
I bought a PositiveSSL Wildcard from https://www.ssls.com/

I have received 3 files a .ca-bundle a .crt and a .p7b.

I configured the certificates with NGINX but I'm getting an error:

"Servers certificate chain is incomplete"

https://www.ssllabs.com/ssltest/analyze.html?d=api.billgun.com

How can I fix this?

mx0
Adam Halasz
  • Have you included the CA bundle in the file pointed to by your server's `ssl_certificate` directive? – Richard Smith Nov 14 '17 at 16:18
  • *"I configured the certificates with NGINX but I'm getting an error"* - it would be more helpful if you not only mention the error you got and **that** you've configured the certificates in NGINX but also **how** you've configured the certificates. Because the wrong how is probably the problem. – Steffen Ullrich Nov 14 '17 at 16:36

2 Answers


Servers certificate chain is incomplete

means that you don't have the intermediate certificates, that certificates have expired, or that they are in the wrong order.

It looks like you don't have any intermediate certificates: https://www.sslshopper.com/ssl-checker.html#hostname=https://api.billgun.com/.

When you open your site in a browser you will get a green padlock, because browsers can download missing intermediate certificates, but other tools won't be able to connect, e.g. curl:

    curl -I 'https://api.billgun.com/'
    curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
    More details here: http://curl.haxx.se/docs/sslcerts.html

or openssl:

    openssl s_client -connect api.billgun.com:443
    CONNECTED(00000003)
    depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.billgun.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.billgun.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.billgun.com
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    ---

The fastest way to generate the correct chain is to:

  • open your site in a browser
  • click on the green padlock and display the certificate properties
  • export every certificate in the chain (in your case, you should get 3 files: -billguncom.crt, COMODORSADomainValidationSecureServerCA.crt, COMODORSACertificationAuthority.crt)
  • combine the files in order from leaf to root cert:

    cat -- -billguncom.crt COMODORSADomainValidationSecureServerCA.crt COMODORSACertificationAuthority.crt > billgun_com.crt

  • install the new cert on the server
  • test the nginx configuration: `nginx -t`
  • restart the server: `service nginx restart`
mx0
  • I tried the "fastest way" grabbed the three files from the browser, combined, didn't work for me. nginx says x509 certificate routines:X509_check_private_key:key values mismatch – Gerry Feb 20 '23 at 18:24
  • @Gerry Did you combine them in the correct order? And does the cert work in a browser? – mx0 Feb 20 '23 at 20:52
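The two things that go wrong with a hand-built bundle are the ones this answer and the comment above describe: the certificates are concatenated in the wrong order, or the first certificate in the file is not the one that belongs to the private key named by `ssl_certificate_key` (nginx then reports `X509_check_private_key:key values mismatch`). The script below is an added example, not code from the answer or the original post; it checks both before `nginx -t` is run. It assumes POSIX sh, awk and the `openssl` command line tool, and every file path in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the answer or the original post): checks to run on a
# concatenated nginx certificate bundle before pointing ssl_certificate at it.
# Assumes POSIX sh, awk and the openssl CLI. All file names are placeholders.

# Split a PEM bundle into <outdir>/cert-1.pem, cert-2.pem, ... (one certificate
# per file) and print how many certificates were found.
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# Print a certificate's subject or issuer without the "subject=" / "issuer="
# prefix, so the two can be compared as plain strings.
name_of() {   # name_of <subject|issuer> <cert.pem>
    openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*=[ ]*//'
}

# nginx expects leaf, then intermediates, then (optionally) the root, so the
# issuer of certificate N must be the subject of certificate N+1. Returns 0 if
# every link matches, 1 otherwise; each broken link is reported on stderr.
check_order() {
    bundle="$1"
    tmp=$(mktemp -d)
    count=$(split_bundle "$bundle" "$tmp")
    rc=0
    i=1
    while [ "$i" -lt "$count" ]; do
        j=$((i + 1))
        issuer=$(name_of issuer "$tmp/cert-$i.pem")
        subject=$(name_of subject "$tmp/cert-$j.pem")
        if [ "$issuer" != "$subject" ]; then
            echo "chain breaks between certificate $i and $j: issuer '$issuer' is not subject '$subject'" >&2
            rc=1
        fi
        i=$j
    done
    rm -rf "$tmp"
    return "$rc"
}

# The first certificate in the bundle must belong to the private key named by
# ssl_certificate_key; a mismatch is what nginx reports as
# "X509_check_private_key:key values mismatch". Compares the public key
# (SubjectPublicKeyInfo) taken from the certificate with the one derived from
# the private key.
check_key_match() {   # check_key_match <bundle.pem> <private-key.pem>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage (placeholder paths): run both checks, then nginx -t, before reloading.
#   check_order /etc/nginx/ssl/billgun_com.crt && \
#   check_key_match /etc/nginx/ssl/billgun_com.crt /etc/nginx/ssl/billgun_com.key
```

`check_order` only verifies that the names link up; it does not validate signatures or expiry, which `openssl verify` or the SSL Labs test does once the bundle is installed. Including the root certificate at the end of the bundle is harmless, but it is the intermediates that clients such as curl need and that the original configuration was missing.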
There is a tool to automate the procedure of producing a bundle of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver (I'm the author.)

Usage:

    cert-chain-resolver -o domain.bundle.pem domain.pem

  • domain.pem is your input certificate
  • domain.bundle.pem is the certificate bundle that you can use in your web server configuration
zakjan