Mailing List Archive

Hitch SSL chain issues with Google Chrome
Hello there,

I use hitch as an SSL terminator in front of varnish.
I get my SSL certificates via letsencrypt.

This is what I get via the letsencrypt ACME client:

cert-1504079018.csr
cert-1504079018.pem
cert.csr -> cert-1504079018.csr
cert-1504079018.pem
chain-1504079018.pem
chain.pem -> chain-1504079018.pem
fullchain-1504079018.pem
fullchain.pem -> fullchain-1504079018.pem
privkey-1504079018.pem
privkey.pem -> privkey-1504079018.pem

To prepare the certificates for hitch I run a small script which merges
the certificates into 1 file:

#!/bin/bash

for d in /etc/dehydrated/certs/*; do
  if [ -d "$d" ]; then
    # echo "$d"
    cat "$d"/cert.pem "$d"/privkey.pem "$d"/chain.pem \
        "$d"/fullchain.pem > "/etc/hitch/certs/$(basename "$d").pem"
  fi
done

Then in the hitch config I reference the .pem file:

pem-file = "/etc/hitch/certs/physiotherapie-neustadt-aisch.de.pem"

So... if I open the website in Firefox all is fine:

https://physiotherapie-neustadt-aisch.de/

If I open it in Google Chrome it's not working.

So I did a bit of searching on Google and found out it's a chain issue, and
Chrome seems to be a bit more sensitive than Firefox:

https://www.ssllabs.com/ssltest/analyze.html?d=physiotherapie-neustadt-aisch.de

On ssllabs.com it also states chain issues: incorrect order, extra certs...

How would I fix this? I assume it has something to do with the way I
merge the certificates into 1 .pem file.

Any help would be awesome ;)

Thanks & greetings
becki


--
Beckspaced - Server Administration
------------------------------------------------
Ralf Flederer
Marienplatz 9
97353 Wiesentheid
Tel.: 09383-9033825
Mobil: 01577-7258912
Internet: www.beckspaced.com
------------------------------------------------

_______________________________________________
varnish-misc mailing list
varnish-misc@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
RE: Hitch SSL chain issues with Google Chrome
Just do cert + chain + privkey, in that order.

--

With kind regards,


Angelo Höngens

Systems Administrator

------------------------------------------
NetMatch
travel technology solutions

Professor Donderstraat 46
5017 HL Tilburg
T: +31 (0)13 5811088
F: +31 (0)13 5821239

mailto:A.Hongens@netmatch.nl
http://www.netmatch.nl
------------------------------------------
Disclaimer

This e-mail is confidential and may not be disclosed to third parties since this e-mail is only intended for the addressee and the organization the addressee represents.


-----Original Message-----
From: varnish-misc [mailto:varnish-misc-bounces+a.hongens=netmatch.nl@varnish-cache.org] On Behalf Of Admin Beckspaced
Sent: Wednesday, 18 October, 2017 11:59
To: varnish-misc@varnish-cache.org
Subject: Hitch SSL chain issues with Google Chrome

Hello there,

I use hitch as an SSL terminator in front of varnish.
I get my SSL certificates via letsencrypt

this is what i get via the letsencrypt ACME client

cert-1504079018.csr
cert-1504079018.pem
cert.csr -> cert-1504079018.csr
cert-1504079018.pem
chain-1504079018.pem
chain.pem -> chain-1504079018.pem
fullchain-1504079018.pem
fullchain.pem -> fullchain-1504079018.pem
privkey-1504079018.pem
privkey.pem -> privkey-1504079018.pem

to prepare the certificates for hitch I run a small script which merges
the certificates into 1 file

#!/bin/bash

for d in /etc/dehydrated/certs/*; do
  if [ -d "$d" ]; then
    # echo "$d"
    cat "$d"/cert.pem "$d"/privkey.pem "$d"/chain.pem
"$d"/fullchain.pem > /etc/hitch/certs/$(basename "$d").pem
  fi
done

then in hitch config I reference the .pem file

pem-file = "/etc/hitch/certs/physiotherapie-neustadt-aisch.de.pem"

so ... if i open the website in firefox all is fine

https://physiotherapie-neustadt-aisch.de/

if I open in Google Chrome it's not working.

So i did a bit of search on google and found out it's a chain issue and
chrome seems to be a bit more sensitive than firefox

https://www.ssllabs.com/ssltest/analyze.html?d=physiotherapie-neustadt-aisch.de

on ssllabs.com it also states chain issues, incorrect order, extra certs ...

how would i fix this? I assume it has something to do with the way I
merge the certificates into 1 .pem file

any help would be awesome ;)

thanks & greetings
becki


--
Beckspaced - Server Administration
------------------------------------------------
Ralf Flederer
Marienplatz 9
97353 Wiesentheid
Tel.: 09383-9033825
Mobil: 01577-7258912
Internet: www.beckspaced.com
------------------------------------------------

_______________________________________________
varnish-misc mailing list
varnish-misc@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
_______________________________________________
varnish-misc mailing list
varnish-misc@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
Re: Hitch SSL chain issues with Google Chrome
On 18.10.2017 12:54, Angelo Höngens wrote:
> Just do cert + chain + privkey, in that order.
>
Thanks ;)

Re-merging the certs in that order solved the issue.

Greetings
Becki

Re: Hitch SSL chain issues with Google Chrome
Hello,

I'm surprised that we need to keep an order when merging all the files. In my
case I concatenate like this and never get a problem:

cat /etc/letsencrypt/live/example.org/privkey.pem \
    /etc/letsencrypt/live/example.org/fullchain.pem \
    /etc/ssl/certs/dhparam.pem > /etc/hitch/example.org.pem

chmod 0600 /etc/hitch/example.org.pem

I think it was because you tried to merge both the chain and the fullchain.



*Nicolas Delmas*
http://tutoandco.colas-delmas.fr/ <colas.delmas@gmail.com>

2017-10-18 17:13 GMT+02:00 Admin Beckspaced <admin@beckspaced.com>:

Re: Hitch SSL chain issues with Google Chrome
Chain order needs to be followed per RFC. While not all browsers may care,
quite a few payment gateways do.

On Wed, Oct 18, 2017 at 11:15 AM, Nicolas Delmas <colas.delmas@gmail.com>
wrote:

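The ordering rule from Angelo's reply (cert + chain + privkey) and the "incorrect order, extra certs" findings from the original post, as an added example that is not from anyone on this thread. It assumes the dehydrated file layout shown in the first post (cert.pem, chain.pem, fullchain.pem, privkey.pem) and uses constructed placeholder PEM blocks rather than real certificates; the check compares PEM blocks as text, so it finds ordering and duplicate problems but does not verify signatures or issuer/subject links the way SSL Labs does.

```shell
#!/bin/sh
# Added example, not from the thread: merge in the order Angelo gave (cert + chain + privkey)
# and check a bundle for what SSL Labs flagged: leaf not first, and extra (duplicate) certs.
set -eu

# Correct merge for one dehydrated cert directory: leaf, then intermediates, then key.
merge_for_hitch() {   # usage: merge_for_hitch <certdir> <outfile>
  cat "$1/cert.pem" "$1/chain.pem" "$1/privkey.pem" > "$2"
  chmod 0600 "$2"     # the bundle holds the private key; keep it unreadable to others
}

# Prints "ok" or a space-separated list of problems. Compares PEM blocks as text, so it
# needs no openssl; it checks order and duplicates only, not issuer/subject links.
check_bundle() {      # usage: check_bundle <bundle.pem> <cert.pem of the leaf>
  leaf=$(awk '/^-----BEGIN CERTIFICATE-----/{f=1;next} /^-----END CERTIFICATE-----/{exit} f{b=b $0} END{print b}' "$2")
  awk -v leaf="$leaf" '
    /^-----BEGIN CERTIFICATE-----/ { incert=1; body=""; next }
    /^-----END CERTIFICATE-----/ {
      incert=0; ncert++
      if (ncert==1 && body!=leaf) bad=bad " leaf-not-first"
      if (body in seen && !dup) { dup=1; bad=bad " duplicate-cert" }
      seen[body]=1; next
    }
    /^-----BEGIN (RSA |EC )?PRIVATE KEY-----/ { nkey++; next }
    incert { body=body $0 }
    END { if (nkey!=1) bad=bad " expected-one-key"
          if (bad=="") print "ok"; else print substr(bad,2) }' "$1"
}

# Constructed stand-in for a dehydrated cert directory: placeholder text, not real PEM data.
make_fixture() {      # usage: make_fixture <dir>
  mkdir -p "$1"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' '-----END CERTIFICATE-----' > "$1/cert.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-PLACEHOLDER' '-----END CERTIFICATE-----' > "$1/chain.pem"
  cat "$1/cert.pem" "$1/chain.pem" > "$1/fullchain.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY-PLACEHOLDER' '-----END PRIVATE KEY-----' > "$1/privkey.pem"
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; D="$WORK/example.test"
make_fixture "$D"
# The original post's merge (cert + privkey + chain + fullchain) repeats the leaf and the intermediate.
cat "$D/cert.pem" "$D/privkey.pem" "$D/chain.pem" "$D/fullchain.pem" > "$WORK/original.pem"
# Intermediate before the leaf: the "incorrect order" case.
cat "$D/chain.pem" "$D/cert.pem" "$D/privkey.pem" > "$WORK/reversed.pem"
merge_for_hitch "$D" "$WORK/fixed.pem"
echo "original: $(check_bundle "$WORK/original.pem" "$D/cert.pem")"   # duplicate-cert
echo "reversed: $(check_bundle "$WORK/reversed.pem" "$D/cert.pem")"   # leaf-not-first
echo "fixed:    $(check_bundle "$WORK/fixed.pem" "$D/cert.pem")"      # ok
```

Point check_bundle at a real hitch pem-file together with its cert.pem to confirm the leaf comes first and nothing is duplicated before reloading hitch.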