Red Hat Bugzilla – Bug 1281901
https using letsencrypt has B rating - chain incomplete
Last modified: 2017-05-31 14:22:11 EDT
Description of problem:
I tried to add letsencrypt certificate to openshift. I uploaded cert.pem + chain.pem + priv.pem and I got https working, but with B rating and chain incomplete message. When I used only fullchain.pem + priv.pem https worked and I got A record - chain was complete. More info can be found here - https://community.letsencrypt.org/t/this-servers-certificate-chain-is-incomplete-grade-capped-to-b-openshift/3665
Version-Release number of selected component (if applicable): Openshift v2
Apply letsencrypt certificate to openshift v2 using cert.pem + chain.pem + priv.pem
B rating and chain incomplete
A rating and chain complete
It is possible that the problem lies in the normalization of encoding, whitespace, etc. that the management console performs when one uploads certificates. Do you see the same problem when you use the rhc command-line tool instead of the Web-based management console to upload the certificates?
Here is documentation on installing the rhc client tool: https://developers.openshift.com/en/managing-client-tools.html
Here is documentation on uploading certificates using rhc: https://developers.openshift.com/en/managing-domains-ssl.html#_command_line_rhc
If you can answer the above question, that will help us narrow down whether the problem is in the management console, our httpd configuration, or possibly somewhere else. Thanks!
I am missing chain parameter in rhc:
rhc alias update-cert <application_name> <domain_name> --certificate <cert_file> --private-key <key_file>
I believe one fix will solve this + 2 other current bzs:
Solution could be to remove the 'SSL Certificate Chain' field in the web console, and to document clearly that cert + chain should be concatenated manually (cert 1st, then chain) and uploaded in the 'SSL Certificate*' field as a 'fullchainfile.pem' OR user should upload the 'fullchain.pem' if SSL cert provider automatically concatenates the cert + chain (letsencrypt does).
This solution makes sense, especially since there is no 'SSL Certificate Chain' upload option in the rhc tool. The rhc tool options should match the web console options, correct?
Checked with devenv_5760, and the Cert Chain Field has been removed.
And has prompted customers to upload a cert that put primary and intermediate certificates into a single file.
We apologize, however, we do not plan to address this report at this time. The majority of our active development is for the v3 version of OpenShift. If you would like for Red Hat to reconsider this decision, please reach out to your support representative. We are very sorry for any inconvenience this may cause.