Bug: Deploy to apache - missing chain

Hi,

In the current version of Certify the chain is missing if you deploy to Apache.

Output filepath for cert → works as expected
Output filepath for key → works as expected
Output filepath for full chain → leaf cert is inside but the chain is missing
Output filepath for CA chain → creates an empty file

I don't know the versions exactly, but with 6.0.13 it works and with 6.0.18 it isn't working.

Thx.

Hi,

Can you check your source PFX file has the intermediates in the chain (using certutil or openssl)?

Systems may vary depending on Key Type (RSA or EC) and whether the system already trusts the CA root properly.

I can confirm in my own testing just now on a production server using Deploy to Apache, issuing from Let’s Encrypt:

  • cert.pem has leaf cert
  • privkey.pem has private key
  • fullchain.pem has leaf cert then intermediate cert (R11) in this case
  • chain.pem has R11 intermediate

So there is something different happening in the chain building for your PFX. The app would previously fail to renew certs on systems that didn't have the CA root in the Computer Certificate trust store (Trusted Certification Authorities), and a common problem on Windows is broken Windows updates or CA root cert downloads being disabled or blocked.

Can you check your system has ISRG Root X1 issued by ISRG Root X1 (not by DST Root CA X3)?
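An added example (not code from Certify The Web) for the two checks suggested above: it lists the certificates embedded in the source PFX, lets Windows build the chain from the leaf so a missing or untrusted root shows up as a status error, and counts the PEM blocks in the deployed fullchain.pem and chain.pem. The file paths are assumptions; adjust them to your own system.

```powershell
# Added example, not part of Certify The Web. All paths below are assumptions.
$pfxPath      = 'C:\ProgramData\certify\assets\example.pfx'   # assumption
$fullchainPem = 'C:\Apache24\conf\ssl\fullchain.pem'          # assumption
$chainPem     = 'C:\Apache24\conf\ssl\chain.pem'              # assumption
$pfxPassword  = Read-Host 'PFX password'

# 1. Everything stored in the PFX: the leaf plus any intermediates that were bundled with it.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$pfx.Import($pfxPath, $pfxPassword, 'DefaultKeySet')
'== Certificates stored in the PFX =='
$pfx | ForEach-Object { '{0}  <-  {1}  (expires {2:yyyy-MM-dd})' -f $_.Subject, $_.Issuer, $_.NotAfter }

# The leaf is the entry that carries the private key; the rest are the intermediates
# that a Deploy to Apache task should write to fullchain.pem and chain.pem.
$leaf = $pfx | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) { throw 'No certificate with a private key found in the PFX' }
$embeddedIntermediates = @($pfx | Where-Object { -not $_.HasPrivateKey })

# 2. Let Windows build the chain from the leaf using the machine's trust store.
#    A missing ISRG Root X1 or a blocked root download appears here as a chain status error.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # we are checking structure, not revocation
$built = $chain.Build($leaf)
'== Windows chain build: valid={0} ==' -f $built
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
$chain.ChainStatus   | ForEach-Object { '  status: {0} {1}' -f $_.Status, $_.StatusInformation }

# 3. Count PEM certificate blocks in the deployed files. fullchain.pem should hold the
#    leaf plus the intermediates; chain.pem only the intermediates (0 means the empty file
#    reported in this thread).
function Get-PemCertCount([string]$Path) {
    if (-not (Test-Path $Path)) { return 0 }
    @(Select-String -Path $Path -Pattern '-----BEGIN CERTIFICATE-----').Count
}
$expectedFull  = 1 + $embeddedIntermediates.Count
$expectedChain = $embeddedIntermediates.Count
'fullchain.pem: {0} cert(s), expected {1}' -f (Get-PemCertCount $fullchainPem), $expectedFull
'chain.pem:     {0} cert(s), expected {1}' -f (Get-PemCertCount $chainPem), $expectedChain
```

If the PFX already lacks the intermediates, the problem is upstream of the deploy task; if the PFX has them but the PEM counts are short, the export step is dropping them.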

Yes, ISRG Root X1 is issued by ISRG Root X1
EC or RSA makes no difference.

Where can I find my source PFX file?

You can either export it using an Export Certificate task (as PFX) or you can find the current path under Certificate > Advanced > Actions; it will be under C:\ProgramData\certify\assets\

Now I can see the difference; this was before the issue persisted:

================ Zertifikat 0 ================
=========== Verschachtelungsebene 1 anfangen ==========
Element 0:
Seriennummer: 912b084acf0c18a753f6d62e25a75f5a
Aussteller: CN=ISRG Root X1, O=Internet Security Research Group, C=US
 Nicht vor: 04.09.2020 02:00
 Nicht nach: 15.09.2025 18:00
Antragsteller: CN=R3, O=Let's Encrypt, C=US
Kein Stammzertifikat
Zertifikathash(sha1): a053375bfe84e8b748782c7cee15827a6af5a405
----------  Verschachtelungsebene 1 beenden  ----------
Keine Informationen über den Schlüsselanbieter
Das Zertifikat und der private Schlüssel für die Entschlüsselung wurden nicht gefunden.

================ Zertifikat 1 ================
=========== Verschachtelungsebene 1 anfangen ==========
Element 1:
Seriennummer: 4001772137d4e942b8ee76aa3c640ab7
Aussteller: CN=DST Root CA X3, O=Digital Signature Trust Co.
 Nicht vor: 20.01.2021 21:14
 Nicht nach: 30.09.2024 20:14
Antragsteller: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Kein Stammzertifikat
Zertifikathash(sha1): 933c6ddee95c9c41a40f9f50493d82be03ad87bf
----------  Verschachtelungsebene 1 beenden  ----------
Keine Informationen über den Schlüsselanbieter
Das Zertifikat und der private Schlüssel für die Entschlüsselung wurden nicht gefunden.

================ Zertifikat 2 ================
=========== Verschachtelungsebene 1 anfangen ==========
Element 2:
Seriennummer: 04e81b0a92d0ed25ecc4bc1187e19965c388
Aussteller: CN=R3, O=Let's Encrypt, C=US
 Nicht vor: 07.07.2023 12:54
 Nicht nach: 05.10.2023 12:54
Antragsteller: CN=xxxxxxxxxxxxxxxxx
Kein Stammzertifikat
Zertifikathash(sha1): xxxxxxxxxx
----------  Verschachtelungsebene 1 beenden  ----------
  Anbieter = Microsoft Enhanced Cryptographic Provider v1.0
Verschlüsselungstest wurde durchgeführt
CertUtil: -dump-Befehl wurde erfolgreich ausgeführt.

This is the pfx now (issue still persists):

================ Zertifikat 0 ================
=========== Verschachtelungsebene 1 anfangen ==========
Element 0:
Seriennummer: 8a7d3e13d62f30ef2386bd29076b34f8
Aussteller: CN=ISRG Root X1, O=Internet Security Research Group, C=US
 Nicht vor: 13.03.2024 02:00
 Nicht nach: 13.03.2027 01:59
Antragsteller: CN=R11, O=Let's Encrypt, C=US
Kein Stammzertifikat
Zertifikathash(sha1): 696db3af0dffc17e65c6a20d925c5a7bd24dec7e
----------  Verschachtelungsebene 1 beenden  ----------
Keine Informationen über den Schlüsselanbieter
Das Zertifikat und der private Schlüssel für die Entschlüsselung wurden nicht gefunden.

================ Zertifikat 1 ================
=========== Verschachtelungsebene 1 anfangen ==========
Element 1:
Seriennummer: 04bc35d00077042e962ee6377074390eaf81
Aussteller: CN=R11, O=Let's Encrypt, C=US
 Nicht vor: 30.07.2024 14:42
 Nicht nach: 28.10.2024 14:42
Antragsteller: CN=xxxxxxxxxxxxxxxxx
Kein Stammzertifikat
Zertifikathash(sha1):xxxxxxxxxxxxxxx
----------  Verschachtelungsebene 1 beenden  ----------
  Anbieter = Microsoft Enhanced Cryptographic Provider v1.0
Verschlüsselungstest wurde durchgeführt
CertUtil: -dump-Befehl wurde erfolgreich ausgeführt.

Between these two there was no Certify version change, but I changed which FQDN is the primary for the cert.

Your previous chain was Leaf > R3 > ISRG Root X1 > DST Root CA X3

The current chain is leaf > R11 (or R10) > ISRG Root X1 (because Let’s Encrypt have updated their chain).

Something may be getting lost in translation but I can’t see a problem with the PFX.

Sorry, I can't find a reason for this export problem and I'm unable to reproduce it on any of the machines I have. Which version of Windows are you running the app on, and was it a fresh install of Windows or an upgrade from an older version?