
Let's Encrypt ssl certificate send twice in TLS handshake

When making a Wireshark trace to check whether my Let's Encrypt certificate is correctly offered by our server, I see that the same certificate is being sent twice in the TLS handshake, at 'Server Hello Done'.

How can this occur? How do I correct it?


The certificate details are exactly the same both times:


Extra info requested: I traced this with Wireshark by visiting an HTTPS page of my Apache web server (CentOS Linux release 7.4.1708 (Core)) with my Chrome browser on a Fedora 25 client.

VirtualHost config:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem

Don't know if it matters, but I also have a second VirtualHost with a different Let's Encrypt certificate:

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/letsencrypt/live/my2.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my2.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my2.domain.tld/fullchain.pem

The Problem

This is caused by simultaneous config of SSLCertificateFile along with SSLCertificateChainFile.

From the mod_ssl documentation (Emphasis mine):

This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.

But if you check your fullchain.pem , you'll see that it includes the server certificate at the top, followed by the Let's Encrypt issuing CA. Apache is delivering the contents of SSLCertificateFile with the SSLCertificateChainFile concatenated after it. Since your server's certificate appears in both of them, it's duplicated in the final chain seen in the SSL handshake, just like you observed in Wireshark:

   vhost.conf                   Sent To Client 
+---------------+            +------------------+
|   cert.pem    |----------> |Server Certificate|
|               |            |        +         |
|       +       |      +---> |Server Certificate|
|               |      |     |        +         |
| fullchain.pem |----------> | CA Certificate   |
+---------------+            +------------------+

The Fix

In modern Apache, don't use the SSLCertificateChainFile directive anymore, and give fullchain.pem directly to SSLCertificateFile.

Again, from the mod_ssl documentation:

SSLCertificateChainFile is deprecated

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

So all you should need to do is change your vhost configuration from this:

SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem

To this:

SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
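Added example, not code from the question or the answer: a small Python model of how mod_ssl assembles the chain it sends from the two directives, using constructed PEM stand-ins for cert.pem and fullchain.pem (real files contain base64 DER). It shows the duplicated leaf the broken vhost produces and its absence with the fixed one; the FILES mapping stands in for the live directory.

```python
import hashlib
import re

# Constructed stand-in PEM blocks; real files hold base64-encoded DER.
LEAF = "-----BEGIN CERTIFICATE-----\nLEAF my.domain.tld\n-----END CERTIFICATE-----\n"
ISSUER = "-----BEGIN CERTIFICATE-----\nINTERMEDIATE Let's Encrypt\n-----END CERTIFICATE-----\n"

# What certbot writes into the live directory: cert.pem holds only the leaf,
# fullchain.pem holds the leaf followed by the issuing CA certificate.
FILES = {
    "cert.pem": LEAF,
    "fullchain.pem": LEAF + ISSUER,
}

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """SHA-256 of each PEM block, so identical certificates compare equal
    the same way they do in the Wireshark certificate details."""
    return [hashlib.sha256(b.encode()).hexdigest() for b in PEM_BLOCK.findall(pem_text)]


def served_chain(vhost):
    """Model the chain mod_ssl sends: everything in SSLCertificateFile first,
    then everything in SSLCertificateChainFile appended after it (if set)."""
    chain = fingerprints(FILES[vhost["SSLCertificateFile"]])
    if "SSLCertificateChainFile" in vhost:
        chain += fingerprints(FILES[vhost["SSLCertificateChainFile"]])
    return chain


def duplicate_count(chain):
    """Number of certificates that appear more than once in the sent chain."""
    return len(chain) - len(set(chain))


# The vhost from the question versus the vhost after applying the fix.
BROKEN_VHOST = {"SSLCertificateFile": "cert.pem", "SSLCertificateChainFile": "fullchain.pem"}
FIXED_VHOST = {"SSLCertificateFile": "fullchain.pem"}

if __name__ == "__main__":
    for name, vhost in (("broken", BROKEN_VHOST), ("fixed", FIXED_VHOST)):
        chain = served_chain(vhost)
        print(f"{name}: {len(chain)} certs sent, {duplicate_count(chain)} duplicate(s)")
```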
