Search
Search

SSL Labs: Incorrect Order, Extra Certs

John Deverall Published at Dev
70
John Deverall

I'm getting an error "Chain issues: Incorrect order, Extra certs" from https://www.ssllabs.com/ssltest/analyze.html?d=api.quotecrunchers.com when I test the SSL for my website.

I've built the https mechanism into a spring boot application using the following:

  1. The acme4j library to communicate with the Let's Encrypt CA.

  2. Java code to write the Let's Encrypt certificate to a java keystore.

  3. Java code to cause the embedded Tomcat server to apply for a certificate from Let's Encrypt over HTTP and then restart using HTTPS once it has the certificate.

I'm planning on open sourcing this code once I've got it tidied up.

Currently though, I'm only achieving a B rating using ssllabs.com

See https://www.ssllabs.com/ssltest/analyze.html?d=api.quotecrunchers.com

There are several issues with my https, but the issue I am concerned about is where it says "Chain issues: Incorrect order, Extra certs".

Why am I getting this, and what should I be doing instead?

Any help is greatly appreciated!

Patrick Mevzek

When one connects to your site, here is what is sent by it as seen by openssl s_client:

Certificate chain
 0 s:/CN=api.quotecrunchers.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/CN=api.quotecrunchers.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

As you can see the first certificate is duplicated which is exactly the reason of the rating and error message.

When you configure a TLS server you specify typically on one end the end (server) certificate, that is one certificate, and it would appear in position 0 in a trace like above, and then you (optionnally, but very frequently) provide a potential list of chained certificates, called "intermediate" that links your end certificate to some root (CA) certificate, the CA certificate itself may be the last one in the chain or be skipped altogether.

That would have been in position 1 and later in the trace above.

But as you can see, at position 1, hence as intermediate certificate, we find again your end certificate.

This is not correct per the TLS standard so you need to change your configuration or the file containing the intermediate certificates to remove your end certificate from this spot, so that you finally manage to get:

Certificate chain
 0 s:/CN=api.quotecrunchers.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at
0

Comments

0 comments
Login to comment

Related

SSL certificate: incorrect order

Free SSL CERTS in GCE

Tornado SSL certs

Nginx load balancer SSL certs

pg_restore using ssl certs

ChromeDriver opens sites only with valid SSL certs

some SSL certs in chromium aren't working

Upsource - PKIX path SSL certs issue

Wildfly - Allow connections to SSL sites without certs

How to specify JVM SSL arguments for embedded certs?

Configure CA certs for SSL API call

How does `curl` access SSL certs in macOS?

SSL certs with AWS SSM Parameter Store

GKE Loadbalancer how to add SSL Certs

Python SSL requests and Let's Encrypt certs

SSL Certs for Plex Media Server using Letstencrypt

Adding SSL certs to NGINX docker container

How to restore my certificates at /etc/ssl/certs?

nodejs environment variable "NODE_EXTRA_CA_CERTS"

Is there anything like certbot (auto-renewal) for paid SSL certs?

SSL Handshaking Using Self-Signed Certs and SSLEngine (JSSE)

What is the recommended way to update SSL certs in a Nginx cluster behind HAProxy?

How to tell Maven to disregard SSL errors (and trusting all certs)?

what is my openssl and ssl Default CA Certs Path?

How to configure multiple SSL certs on Apache virtual host with aliases?

Does OkHttp support accepting self-signed SSL certs?

Loading certificates into ssl with certs store, not file path; with python

Jetty: How to validate SSL client certs in application code?

Dockerfile for Docker hub- including repo files (ssl certs) in commands

TOP Ranking

  1. 1

    Loopback Error: connect ECONNREFUSED 127.0.0.1:3306 (MAMP)

  2. 2

    Can't pre-populate phone number and message body in SMS link on iPhones when SMS app is not running in the background

  3. 3

    pump.io port in URL

  4. 4

    How to import an asset in swift using Bundle.main.path() in a react-native native module

  5. 5

    Failed to listen on localhost:8000 (reason: Cannot assign requested address)

  6. 6

    Spring Boot JPA PostgreSQL Web App - Internal Authentication Error

  7. 7

    Emulator wrong screen resolution in Android Studio 1.3

  8. 8

    3D Touch Peek Swipe Like Mail

  9. 9

    Double spacing in rmarkdown pdf

  10. 10

    Svchost high CPU from Microsoft.BingWeather app errors

  11. 11

    How to how increase/decrease compared to adjacent cell

  12. 12

    Using Response.Redirect with Friendly URLS in ASP.NET

  13. 13

    java.lang.NullPointerException: Cannot read the array length because "<local3>" is null

  14. 14

    BigQuery - concatenate ignoring NULL

  15. 15

    How to fix "pickle_module.load(f, **pickle_load_args) _pickle.UnpicklingError: invalid load key, '<'" using YOLOv3?

  16. 16

    ngClass error (Can't bind ngClass since it isn't a known property of div) in Angular 11.0.3

  17. 17

    Can a 32-bit antivirus program protect you from 64-bit threats

  18. 18

    Make a B+ Tree concurrent thread safe

  19. 19

    Bootstrap 5 Static Modal Still Closes when I Click Outside

  20. 20

    Vector input in shiny R and then use it

  21. 21

    Assembly definition can't resolve namespaces from external packages

HotTag

Archive