Dec 27 2016

Why isn’t the full certificate chain provided by my web server?

Category: Computer,LinuxTuxevara @ 18:23

Good question, simple answer though: Probably you’re still on Ubuntu 14.04 (Trusty) and thus your Apache version is too old (2.4.7) and does not provide the full certificate chain from the file specified as SSLCertificateFile. The nasty thing: It does not throw a warning nor an error; not on the console nor in the error.log.

Solution: Use the SSLCertificateChainFile option instead to point to the intermediate certificates of your CA.

But watch out when you update your server: SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

Tags: , ,