Join the community today
Register Now

SSL Letsencrypt iOS/Apple reporting SSL issues, SSL Labs test reports chain incomplete.

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by fly, Dec 17, 2021.

  1. fly

    fly Member

    57
    10
    8
    Jul 27, 2019
    Ratings:
    +16
    Local Time:
    5:30 AM
    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: i.e. 1.21.4
    • PHP Version Installed: 7.4
    • MariaDB MySQL Version Installed: n/a
    • When was last time updated Centmin Mod code base ? : today
    • Persistent Config:
    Code:
    LETSENCRYPT_DETECT='y'
    
    MARCH_TARGETNATIVE='n'
    

    From internet readings, it seems there was some sort of Let's Encrypt intermediate cert changed in the last couple of months. I'm assuming this problem is related. SSL Labs reports that there is an extra download for R3. What am I missing in my NGINX SSL config so that's included?

    edit: As a sidenote, this thread took about 10 seconds to post, and then another 10 seconds to get to the edit screen to add this. Not complaining, just wanted to give you a heads up. ;)

     
  2. eva2000

    eva2000 Administrator Staff Member

    47,843
    10,916
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,956
    Local Time:
    8:30 PM
    Nginx 1.21.x
    MariaDB 10.x
    Might be, see Centmin Mod Managing Letsencrypt DST Root CA X3 Certificate Expiration On CentOS 7 - Centmin Mod Blog for all the details I gathered at the time :) #4 is probably fix for you though I'd make sure all listed fixes are done from my blog article.

    Might be related to https://www.cloudflarestatus.com/incidents/qz5m74q8q0jl

     
    Last edited: Dec 18, 2021
  3. fly

    fly Member

    57
    10
    8
    Jul 27, 2019
    Ratings:
    +16
    Local Time:
    5:30 AM
    I ran through those and SSL Labs still shows the chain is incomplete. Any other ideas?

    upload_2021-12-17_10-28-37.png
     
  4. eva2000

    eva2000 Administrator Staff Member

    47,843
    10,916
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,956
    Local Time:
    8:30 PM
    Nginx 1.21.x
    MariaDB 10.x
  5. fly

    fly Member

    57
    10
    8
    Jul 27, 2019
    Ratings:
    +16
    Local Time:
    5:30 AM
  6. eva2000

    eva2000 Administrator Staff Member

    47,843
    10,916
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,956
    Local Time:
    8:30 PM
    Nginx 1.21.x
    MariaDB 10.x
    Strange then as Centmin Mod's Letsencrypt routine wouldn't misconfigure that at all. Would help to have more info/details from SSLlab run at SSL Server Test (Powered by Qualys SSL Labs)
     
  7. eva2000

    eva2000 Administrator Staff Member

    47,843
    10,916
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,956
    Local Time:
    8:30 PM
    Nginx 1.21.x
    MariaDB 10.x
    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    what is output of these commands in ssh
    Code (Text):
    curl -Iv https://domain.com
    

    Code (Text):
    curl -Iv https://www.domain.com
    

    wrap output in CODE tags
     
  8. fly

    fly Member

    57
    10
    8
    Jul 27, 2019
    Ratings:
    +16
    Local Time:
    5:30 AM
    Apologies, but I don't have permission to post the domain, may I PM this info to you. Or would you prefer I just edit it?

    As usual, thank you so much for all the help.
     
  9. eva2000

    eva2000 Administrator Staff Member

    47,843
    10,916
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,956
    Local Time:
    8:30 PM
    Nginx 1.21.x
    MariaDB 10.x
    Yeah PM the info in that case
     
  10. fly

    fly Member

    57
    10
    8
    Jul 27, 2019
    Ratings:
    +16
    Local Time:
    5:30 AM
    If anyone else comes across this, as expected, @eva2000 figured it all out. For reasons I don't have immediate answers to, the NGINX crt.key.conf file was pointing to the certs in /root/.acme.sh/, rather than the correct location in /usr/local/nginx/conf/ssl/. Once I corrected that, everything worked perfectly.