Apache certificate chains

When I switched my main server to CentOS, described in an earlier post, one of the big pains was that I had to use CentOS 7, and there was a lot of software which had come a long way since CentOS 7, and I had to upgrade a log of things from upstream to get functionality that I had grown reliant upon.

I didn’t realize that Apache itself was one of those things that was sufficiently backwards in CentOS 7 that I would have trouble.

Ever since I move the server to CentOSdid that “upgrade”, I’ve been struggling with problems with the certificates not being honored. For the last few days I have been working pretty diligently to try to figure out this nagging problem, and today I finally figured it out. It is owing to an old Apache.

The problem manifests when a TLS connection is opened to a server on 443, and the server sends back the certificate. It is only sending back the server certificate, not any intermediate certificates in the chain. In my case there is a single intermediate issuer certificate below the root, and while the browser trusts the root, it still needs the intermediate certificate to validate the trust. But even though I have pointed the SSLCertificateFile at the letsencrypt fullchain.pem, and even though the fullchain.pem really, really truly has both the server cert and the intermediate issuer cert, only the server cert is sent. This is contrary to the whole point of the fullchain.pem, which is, of course to enable sending both to the client at the same time,

Today I found that the Apache documentation for the old (deprecated) SSLCertificateChainFile directives says:

SSLCertificateChainFile is deprecated

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

This was the hint I needed. The version of Apache that was installed with CentOS 7 was 2.4.6. Therefore, I need to add in an SSLCertificateChainFile directive pointing to the letsencrypt chain.pem file (which contains the certificate for the intermediate issuer), and change the SSLCertificateFile to point to the “naked” cert.pem file.

Once I did this, I started getting the intermediate cert, and my https connections stopped bitching about not being able to find the intermediate certificate.