This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1281901 - https using letsencrypt has B rating - chain incomplete
https using letsencrypt has B rating - chain incomplete
Product: OpenShift Online
Classification: Red Hat
Component: Containers (Show other bugs)
Unspecified Unspecified
unspecified Severity medium
: ---
: ---
Assigned To: Sally
DeShuai Ma
Depends On:
Blocks: 1310266
  Show dependency treegraph
Reported: 2015-11-13 13:16 EST by
Modified: 2017-05-31 14:22 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1310266 (view as bug list)
Last Closed: 2017-05-31 14:22:11 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description 2015-11-13 13:16:39 EST
Description of problem: 
I tried to add letsencrypt certificate to openshift. I uploaded cert.pem + chain.pem + priv.pem and I got https working, but with B rating and chain incomplete message. When I used only fullchain.pem + priv.pem https worked and I got A record - chain was complete. More info can be found here -

Version-Release number of selected component (if applicable): Openshift v2

How reproducible: 
Apply letsencrypt certificate to openshift v2 using cert.pem + chain.pem + priv.pem

Actual results: 
B rating and chain incomplete

Expected results:
A rating and chain complete

Additional info:
Comment 1 Miciah Dashiel Butler Masters 2015-12-01 11:54:13 EST
It is possible that the problem lies in the normalization of encoding, whitespace, etc. that the management console performs when one uploads certificates.  Do you see the same problem when you use the rhc command-line tool instead of the Web-based management console to upload the certificates?

Here is documentation on installing the rhc client tool:

Here is documentation on uploading certificates using rhc:

If you can answer the above question, that will help us narrow down whether the problem is in the management console, our httpd configuration, or possibly somewhere else.  Thanks!
Comment 2 2015-12-01 12:19:08 EST
I am missing chain parameter in rhc:

rhc alias update-cert <application_name> <domain_name> --certificate <cert_file> --private-key <key_file>
Comment 3 Sally 2016-01-05 11:48:33 EST
I believe one fix will solve this + 2 other current bzs:

Solution could be to remove the 'SSL Certificate Chain' field in the web console, and to document clearly that cert + chain should be concatenated manually (cert 1st, then chain) and uploaded in the 'SSL Certificate*' field as a 'fullchainfile.pem' OR user should upload the 'fullchain.pem' if SSL cert provider automatically concatenates the cert + chain (letsencrypt does).

This solution makes sense, especially since there is no 'SSL Certificate Chain' upload option in the rhc tool.  The rhc tool options should match the web console options, correct?
Comment 4 weiwei jiang 2016-01-31 22:07:01 EST
Checked with devenv_5760, and the Cert Chain Field has been removed.
And has prompted customers to upload a cert that put primary and intermediate certificates into a single file.
Comment 5 Eric Paris 2017-05-31 14:22:11 EDT
We apologize, however, we do not plan to address this report at this time. The majority of our active development is for the v3 version of OpenShift. If you would like for Red Hat to reconsider this decision, please reach out to your support representative. We are very sorry for any inconvenience this may cause.

Note You need to log in before you can comment on or make changes to this bug.