When configuring a site to use encryption on Aegir, it adds two lines in the vhost for the SSL certificate:

    SSLCertificateFile /var/aegir/config/server_master/ssl.d/site.tld/openssl.crt
    SSLCertificateKeyFile /var/aegir/config/server_master/ssl.d/site.tld/openssl.key

With this combo, Apache doesn't know what intermediate CA file to send with the certificate. This means that certificates don't verify cleanly.

If I'm not mistaken, the certificate files get their intermediate CA appended automatically, so the fix should be simple -- to add one line in each vhost that fetches the chain certificate from the same file as the cert itself:

    SSLCertificateChainFile /var/aegir/config/server_master/ssl.d/site.tld/openssl.crt

Comments

helmo’s picture

Project: Hostmaster (Aegir) » Hosting
Issue tags: +aegir-ssl

Such a line is already being included in http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php based on the ssl_chain_cert variable.

If you add a file called 'openssl_chain.crt' next to the other certificate files it should be picked up automatically.
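One way to act on this when the intermediate really was appended to openssl.crt, as the original report assumes (an added example, not Aegir's code and not part of the thread): the script copies every certificate after the first into openssl_chain.crt, the file name mentioned above. The function names are hypothetical and the sample certificates are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Aegir code). File names are the ones from the thread.

# Print the number of PEM certificate blocks in a file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_chain DIR
# If DIR/openssl_chain.crt is missing and DIR/openssl.crt carries appended
# intermediates, copy every certificate after the first into
# openssl_chain.crt. openssl.crt itself is left untouched.
# Returns 0 = chain present or created, 1 = no intermediate, 2 = no openssl.crt.
split_chain() {
    dir=$1
    crt="$dir/openssl.crt"
    chain="$dir/openssl_chain.crt"
    [ -f "$crt" ] || { echo "no openssl.crt in $dir" >&2; return 2; }
    if [ -s "$chain" ]; then
        echo "chain file already present: $(count_certs "$chain") certificate(s)"
        return 0
    fi
    total=$(count_certs "$crt")
    if [ "$total" -lt 2 ]; then
        echo "openssl.crt holds $total certificate(s), nothing to split" >&2
        return 1
    fi
    # Emit PEM blocks 2..N only; text outside BEGIN/END markers is dropped.
    awk '/-----BEGIN CERTIFICATE-----/ { n++; inblk = 1 }
         inblk && n >= 2              { print }
         /-----END CERTIFICATE-----/   { inblk = 0 }' "$crt" > "$chain.tmp"
    mv "$chain.tmp" "$chain"
    echo "wrote $((total - 1)) certificate(s) to $chain"
}

# Constructed sample: a site directory whose openssl.crt holds a leaf plus one
# appended intermediate. The bodies are placeholders, not real certificates.
make_sample() {
    d=$(mktemp -d)
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TEVBRi1QTEFDRUhPTERFUg==' '-----END CERTIFICATE-----'
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRFLVBMQUNFSE9MREVS' '-----END CERTIFICATE-----'
    } > "$d/openssl.crt"
    echo "$d"
}

# Usage: sh split_chain.sh /var/aegir/config/server_master/ssl.d/site.tld
if [ "$#" -gt 0 ]; then split_chain "$1"; fi
```

With real certificates, `openssl verify -untrusted openssl_chain.crt openssl.crt` then confirms that the leaf validates through the extracted intermediates against the system trust store.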

  • helmo committed 5d938dc on 7.x-3.x
    Issue #2475455: Document the place for an intermediate certificate.
    
helmo’s picture

Status: Active » Fixed
anarcat’s picture

Status: Fixed » Closed (fixed)

wow, duh, okay, sorry for the noise. :)