Apache's deprecated SSLCertificateChainFile directive (AH02559)

Recently I've upgraded Apache from 2.2 to 2.4 and I cannot figure out how to deprecate an SSLCertificateChainFile directive.

The error:

me@jessie:~$ sudo apache2ctl configtest 
AH02559: The SSLCertificateChainFile directive (/etc/apache2/sites-enabled/https.conf:103) is deprecated, SSLCertificateFile should be used instead
Syntax OK

My current settings:

SSLCertificateFile    /etc/apache2/cert/ssl.crt
SSLCertificateKeyFile /etc/apache2/cert/ssl.key
SSLCertificateChainFile /etc/apache2/cert/sub.class1.server.sha2.ca.pem
SSLCACertificateFile /etc/apache2/cert/ca.pem

The certificate is signed by StartCOM. The manual says that the whole chain should now be in one file, specified by the SSLCertificateFile directive, but I do not know what keys, and in which order, I should concatenate into this file.


Solution 1:

Given that you're using this in your apache config:

SSLCertificateFile    /etc/apache2/cert/ssl.crt
SSLCertificateKeyFile /etc/apache2/cert/ssl.key

The /etc/apache2/cert/ssl.crt file should contain

  1. certificate of e.g. yourdomain.com
  2. certificate of first intermediate CA, signed by root CA (e.g. StartCom Class 1 Primary Intermediate Server CA)
  3. certificate of second intermediate CA, signed by first intermediate CA (if there is a second intermediate CA in your certificate chain)

You need to put all intermediate CAs' certificates in the crt file. Depending on the certificate chain of your certificate, there will be a varying number of CAs involved.

You don't even need to add the root CA, as it has to be in the trust store of any client anyway; otherwise clients will get an error page. Also, if you add it to your chain, it will just be additional overhead for establishing SSL connections, as it has to be transferred for every new SSL session. Actually, most clients will also have intermediate CA certificates installed, but some might not (e.g. mobile phones don't have many intermediate CA certificates), so I would definitely add those.

The /etc/apache2/cert/ssl.key file will stay the same; that is, it will contain the key for the certificate of yourdomain.com.

Solution 2:

Okay, I finally figured it out recently and decided to post the details in answer form.

Now StartSSL places the certificate in a zip archive when you retrieve it, and there are plenty of included archives there; one of particular interest is ApacheServer.zip, an Apache >2.4-compatible form. The files in the Apache folder are:

1_root_bundle.crt
2_myhost.tld.crt

You have to brew the SSLCertificateFile from both of these certificates, but in this order:

cat 2_myhost.tld.crt 1_root_bundle.crt > myhost.tld_combined.crt

So in the site conf it will be just:

    SSLCertificateFile    /etc/apache2/cert/myhost.tld_combined.crt
    SSLCertificateKeyFile /etc/apache2/cert/myhost.tld.key

And all will be good, even the Qualys SSL Test.

This works for StartCom StartSSL, as well as for WoSign certificates. The format is the same.
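A way to build and sanity-check the combined file that both solutions describe, as an added example that is not part of the question or either answer: it assumes the openssl command-line tool is installed, concatenates the certificates in the order Apache 2.4 expects (server certificate first, then each intermediate), and then confirms that every certificate's issuer is the subject of the one that follows it, which is the check AH02559 itself does not do for you.

```shell
#!/bin/sh
# Added example: build and verify an Apache 2.4 SSLCertificateFile bundle.
# Assumes the openssl CLI is on PATH; file names below are placeholders, not from the page.

# Concatenate PEM files into $1: the server certificate, then the intermediates,
# each signed by the one after it. A missing final newline in any input would glue
# two PEM blocks together, so one is appended when needed.
build_chain_file() {
  out=$1; shift
  for f in "$@"; do
    cat "$f"
    [ -z "$(tail -c1 "$f")" ] || echo
  done > "$out"
}

# Split a bundle ($1) into cert-01.pem, cert-02.pem, ... inside directory $2.
split_pem_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
  ' "$1"
}

# Exit 0 when $1 is ordered leaf -> intermediate(s); 1 when the chain is broken or
# reversed (e.g. 1_root_bundle.crt placed first); 2 when a block is not a certificate.
check_chain_order() {
  tmp=$(mktemp -d) || return 2
  split_pem_bundle "$1" "$tmp"
  prev_issuer=""; rc=0; i=0
  for f in "$tmp"/cert-*.pem; do
    subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253) || { rc=2; break; }
    issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253)
    subject=${subject#subject=}; issuer=${issuer#issuer=}
    i=$((i + 1))
    if [ "$i" -eq 1 ] && [ "$subject" = "$issuer" ]; then
      echo "first certificate is self-signed; the server certificate must come first" >&2
      rc=1; break
    fi
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
      echo "chain break before $f: expected '$prev_issuer', found '$subject'" >&2
      rc=1; break
    fi
    prev_issuer=$issuer
  done
  if [ "$rc" -eq 0 ] && [ "$subject" = "$issuer" ]; then
    echo "note: last certificate is self-signed (root CA); clients must already trust it, so it only adds bytes" >&2
  fi
  rm -rf "$tmp"
  return $rc
}
```

Usage: `build_chain_file myhost.tld_combined.crt 2_myhost.tld.crt 1_root_bundle.crt && check_chain_order myhost.tld_combined.crt` before pointing SSLCertificateFile at the result.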