Generated certificates do not include full certificate chain

  • Hello,
    I recently tried to curl my website with a LetsEncryptv2 certificate generated by the ACME package but I got the following error:

    curl: (60) SSL certificate problem: unable to get local issuer certificate===group

    I mitigated this error by adding the LetsEncrypt intermediate authority in my system CA bundle but I think it would be a good idea to deliver the full chain in the certificate.

    Did I missed something ?

    Kind regards

  • Rebel Alliance Developer Netgate

    It works fine with the GUI set to use the cert as-is, and I've used it with haproxy and others without needing to change what it outputs.

    Could be a problem with your client, or if you generated the cert on pfSense but exported it for use elsewhere, perhaps something was missed.

  • Hello Jimp,

    I wouldn't say that the certificate isn't working since all my browsers are able to rebuild the full certificate chain. The problem is that some SSL client (as you stated) required that servers provide the full certificate chain, which is not the case with the ACME generated certificates.

    May we have a button in the certificate setup to include intermediate CA's in the final certificate ?

    Let me know if you need more insight.

  • Rebel Alliance Developer Netgate

    And I'm saying I can't replicate the error here with any client, even cURL. It all works fine as-is.

    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: CN=<my hostname>
    *  start date: Jun 14 06:18:12 2018 GMT
    *  expire date: Sep 12 06:18:12 2018 GMT
    *  subjectAltName: host "<my hostname>" matched cert's "<my hostname>"
    *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *  SSL certificate verify ok.

    The CA that signed my ACME cert is: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    The ACME CA on pfSense is: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    The ACME CA was signed by O=Digital Signature Trust Co., CN=DST Root CA X3

    Connecting to the GUI I am already served the ACME cert and the ACME intermediate CA.

    $ openssl s_client -showcerts -connect <my hostname>:443
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = <my hostname>
    verify return:1
    Certificate chain
     0 s:/CN=<my hostname>
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    -----END CERTIFICATE-----
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    -----END CERTIFICATE-----
    Server certificate
    subject=/CN=<my hostname>
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    SSL handshake has read 3239 bytes and written 302 bytes
    Verification: OK

    I'd still look at your client to find the problem. I don't see what else we could possibly include beyond what we have done already.

  • When I'm typing the same command than you I only have the first certificate which is displayed, meaning that the delivered certificate does NOT contains the full chain, which is your case.

    The LetsEncrypt intermediate authority is not installed on fresh Debian 9 installs, which is the reason why I got the error.

    So I don't understand what's going wrong.

  • Rebel Alliance Developer Netgate

    What service are you attempting to connect to that is not sending the full chain? Is it the GUI, or some other package?

  • I'm trying to reach a website hosted behing a Squid Reverse-Proxy configured to use this certificate.

  • Rebel Alliance Developer Netgate

    Then it's probably a bug in the Squid Reverse Proxy function and not ACME or pfSense in general.

    Use HAProxy instead and you'll be much better off. I don't believe anyone is currently maintaining the squid reverse proxy function.

  • Ok jimp I will try HAproxy tonight, hope it will provided me the feature I was looking for in Squid, even it is very buggy.

  • Ok worked fine with HAProxy. I would suggest you to drop the Squid packages since many features are deprecated or not working properly :)
    Thank you for all your amazing stuff.

Log in to reply