
I have a website that's using a Let's Encrypt SSL wildcard certificate which is working great. I now want to take this certificate and install it in another server I'm using.

My other server is running Tomcat on AWS. I've extracted the Base64-encoded cert, private key and intermediate cert from the first server and installed them here. SSL is working, but I have a small problem. If I test my site with some of the SSL testing webapps, they say "You have an invalid or missing intermediate (bundle) certificate."

I'm not sure how to diagnose or correct the problem, although I've tried many things. I have a VirtualHost where I properly configured SSLCertificateFile and SSLCertificateKeyFile. I tried creating an SSLCertificateChainFile, but that failed to even start my server because this directive is obsolete. Then I tried concatenating the intermediate cert into my server cert (I've done this with and without the root cert). SSL works here, but I still get the missing intermediate problem. Looking at the error log, I see nothing.

Any ideas on how to diagnose and fix this problem? I know that configuring this should be straightforward, but I can't get it to completely work.

Additional Info:

The output of running openssl looks like this:

[ec2-user@ip-172-31-9-168 ~]$ openssl s_client -connect localhost:443 -showcerts
CONNECTED(00000003)
depth=0 CN = *.routercheck.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.routercheck.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = *.routercheck.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=*.routercheck.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIGHTCCBQWgAwIBAgISA9b5buv7A7jbvwsOA18kT5qXMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA0MTYxOTE3NDJaFw0x
ODA3MTUxOTE3NDJaMBwxGjAYBgNVBAMMESoucm91dGVyY2hlY2suY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu4P+E9y7yU8yOFduoQBCKe7ZnWLN
ISzB/0jmreFu/Y1ZhzCrs+ZOGw9P/jq+He71Bzea+wRkwbwDpQs0emEXhK5f4nLm
msQ8yxB7Z3Rh+T/BJmzTgnuD2UUqBozSpue+hJcwAfBqNTo3vpyMhyIUbbAjIHtv
7jxMuXDx3eCrZVL6dD3qRUXRwAtT1Bz/ue07F4XoBagbLWAiWIiGPPdzbH/21qEf
b7TsZEedbLSexldZtH4SWv3aPa02XXnzEvKsALIBDOB+aG3Z93LnWKSdnxxqUGpl
+cgCUbQ8H25+uGUK7KQ2TS7OhDJRXRiHfeRbfGjPhJsVZ7DXLuvaYLCg6QIDAQAB
o4IDKTCCAyUwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSBjUKUkJFTPg1HQs4lpZTD
KDik9DAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcB
AQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlw
dC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlw
dC5vcmcvMC0GA1UdEQQmMCSCESoucm91dGVyY2hlY2suY29tgg9yb3V0ZXJjaGVj
ay5jb20wgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHW
MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYB
BQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1
cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdp
dGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNl
bmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1
ANt0r+7LKeyx/so+cW0s5bmquzb3hHGDx12dTze2H79kAAABYtAbJMAAAAQDAEYw
RAIgBWvnf3mcCyNfcIHWNN3n5haNLpttZ5+HMpwBhvjGzj0CIGUfB/b1eE+2kNSY
2yc8iOaeje/HNYuDcgCCHP+YBwAkAHYAKTxRllTIOWW6qlD8WAfUt2+/WHopctyk
wwz05UVH9HgAAAFi0Bsk4AAABAMARzBFAiBLKmEApnrAjDyLR0tnwN4lNo0VObns
8x7a7JdnyQq3XgIhAJ3/QLr+swiqa001j6CsVguTDdDgwTY3KabBwRf9w+DXMA0G
CSqGSIb3DQEBCwUAA4IBAQBTLIU1rVhw+r+irfr+Cq20Nbar+OOAaMiEb/0oUBCm
znnBxbntuJ/h3nJbeoW5VrLcX1xGW50jox09/t/VKhXKwJ1zhtJtdkFcImiAQsDK
j/ioT5YLzxf6VVo6AG8at9ADXBdI1WfeRjrC1xA+2KmmQDTUhhPjfn6oHzDjsgPZ
20AGlXpiabQWUxibjGYHNUazs4BgPfWwHCxPPqGo2afwPX2gs54UaiJShGG6VeL6
qnpxgRjzfho8gdLazLpckPoPKoTuiUR03nJvXV1oDaMmShN+IeRxky/KqTNeKOPc
MRJIKbDsau7CxCRnWjn/XJWwZSDQHhkQJ3hGLtQKjswL
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.routercheck.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-

My cert file has my server cert AND the Let's Encrypt intermediate cert in the file. My server cert is first followed by the intermediate.

I do not include the root cert because all of the documentation I found said this is unnecessary. I did try to include it, but it didn't help.

Sander Smith
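Added example (the editor's, not part of the question or the answer below): the `-showcerts` output above lists only cert 0, so the server is sending the leaf certificate by itself, and a client that has only the root in its trust store then fails with exactly the `error 20 ... unable to get local issuer certificate` shown. The script below reproduces that offline with a throwaway root -> intermediate -> leaf hierarchy (all names, `Example Root CA`, `Example Intermediate CA`, `*.example.test`, are made up for the demo), shows `openssl verify` failing and then succeeding once the intermediate is supplied, and checks that a concatenated bundle is in the order a server must send it: leaf first, then the intermediate. It assumes the `openssl` CLI (1.1.1 or later) is installed. The `served_chain` function at the end is not run by the demo; point it at a real host to capture what that server actually presents and feed the result to `check_bundle_order`.

```shell
#!/bin/sh
# Added example: reproduce the "missing intermediate" failure offline and
# check a PEM bundle's order. Requires the openssl CLI. Every name below
# (Example Root CA, Example Intermediate CA, *.example.test) is made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway hierarchy with the same shape as root -> Let's Encrypt
# intermediate -> wildcard leaf. Idempotent: skips work if already built.
make_hierarchy() {
    [ -f "$WORK/leaf.pem" ] && return 0
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = root_ext
[dn]
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.test,DNS:example.test\n' > "$WORK/leaf.ext"
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 2 -extfile "$WORK/int.ext" -out "$WORK/int.pem" >/dev/null 2>&1
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=*.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
        -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Verify a leaf the way a client with only the root in its trust store does.
# $1 = root, $2 = leaf, optional $3 = PEM file of untrusted intermediates.
# Returns 0 only if openssl prints "<leaf>: OK"; with the leaf alone it fails
# with error 20 (unable to get local issuer certificate), as in the question.
verify_leaf() {
    if [ $# -ge 3 ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    fi
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q ': OK$'
}

# Print subject/issuer of every cert in a PEM bundle in file order and fail if
# cert N's issuer is not cert N+1's subject, or if the bundle holds a single
# non-self-signed cert (i.e. only the leaf, the intermediate is missing).
check_bundle_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
      | openssl pkcs7 -print_certs -noout \
      | awk '
        /^subject=/ { sub(/^subject=/, ""); s[++n] = $0 }
        /^issuer=/  { sub(/^issuer=/, "");  i[n] = $0 }
        END {
            if (n == 0) { print "no certificates found"; exit 1 }
            ok = 1
            for (k = 1; k <= n; k++) {
                printf "%d: subject=%s\n   issuer=%s\n", k - 1, s[k], i[k]
                if (k < n && i[k] != s[k + 1]) { print "   !! issuer does not match the next subject"; ok = 0 }
            }
            if (n == 1 && i[1] != s[1]) { print "!! only the leaf is present: intermediate missing"; ok = 0 }
            exit (ok ? 0 : 1)
        }'
}

# Against a live server (not run by the demo): dump the chain it actually
# sends. -servername matters for name-based virtual hosts (SNI).
served_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
      | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

demo() {
    make_hierarchy
    echo "== leaf only (what a server that omits the intermediate presents):"
    verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" || true
    echo "== leaf with the intermediate supplied:"
    verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem"
    echo "== bundle order check (leaf first, then intermediate):"
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
    check_bundle_order "$WORK/fullchain.pem"
}

demo
```

Usage against a real host: `served_chain www.example.com > chain.pem; check_bundle_order chain.pem`. A chain whose first cert's issuer has no matching subject later in the file is what the online checkers call a missing intermediate. Note that `openssl s_client -connect localhost:443` without `-servername` sends no SNI, so on a server with several name-based virtual hosts it may be answered by a different vhost's certificate than the one being troubleshot.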

1 Answer


Simply copying the cert, the private key, and the CA cert is not enough. This is because during certificate issuance Let's Encrypt uses Certbot to automate the process, which would have modified your default Apache configuration. If not, the Certbot webroot plugin would have created additional configuration files for itself in order for the certificate to work.

Check the /etc/letsencrypt/live/yourdomain.com directory on your original server. It contains all the necessary symlinks and subdirectories for Certbot to work. Copy those to your AWS server for it to work. Check this post on the Let's Encrypt community.

The best way would be to use a new cert for your site on AWS, as it will most likely save you time.

If you are looking for wildcard certificates that can be copied over to several different servers without modifying additional configuration, I would suggest using the ones provided by Cloudflare.

Algo7