Certificate chain is incomplete
#1
I am in the process of updating an old IW app to IW15 and in doing so I have done an ssl labs check and I am getting a B rating, I was hoping for an A, however it is better than the 'F' I was getting before updating.

The reason for the B rating is "Certificate chain is incomplete". I am running in SA server mode; is anyone able to advise how to fix this and get an A rating?  My cert is from Sectigo if that helps.  Perhaps I have made a mistake with the certificate I have purchased?

Also while I am here, how do I prevent my app from being put in an iFrame?

Cheers for any help.

David.
#2
I was just able to get an A+ rating on SSLLabs with my Sectigo cert but I am using http.sys not SA.  If you search this forum for 'cipher' there may be some settings that will get you to A+. 

For anyone using http.sys I disabled RC4, TLS1.0, and TLS1.1 to get the good rating using these PowerShell commands:


Code:
# Remove the two RC4 cipher suites from the Schannel cipher suite list
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_RC4_128_SHA"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_RC4_128_MD5"

# Disable TLS 1.0 for the server side of Schannel
# (Schannel reads these keys at startup, so reboot for the change to take effect)
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -PropertyType 'DWORD' -Name 'Enabled' -Value '0'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '1'

# Disable TLS 1.0 for the client side of Schannel
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -PropertyType 'DWORD' -Name 'Enabled' -Value '0'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '1'

# Disable TLS 1.1 for the server side of Schannel
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -PropertyType 'DWORD' -Name 'Enabled' -Value '0'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '1'

# Disable TLS 1.1 for the client side of Schannel
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -PropertyType 'DWORD' -Name 'Enabled' -Value '0'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '1'
#3
(11-23-2022, 06:30 PM)MJS@mjs.us Wrote: I was just able to get an A+ rating on SSLLabs with my Sectigo cert but I am using http.sys not SA.  If you search this forum for 'cipher' there may be some settings that will get you to A+.

For anyone using http.sys I disabled RC4, TLS1.0, and TLS1.1 to get the good rating using these PowerShell commands:

Thanks for this MJS, as you say this is for http.sys so I do not think it works for SA in the same way.  I was able to sort out the cipher issue by adding a limited number of ciphers into the servercontroller->cipherlist and this got rid of the SSL Labs weak cipher warning but I still have the B rating.

With your Sectigo cert, did you have to install the intermediate certificate into Windows? As I think this is what I am missing and why I get "Certificate Chain incomplete", so hoping that someone knows if it is possible in SA and how to do it.  I don't know if it is maybe simply a case of me installing it into Windows and it will work with SA, doubt it is that easy though :-)

Thanks for your help though, might be an option to go http.sys in future.  I don't know much about it though, so need to read up on it.

David.
#4
>>With your Sectigo cert, did you have to install the 
>>intermediate certificate into Windows? 

I got that one backwards, I use letsencrypt for IW and Sectigo for codesigning.  With SA it's all Indy and getting your PEM certs and root certs in order, it doesn't look at what's installed in Windows.  With http.sys it reads the certs from windows.  It took me about a half day to get http.sys running the first time and is quite simple after that.  I still use SA for local debugging then http.sys for production.  After going to http.sys the response times for me were 5X - 10X faster than SA, I was shocked at the increase.  And http.sys supports multiple domains on a single cert.

For "Certificate Chain incomplete" try this with OpenSSL:

openssl pkcs12 -in example.pfx -out example.pem -nodes
#5
Hi

Normally for Indy servers like SA, the root.pem file should contain all intermediate and root certificates to validate the certificate.
Maybe your root.pem does not contain all those certificates to get a complete chain. That would explain the B-grade message.
Not sure if the order of the certificates in root.pem is important but I use

      root
        intermediate 1
          intermediate 2
            example.domain.com

-----BEGIN CERTIFICATE-----
  intermediate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
  intermediate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
  root
-----END CERTIFICATE-----
Using a SA server I also get an A-grade rating from ssllabs. I didn't change the ciphers for that. I can get A+ by disabling some old ciphers used by older OS.
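The layout jeroen describes above (the server certificate in cert.pem, the intermediates followed by the root in root.pem) can be checked locally before running SSL Labs again. The script below is an added example written for this thread; it is not code from the forum or from Indy/IntraWeb. It assumes the openssl command-line tool is installed and that the files are named cert.pem and root.pem as in jeroen's post. It walks the bundle in order, confirming that each certificate was issued by the next one and that the bundle ends in a self-signed root, then asks openssl verify to validate the leaf cryptographically against that root with the intermediates supplied as untrusted extras. A missing intermediate, or a bundle pasted in the wrong order, fails the first check with a message naming the broken link, which is the local counterpart of what SSL Labs reports as an incomplete chain.

```shell
#!/bin/sh
# chain_check.sh (added example, not part of the thread): check that the
# leaf certificate in cert.pem and the bundle in root.pem (intermediates
# first, root last) form a complete, correctly ordered chain.
# Assumes the openssl command-line tool is installed; file names are assumptions.
set -u

# Print one name attribute of a certificate without the "subject="/"issuer=" prefix.
x509_field() {   # $1 = "subject" | "issuer", $2 = PEM file holding one certificate
  openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# Split a PEM bundle into numbered single-certificate files (01.pem, 02.pem, ...)
# inside directory $2, preserving the order in the bundle. Prints the count.
split_bundle() {   # $1 = bundle file, $2 = output directory
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%02d.pem", dir, n); inside = 1 }
    inside                        { print > out }
    /-----END CERTIFICATE-----/   { close(out); inside = 0 }
    END                           { print n + 0 }
  ' "$1"
}

# Structural check: walk leaf -> intermediates -> root, confirming that each
# certificate was issued by the next one in the bundle and that the bundle ends
# at a self-signed root. Returns 0 on success, 1 at the first broken link.
chain_order_ok() {   # $1 = leaf PEM, $2 = bundle PEM
  cdir=$(mktemp -d) || return 1
  count=$(split_bundle "$2" "$cdir")
  [ "$count" -gt 0 ] || { echo "bundle $2 contains no certificates"; rm -rf "$cdir"; return 1; }
  current="$1"
  i=1
  while [ "$i" -le "$count" ]; do
    next=$(printf '%s/%02d.pem' "$cdir" "$i")
    if [ "$(x509_field issuer "$current")" != "$(x509_field subject "$next")" ]; then
      echo "broken link: '$(x509_field subject "$current")' was not issued by certificate $i of $2"
      rm -rf "$cdir"; return 1
    fi
    current="$next"
    i=$((i + 1))
  done
  if [ "$(x509_field issuer "$current")" != "$(x509_field subject "$current")" ]; then
    echo "chain ends at '$(x509_field subject "$current")', which is not a self-signed root"
    rm -rf "$cdir"; return 1
  fi
  echo "chain OK: $count certificate(s) in $2 lead from $1 to a self-signed root"
  rm -rf "$cdir"
  return 0
}

# Cryptographic check with openssl verify: the last certificate in the bundle is
# the trust anchor, everything before it is passed as untrusted intermediates.
# Returns openssl's exit status (0 = the leaf validates).
chain_verify() {   # $1 = leaf PEM, $2 = bundle PEM
  vdir=$(mktemp -d) || return 1
  n=$(split_bundle "$2" "$vdir")
  [ "$n" -gt 0 ] || { rm -rf "$vdir"; return 1; }
  root=$(printf '%s/%02d.pem' "$vdir" "$n")
  : > "$vdir/untrusted.pem"
  j=1
  while [ "$j" -lt "$n" ]; do
    cat "$(printf '%s/%02d.pem' "$vdir" "$j")" >> "$vdir/untrusted.pem"
    j=$((j + 1))
  done
  if [ "$n" -gt 1 ]; then
    openssl verify -CAfile "$root" -untrusted "$vdir/untrusted.pem" "$1"
  else
    openssl verify -CAfile "$root" "$1"
  fi
  status=$?
  rm -rf "$vdir"
  return $status
}

# Usage: sh chain_check.sh cert.pem root.pem
if [ "$#" -eq 2 ]; then
  chain_order_ok "$1" "$2" && chain_verify "$1" "$2"
fi
```

Note that the second check alone would also pass with the bundle in reverse order, because openssl verify treats whatever ends up as the trust anchor as trusted; the structural walk is what catches a mis-ordered or truncated root.pem.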
#6
(11-24-2022, 09:08 AM)jeroen.rottink Wrote: Hi

Normally for Indy servers like SA, the root.pem file should contain all intermediate and root certificates to validate the certificate.
Maybe your root.pem does not contain all those certificates to get a complete chain. That would explain the B-grade message.
Not sure if the order of the certificates in root.pem is important but I use

      root
        intermediate 1
          intermediate 2
            example.domain.com

-----BEGIN CERTIFICATE-----
  intermediate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
  intermediate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
  root
-----END CERTIFICATE-----

Using a SA server I also get an A-grade rating from ssllabs. I didn't change the ciphers for that. I can get A+ by disabling some old ciphers used by older OS.

Oh interesting, maybe that is what I am doing wrong. I used SSLBuddy to generate the .pem file and I never saw any way to use an intermediate cert there, how did you generate yours please?

David.
#7
Not sure what format Sectigo delivers but you can check using information on the internet.
Use a text editor to examine the certificate file. Does it start with -----BEGIN CERTIFICATE-----? Mine did.

I had to rename my certificate to cert.pem and combined the root and intermediate certificates into the file root.pem. Just with a text editor in the format I described in my previous post.
The root and intermediate certificates are sometimes packed into a zipfile called root.bundle or alike.

SSLBuddy is a tool that I didn't use in a long time.
#8
(11-24-2022, 02:43 PM)jeroen.rottink Wrote: Not sure what format Sectigo delivers but you can check using information on the internet.
Use a text editor to examine the certificate file. Does it start with -----BEGIN CERTIFICATE-----? Mine did.

I had to rename my certificate to cert.pem and combined the root and intermediate certificates into the file root.pem. Just with a text editor in the format I described in my previous post.
The root and intermediate certificates are sometimes packed into a zipfile called root.bundle or alike.

SSLBuddy is a tool that I didn't use in a long time.

Oh that is interesting, might give it a try.  Currently SSLBuddy creates two files, .pem and .key, do I just need to edit the .pem file and keep the .key file as it stands?
#9
In your opening post you are talking about Sectigo. Do you use SSLBuddy for creating a self-signed certificate or to convert the Sectigo certificate for use with SA?
I am a bit confused.
#10
(11-24-2022, 09:16 PM)jeroen.rottink Wrote: In your opening post you are talking about Sectigo. Do you use SSLBuddy for creating a self-signed certificate or to convert the Sectigo certificate for use with SA?
I am a bit confused.

I use SSLBuddy to convert a Sectigo cert for installing into IntraWeb.