Hitch SSL chain issues with Google Chrome
Angelo Höngens
A.Hongens at netmatch.nl
Wed Oct 18 10:54:21 UTC 2017
Just do cert + chain + privkey, in that order.
--
With kind regards,
Angelo Höngens
Systems Administrator
------------------------------------------
NetMatch
travel technology solutions
Professor Donderstraat 46
5017 HL Tilburg
T: +31 (0)13 5811088
F: +31 (0)13 5821239
mailto:A.Hongens at netmatch.nl
http://www.netmatch.nl
------------------------------------------
-----Original Message-----
From: varnish-misc [mailto:varnish-misc-bounces+a.hongens=netmatch.nl at varnish-cache.org] On Behalf Of Admin Beckspaced
Sent: Wednesday, 18 October, 2017 11:59
To: varnish-misc at varnish-cache.org
Subject: Hitch SSL chain issues with Google Chrome
Hello there,
I use hitch as an SSL terminator in front of varnish.
I get my SSL certificates via letsencrypt.
This is what I get via the letsencrypt ACME client:
cert-1504079018.csr
cert-1504079018.pem
cert.csr -> cert-1504079018.csr
cert-1504079018.pem
chain-1504079018.pem
chain.pem -> chain-1504079018.pem
fullchain-1504079018.pem
fullchain.pem -> fullchain-1504079018.pem
privkey-1504079018.pem
privkey.pem -> privkey-1504079018.pem
To prepare the certificates for hitch I run a small script which merges
the certificates into 1 file:
#!/bin/bash
for d in /etc/dehydrated/certs/*; do
    if [ -d "$d" ]; then
        # echo "$d"
        cat "$d"/cert.pem "$d"/privkey.pem "$d"/chain.pem "$d"/fullchain.pem > "/etc/hitch/certs/$(basename "$d").pem"
    fi
done
Then in the hitch config I reference the .pem file:
pem-file = "/etc/hitch/certs/physiotherapie-neustadt-aisch.de.pem"
So ... if I open the website in Firefox all is fine:
https://physiotherapie-neustadt-aisch.de/
If I open it in Google Chrome it's not working.
So I did a bit of searching on Google and found out it's a chain issue, and
Chrome seems to be a bit more sensitive than Firefox.
https://www.ssllabs.com/ssltest/analyze.html?d=physiotherapie-neustadt-aisch.de
On ssllabs.com it also states chain issues, incorrect order, extra certs ...
How would I fix this? I assume it has something to do with the way I
merge the certificates into 1 .pem file.
Any help would be awesome ;)
thanks & greetings
becki
--
Beckspaced - Server Administration
------------------------------------------------
Ralf Flederer
Marienplatz 9
97353 Wiesentheid
Tel.: 09383-9033825
Mobil: 01577-7258912
Internet: www.beckspaced.com
------------------------------------------------
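The order given in the reply (cert + chain + privkey) as a rebuilt merge script, added here as an example that is not part of the original thread. The function names and the layout check are assumptions of this example; it omits fullchain.pem and refuses to install a bundle with repeated certificates.

```bash
# Added example (not from the thread): build a Hitch pem-file as cert + chain
# + privkey. fullchain.pem is left out: it repeats cert.pem and chain.pem.

# Print one line per PEM block ("CERTIFICATE", "PRIVATE KEY", ...), adding
# " DUPLICATE" for a block body already seen, and "MALFORMED" for an END line
# without a BEGIN (e.g. files joined without a trailing newline).
pem_layout() {
    awk '
        /^-----BEGIN / { kind = $0; gsub(/^-----BEGIN |-----$/, "", kind); body = ""; inblk = 1; next }
        /^-----END /   { if (!inblk) { print "MALFORMED"; next }
                         dup = (body in seen) ? " DUPLICATE" : ""
                         seen[body] = 1; inblk = 0; print kind dup; next }
        { body = body $0 }
    ' "$1"
}

# Succeed only if the bundle starts with a certificate, has no repeated or
# malformed block, and ends with its single private key.
pem_bundle_ok() {
    local layout
    layout=$(pem_layout "$1") || return 1
    [ "$(printf '%s\n' "$layout" | head -n 1)" = "CERTIFICATE" ] || return 1
    ! printf '%s\n' "$layout" | grep -Eq 'DUPLICATE|MALFORMED' || return 1
    [ "$(printf '%s\n' "$layout" | grep -c 'PRIVATE KEY')" -eq 1 ] || return 1
    printf '%s\n' "$layout" | tail -n 1 | grep -q 'PRIVATE KEY'
}

# Write cert + chain + privkey from one dehydrated directory ($1) to $2.
# mktemp creates the file with mode 0600 (the bundle holds the private key);
# a bundle that fails the check is never moved into place.
build_hitch_pem() {
    local dir="$1" out="$2" tmp
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if cat "$dir/cert.pem" "$dir/chain.pem" "$dir/privkey.pem" > "$tmp" &&
        pem_bundle_ok "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"; return 1
    fi
}

# Rebuild every bundle, e.g.: build_all /etc/dehydrated/certs /etc/hitch/certs
build_all() {
    local d rc=0
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        build_hitch_pem "$d" "$2/$(basename "$d").pem" || rc=1
    done
    return "$rc"
}
```

Running pem_layout on a bundle built in the original script's order (cert, privkey, chain, fullchain) lists the leaf and intermediate a second time, each marked DUPLICATE.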