HTTP SSL with GoDaddy's certificate - This server's certificate chain is incomplete

Tags: https, ssl, go

In general I got 3 files from GoDaddy:

  1. main Certificate file
  2. Server Private Key
  3. Bundle file

I configured all these files in my Go server in the following way:

package main

import (
    "crypto/tls"
    "crypto/x509"
    "io/ioutil"
    "log"
    "net/http"
    "time"
)

func main() {
    var n http.Handler // the application's handler/router, built elsewhere in the original program

    // Server certificate + private key. Only what is in this file is sent to clients.
    cert, err := tls.LoadX509KeyPair("myalcoholist.pem", "myalcoholist.key")
    if err != nil {
        log.Fatalf("server: loadkeys: %s", err)
    }

    // The GoDaddy bundle is loaded into a pool used as ClientCAs, i.e. it is only consulted
    // to verify *client* certificates when ClientAuth requests them; it adds nothing to the
    // chain the server sends.
    certpool := x509.NewCertPool()
    pem, err := ioutil.ReadFile("cert/sf_bundle-g2-g1.crt")
    if err != nil {
        log.Fatalf("Failed to read client certificate authority: %v", err)
    }
    if !certpool.AppendCertsFromPEM(pem) {
        log.Fatalf("Can't parse client certificate authority")
    }
    tlsConfig := &tls.Config{
        ClientCAs:    certpool,
        Certificates: []tls.Certificate{cert},
    }

    srv := &http.Server{
        Addr:         "myalcoholist.com:443",
        Handler:      n,
        ReadTimeout:  5 * time.Second,
        WriteTimeout: 5 * time.Second,
        TLSConfig:    tlsConfig,
    }
    // Because certFile/keyFile are given here, ListenAndServeTLS loads them and replaces
    // tlsConfig.Certificates, so the earlier LoadX509KeyPair is redundant.
    if err := srv.ListenAndServeTLS("cert/myalcoholist.pem", "cert/myalcoholist.key"); err != nil {
        log.Fatal(err)
    }
}

The web server runs properly; it's currently published at https://myalcoholist.com:443.

I validated my SSL using https://www.ssllabs.com/ssltest/analyze.html?d=myalcoholist.com and its response is "This server's certificate chain is incomplete. Grade capped to B."

You can go to this link to see the full detailed result.

What am I missing?

asked Jul 03 '16 14:07 by ufk


1 Answer

Following that thread, and from the net/http ListenAndServeTLS() doc:

If the certificate is signed by a certificate authority, the certFile should be the concatenation of the server's certificate, any intermediates, and the CA's certificate.

Try and make sure your cert/myalcoholist.pem includes the CA certificates as well.

That thread used:

package main

import (
    "crypto/tls"
    "net/http"
)

func main() {
    var router http.Handler // the thread's application router, built elsewhere
    myTLSConfig := &tls.Config{
        // Cipher list kept as in the thread; note that RC4 suites are prohibited for TLS by RFC 7465.
        CipherSuites: []uint16{
            tls.TLS_RSA_WITH_RC4_128_SHA,
            tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
            tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
    }
    myTLSConfig.PreferServerCipherSuites = true
    const myWebServerListenAddress = "0.0.0.0:5555"
    myTLSWebServer := &http.Server{Addr: myWebServerListenAddress, TLSConfig: myTLSConfig, Handler: router}
    // certFile should be the server certificate followed by its intermediates, as the doc quoted above says
    if err := myTLSWebServer.ListenAndServeTLS("/home/loongson/webServerKeysV2/golangCertFile2", "/home/loongson/webServerKeysV2/adequatech.ca-comodoinstantssl-exported-privatekey-rsa-ForApache.key"); err != nil {
        panic(err)
    }
}

Compared to my previous answer, adding a cipher suite is a good idea, but again, try and see if the certificate file passed to ListenAndServeTLS works better if it includes the CAs.


Sure enough, https://www.ssllabs.com/ssltest/analyze.html?d=myalcoholist.com reports grade A, with the warning: “Chain issues: Contains anchor”.
See "SSL/TLS: How to fix “Chain issues: Contains anchor”" to remove that warning, but this is not an error:

RFC 2119: the server is allowed to include the root certificate (aka "trust anchor") in the chain, or omit it. Some servers include it

answered Sep 22 '22 07:09 by VonC
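Added example, not code from the question or the answer: a Go checker that reads a concatenated PEM certFile the way ListenAndServeTLS does (first certificate is the leaf, the rest are sent as intermediates) and reports whether a client holding only the root can complete the chain, and whether the root itself was included. The three sample files it inspects (leaf only, leaf + bundle, leaf + bundle + root) are built from a throwaway root/intermediate/leaf generated in memory, which stands in for GoDaddy's root, sf_bundle-g2-g1.crt and the site certificate; the names, the ChainReport type and the helper functions are assumptions of this example. It also shows why the question's ClientCAs pool did not help: the served chain comes only from the certificate file, while ClientCAs is consulted to verify client certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ChainReport is what a client holding only the root makes of the certFile given to ListenAndServeTLS.
type ChainReport struct {
	Complete  bool   // a path leaf -> intermediates -> root can be built from the certs in the file alone
	HasAnchor bool   // the last certificate is self-signed, i.e. the root was included ("Contains anchor")
	Problem   string // verification error when Complete is false
}

// InspectChainPEM parses a concatenated PEM file the way Go's TLS stack does (first cert is the
// leaf, the rest are sent as intermediates) and verifies the leaf against roots using only the
// intermediates present in the file; roots stands in for the client's trust store.
func InspectChainPEM(data []byte, roots *x509.CertPool) (ChainReport, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return ChainReport{}, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return ChainReport{}, errors.New("no CERTIFICATE blocks in file")
	}
	last := certs[len(certs)-1]
	r := ChainReport{HasAnchor: last.CheckSignatureFrom(last) == nil} // self-signed CA at the end
	intermediates := x509.NewCertPool()
	for _, c := range certs[1:] {
		intermediates.AddCert(c)
	}
	_, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	if err != nil {
		r.Problem = err.Error() // "certificate signed by unknown authority" when the bundle is missing
	}
	r.Complete = err == nil
	return r, nil
}

// newCert issues a certificate for cn with a fresh P-256 key; parent == nil makes it self-signed.
// Constructed test material only (it panics instead of reporting errors), standing in for
// GoDaddy's root, the sf_bundle intermediate and the site certificate.
func newCert(cn string, serial int64, ca bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key
}

// MakeTestChain builds root -> intermediate -> leaf and returns their PEM plus a pool holding only the root.
func MakeTestChain() (leafPEM, interPEM, rootPEM []byte, roots *x509.CertPool) {
	root, rootPEM, rootKey := newCert("Test Root CA", 1, true, nil, nil)
	inter, interPEM, interKey := newCert("Test Intermediate CA", 2, true, root, rootKey)
	_, leafPEM, _ = newCert("myalcoholist.com", 3, false, inter, interKey)
	roots = x509.NewCertPool()
	roots.AddCert(root)
	return
}

func main() {
	leaf, inter, root, roots := MakeTestChain()
	bundle := append(append([]byte{}, leaf...), inter...) // what concatenating the main cert and the bundle file gives
	full := append(append([]byte{}, bundle...), root...)  // the same with the root appended
	for _, f := range [][]byte{leaf, bundle, full} {
		r, err := InspectChainPEM(f, roots)
		fmt.Printf("complete=%-5v anchor=%-5v %s %v\n", r.Complete, r.HasAnchor, r.Problem, err)
	}
}
```

To check a real certFile, read it with ioutil.ReadFile and pass x509.SystemCertPool() as roots; a "certificate signed by unknown authority" result with only one certificate in the file is exactly the "chain is incomplete" that SSL Labs reports, and the fix is the concatenation the answer describes. Two caveats on the thread's config: RC4 suites are prohibited by RFC 7465, and leaving CipherSuites nil lets current Go versions choose a safe default list; appending the root only costs bytes per handshake, which is why "Contains anchor" is a note rather than an error.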