, but there was message about key mismatch. I used the same private key and cert chain on nginx and it worked, but we prefer this web server. Since we had to regenerate certificate anyway, I will try one more time. I'm using Notepad++ to remove all CRNL and replace with space on the chain. Later i copy to the cert field. Is this the proper procedure?

[terreng]

I see our documentation says that you can use a space instead of \r\n. Could you try using \r\n anyway just in case the documentation is wrong?

In the next version we'll let you directly copy and paste without needing to do this step.

Since you mentioned an error about key mismatch, could you share the exact error message?

[Kerhold]

I will try also with \r\n, but I tried both - first replacing to space and later space to \r\n (of course keeping space in separators). I will send the message once I will try again. Thanks.

[Kerhold]

There might be something wrong with your HTTPS certificate and key. error:0b000074:X.509 certificate routines:OPENSSL_internal:KEY_VALUES_MISMATCH

Sorry for late response, but this is what I'm getting when using chain certificate.

[terreng]

@ethanaobrien Any ideas? Are you sure this isn't an issue on our side?

[ethanaobrien]

Are you sure this isn't an issue on our side?

That error tells me it isn't, though that's assuming that nodejs actually supports this. Did some research online and only found one person asking about it (which I linked in a previous message) so it wouldn't surprise me if nodejs just doesn't support this

@Kerhold have you tried loading your keys into any other server, such as xampp, Apache, lighttpd, etc?

[Kerhold]

Yes, as I had issues I installed nginx and I'm using the same files: private key and chain of certificates. They work ok. Please note that when I'm using just the certificate (without intermediate and root) and private key, there is no error. Once I add the second and a third certificate one after the other, I get the error of mismatch. I have tried reverse order (I know it is not correct) root + intermediate + certificate and there was no error, but in such a case it was like the server was not seeing the other two. That could mean that it is overwriting the previous entries and using only last one. I'm not skilled enough to check the code for that, but perhaps you could.

[ethanaobrien]

Neither am I skilled enough to check that code, that error leads into the nodejs http library which possibly doesnt support an intermediate certificate

[terreng]

@ethanaobrien Have we determined whether this is our issue or an issue with a dependency/node http?

[ethanaobrien]

As far as I can tell nodejs does not support this

[terreng]

@Kerhold Unfortunately I'm going to have to close this issue. Either you're doing something wrong, or it's an issue with nodejs. We weren't the ones to write the certificate-related code, we rely on nodejs for that.

It might be worth checking this thread on stack overflow to make sure that you're doing everything correctly: https://stackoverflow.com/a/73738493/6276471