Let’s Encrypt – Mysterious Authority Issues

Lately, new sites I’ve created using my ISPConfig automation and letsencrypt.sh┬áhave been received inconsistently on various browsers – the issue appears to be particularly prevalent on OSX.

Doing some digging revealed a possible incomplete chain issue to be the cause.

Sure enough, modifying my Apache conf to incorporate a direct link to the intermediate chain fixed the issue.

My LE-ISPConfig Apache conf now looks like this:

Alias "/.well-known/acme-challenge/" /var/le-ispconfig/
<Directory /var/le-ispconfig>
  Require all granted
</Directory>
<IfModule mod_headers.c>
  <LocationMatch "/.well-known/acme-challenge/*">
    Header set Content-Type "text/plain"
  </LocationMatch>
</IfModule>
SSLCertificateChainFile /path/to/intermediate/chain.pem

That little line at the bottom was what made the difference; chain.pem (a symlink to my primary domain’s intermediate cert chain) will be updated as and when keys and site certs are updated via cron.

I post this here as my errors were a little more vague until I was able to track down the issue as an incomplete certificate chain error.

Minor Update

The default installation of Apache 2 on Ubuntu seems to include support for older, insecure ciphers. So while we’re munging config files, check your ssl.conf mod and see if you need to restrict cipher support with something like this:

#Enable only secure ciphers:
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#Default above. Possible alternative below:
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

 

Leave a Reply

Your email address will not be published.