ISPConfig 3.2: SSLCertificateChainFile missing after Upgrade

Discussion in 'Installation/Configuration' started by CorSch, Oct 22, 2020.

  1. CorSch

    CorSch New Member

    After Upgrading ISPConfig from 3.1.15 to 3.2 the "SSLCertificateChainFile" parameter is missing from the apache client vhosts.
    System is Running on Ubuntu 18.04 with Apache Webserver.

    Does anyone have the same issue?
    You can test via https://www.ssllabs.com/ssltest/
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Are you using a custom vhost.conf.master? Is SSL enabled? Is there a bundle cert for that domain?
     
  3. CorSch

    CorSch New Member

    Thank you for the quick response.
    My vhost.conf.master is the same as in the ISPConfig-3.2.tar.gz

    0d9c0fbac7bac0f706ffbbe6a83e9685 /usr/local/ispconfig/server/conf/vhost.conf.master
    0d9c0fbac7bac0f706ffbbe6a83e9685 ./ispconfig3_install/server/conf/vhost.conf.master

    SSL is enabled and the bundle file is present in the folder.
    I've added the "SSLCertificateChainFile" parameter config to all .vhost files manually.
     
    Last edited: Oct 25, 2020
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You should not do that, as changes will be overwritten the next time you change the config through ISPConfig.

    Is SSL enabled and is there a bundle cert present?
     
  5. CorSch

    CorSch New Member

    Yes, SSL is enabled and the bundle cert is present.

    I know that it will be overwritten, but it is at least a workaround for this issue.
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  7. CorSch

    CorSch New Member

    I'm running the most recent version of Apache2 on Ubuntu 18.04
    # apache2 -v
    Server version: Apache/2.4.29 (Ubuntu)
    Server built: 2020-08-12T21:33:2

    You can test on https://www.ssllabs.com/ssltest/
    Without the option you'll get an "Incomplete Certificate Chain" error, and the grade will be capped to "B".
    After adding the option, you will receive an "A+" rating.

    If you remove "SSLCertificateChainFile", the bundle cert has to be included in the site cert.
    "SSLCertificateChainFile is deprecated
    SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file."
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I have no errors without SSLCertificateChainFile in my vhost, A+ on ssllabs.com/ssltest. Can't test for your domain because I don't have it ;) Running Apache/2.4.38

    Have you checked that the SSL cert is correctly set up in the SSL tab?
     
  9. CorSch

    CorSch New Member

    The certificates are from "Let's Encrypt".
    But your tip got the solution for me: I had to recreate the certificates by disabling and re-enabling SSL on the admin site.

    Is there a way to Bulk Update the certs?
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You could disable Let's Encrypt/SSL for all sites through the database, run a resync under Tools -> Resync -> Websites, then enable it again, and run a resync again.
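
Added example (not part of the thread and not ISPConfig code): a Python check for the condition discussed above, an SSL vhost whose SSLCertificateFile holds only the leaf certificate and which has no SSLCertificateChainFile. It only counts PEM blocks and does not validate the chain; the sample vhosts, paths and PEM bodies are constructed, and on a live server you would pass the generated .vhost text and a real file reader such as `lambda p: open(p).read()`.

```python
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(block, name):
    """Last value of an Apache directive in a vhost block; '#' lines never match."""
    value = None
    for line in block.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            value = parts[1].strip().strip('"')
    return value

def count_certs(path, read_file):
    """Number of PEM certificates in a file; 0 if the path is unset or unreadable."""
    try:
        return len(PEM_CERT.findall(read_file(path))) if path else 0
    except (OSError, KeyError):
        return 0

def audit_vhosts(conf_text, read_file):
    """Return (ServerName, status) for each vhost that has SSLEngine on."""
    findings = []
    for _addr, body in VHOST.findall(conf_text):
        if (directive(body, "SSLEngine") or "").lower() != "on":
            continue
        in_cert = count_certs(directive(body, "SSLCertificateFile"), read_file)
        in_chain = count_certs(directive(body, "SSLCertificateChainFile"), read_file)
        if in_cert == 0:
            status = "no-certificate"
        elif in_cert > 1:
            status = "chain-in-cert-file"   # Apache >= 2.4.8: intermediates in SSLCertificateFile
        elif in_chain:
            status = "chain-via-directive"  # deprecated directive, chain is still sent
        else:
            status = "leaf-only"            # clients receive an incomplete chain
        findings.append((directive(body, "ServerName"), status))
    return findings

# Constructed sample data: not real certificates, paths or hosts.
PEM = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
SAMPLE_FILES = {"/constructed/a.example.crt": PEM, "/constructed/c.example.crt": PEM * 2,
                "/constructed/b.example.crt": PEM, "/constructed/b.example.bundle": PEM}
VH = "<VirtualHost *:443>\nServerName {0}\nSSLEngine on\nSSLCertificateFile /constructed/{0}.crt\n{1}</VirtualHost>\n"
SAMPLE_CONF = (VH.format("a.example", "") + VH.format("c.example", "")
               + VH.format("b.example", "SSLCertificateChainFile /constructed/b.example.bundle\n"))

if __name__ == "__main__":
    print(audit_vhosts(SAMPLE_CONF, SAMPLE_FILES.__getitem__))
```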
     
