Let’s Encrypt – Mysterious Authority Issues

Lately, new sites I’ve created using my ISPConfig automation and letsencrypt.sh have been received inconsistently on various browsers – the issue appears to be particularly prevalent on OSX.

Doing some digging revealed a possible incomplete chain issue to be the cause.

Sure enough, modifying my Apache conf to incorporate a direct link to the intermediate chain fixed the issue.

My LE-ISPConfig Apache conf now looks like this:

That little line at the bottom was what made the difference; chain.pem (a symlink to my primary domain’s intermediate cert chain) will be updated as and when keys and site certs are updated via cron.

I post this here as my errors were a little more vague until I was able to track down the issue as an incomplete certificate chain error.
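To catch this class of misconfiguration before a browser does, the following added example (not the author's configuration or part of the original post) audits Apache vhost text and flags any TLS vhost that would serve only the leaf certificate. It assumes the standard mod_ssl directives `SSLCertificateFile` and `SSLCertificateChainFile`, and also accepts the Apache 2.4.8+ layout where the intermediates are appended to the certificate file itself; the vhost names and PEM contents are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

def directive(body, name):
    """Last value of an Apache directive inside a vhost body, or None."""
    hits = re.findall(rf"^[ \t]*{name}[ \t]+(\S+)", body, re.M | re.I)
    return hits[-1].strip('"') if hits else None

def count_certs(path):
    """Number of PEM certificates in a file; 0 if missing or unreadable."""
    try:
        return Path(path).read_text().count(PEM_BEGIN)
    except OSError:
        return 0

def audit(conf_text):
    """Map each TLS vhost to True (intermediates served) or False (leaf only)."""
    results = {}
    for addr, body in VHOST_RE.findall(conf_text):
        cert = directive(body, "SSLCertificateFile")
        if cert is None:
            continue  # not a TLS vhost
        chain = directive(body, "SSLCertificateChainFile")
        # Either a separate chain file exists, or the cert file bundles leaf + chain.
        results[addr.strip()] = bool(chain and count_certs(chain)) or count_certs(cert) > 1
    return results

def demo():
    """Constructed input: placeholder PEM blocks and hypothetical vhost names."""
    d = Path(tempfile.mkdtemp())
    pem = PEM_BEGIN + "\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
    (d / "cert.pem").write_text(pem)           # leaf only
    (d / "chain.pem").write_text(pem)          # intermediate
    (d / "fullchain.pem").write_text(pem * 2)  # leaf + intermediate
    vhost = "<VirtualHost {0}:443>\n  SSLEngine on\n{1}</VirtualHost>\n"
    return audit(
        vhost.format("leafonly.example", f"  SSLCertificateFile {d}/cert.pem\n")
        + vhost.format("chainfile.example", f"  SSLCertificateFile {d}/cert.pem\n"
                       f"  SSLCertificateChainFile {d}/chain.pem\n")
        + vhost.format("bundled.example", f"  SSLCertificateFile {d}/fullchain.pem\n")
        + "<VirtualHost plain.example:80>\n  DocumentRoot /var/www\n</VirtualHost>\n"
    )

if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, "chain served" if ok else "INCOMPLETE CHAIN")
```

This is a static check of the configuration only; it does not confirm what a client actually receives during the handshake or that the chain file holds the correct intermediate.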

Minor Update

The default installation of Apache 2 on Ubuntu seems to include support for older, insecure ciphers. So while we’re munging config files, check your ssl.conf mod and see if you need to restrict cipher support with something like this:

 
