How to add the Root Certificate to the chain
-
When using the certificate either through HAproxy or for the "WebConfiguration for pfSense" , only the cert and R3 intermediate are returned to the client. The ISRG Root X1 cert is not returned. i.e. only 2 certs in the chain are returned when running the command: openssl s_client -showcerts -connect myHost:MyPort but openssl s_client -showcerts -connect shop.bbc.com:443 returns 3 certs. Similar if looking at the pages through Firefox on the desktop.
How can I configure the Acme client to put all 3 certs in the chain?
The reason this is an issue is because the Samsung Android browser wont load the page unless I first goto a site that has the root cert. Most recently I had to use https://shop.bbc.com.
Thanks in advance.
-
johnpoz LAYER 8 Global Moderatorlast edited by johnpoz Jun 21, 2023, 10:31 PM Jun 21, 2023, 10:28 PM
@rainmakers99_1 not seeing this.. running haproxy 0.7.4 package
ash-4.4# openssl s_client -showcerts -connect overseerr.snipped.tld:443 CONNECTED(00000003) depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = R3 verify return:1 depth=0 CN = overseerr.snipped.tld verify return:1 --- Certificate chain 0 s:CN = overseerr.snipped.tld i:C = US, O = Let's Encrypt, CN = R3 -----BEGIN CERTIFICATE----- MIIEeTCCA2GgAwIBAgISAy/wlx0VeNdy7MasuMlgMXWIMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD <snipped> f3GCqxYB7VjcmcDqbPMIvM8JKOH2BxLDnwuZUnDyQ1Uqk/0/4DCZJX48hXUK5aN/ 57JVAeK0ztxWV0syfCVotX0n+sqs4BVKojx71e06jUmECOdP5p3W0Ka9y5t1gIAK f1CpjOjLdxXSyE4IKVknSkZs3N0GTVEkdeje/rcllAtr2Y84894xFcZGNIUf -----END CERTIFICATE----- 1 s:C = US, O = Let's Encrypt, CN = R3 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 -----BEGIN CERTIFICATE----- MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw <snipped> hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX nLRbwHOoq7hHwg== -----END CERTIFICATE----- 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1 i:O = Digital Signature Trust Co., CN = DST Root CA X3 -----BEGIN CERTIFICATE----- MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB <snipped> WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 -----END CERTIFICATE-----