Bug 1310266 - https using letsencrypt has B rating - chain incomplete
Summary: https using letsencrypt has B rating - chain incomplete
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers
Version: 2.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Sally
QA Contact: DeShuai Ma
URL:
Whiteboard:
Depends On: 1281901
Blocks:
Reported: 2016-02-19 22:33 UTC by Rory Thrasher
Modified: 2016-03-22 16:54 UTC (History)
CC: 10 users

Fixed In Version: rubygem-openshift-origin-node-1.38.5.2-1.el6op rubygem-openshift-origin-console-1.35.5.1-1.el6op rubygem-openshift-origin-frontend-apache-vhost-0.13.1-1.el6op
Doc Type: Bug Fix
Doc Text:
Cause: The web console used to have an intermediate 'Certificate Chain' field. The cert files were then internally concatenated. SSL certificate providers often issue a 'fullchain.pem' file (or similar), which was confusing to users who didn't know whether to use this file or the non-concatenated files. Finally, the rhc tool for uploading SSL certs does not include a 'cert chain' option; when using the rhc tool, users have always been required to supply a concatenated cert file. Consequence: Users were getting a 'B rating' and/or 'chain incomplete' warning unless they used the 'fullchain.pem' file. Fix: Removed the SSL Certificate Chain field from the web console. Documented that the user must concatenate the SSL cert files into a single file to upload, or upload the already-concatenated file included with the SSL certificate from the SSL certificate provider. Also documented how users should manually concatenate the cert files if the SSL cert provider did not provide a concatenated file. Result: The rhc tool now matches the web console. The process for uploading SSL certs has been clarified for users.
Clone Of: 1281901
Environment:
Last Closed: 2016-03-22 16:54:58 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0489 0 normal SHIPPED_LIVE Important: Red Hat OpenShift Enterprise 2.2.9 security, bug fix, and enhancement update 2016-03-22 20:49:04 UTC

Description Rory Thrasher 2016-02-19 22:33:35 UTC
Cloning bug to enterprise for doc texts.

These 3 bugs were fixed by this change:
https://bugzilla.redhat.com/show_bug.cgi?id=1268317
https://bugzilla.redhat.com/show_bug.cgi?id=1281901
https://bugzilla.redhat.com/show_bug.cgi?id=1269637


+++ This bug was initially created as a clone of Bug #1281901 +++

Description of problem: 
I tried to add letsencrypt certificate to openshift. I uploaded cert.pem + chain.pem + priv.pem and I got https working, but with B rating and chain incomplete message. When I used only fullchain.pem + priv.pem https worked and I got A record - chain was complete. More info can be found here - https://community.letsencrypt.org/t/this-servers-certificate-chain-is-incomplete-grade-capped-to-b-openshift/3665


Version-Release number of selected component (if applicable): Openshift v2


How reproducible: 
Apply letsencrypt certificate to openshift v2 using cert.pem + chain.pem + priv.pem

Actual results: 
B rating and chain incomplete


Expected results:
A rating and chain complete


Additional info:

--- Additional comment from Miciah Dashiel Butler Masters on 2015-12-01 11:54:13 EST ---

It is possible that the problem lies in the normalization of encoding, whitespace, etc. that the management console performs when one uploads certificates.  Do you see the same problem when you use the rhc command-line tool instead of the Web-based management console to upload the certificates?

Here is documentation on installing the rhc client tool:   https://developers.openshift.com/en/managing-client-tools.html

Here is documentation on uploading certificates using rhc:   https://developers.openshift.com/en/managing-domains-ssl.html#_command_line_rhc

If you can answer the above question, that will help us narrow down whether the problem is in the management console, our httpd configuration, or possibly somewhere else.  Thanks!

--- Additional comment from lucas0033 on 2015-12-01 12:19:08 EST ---

Hi,
I am missing chain parameter in rhc:

rhc alias update-cert <application_name> <domain_name> --certificate <cert_file> --private-key <key_file>

--- Additional comment from Sally on 2016-01-05 11:48:33 EST ---

I believe one fix will solve this + 2 other current bzs:

https://bugzilla.redhat.com/show_bug.cgi?id=1269637
https://bugzilla.redhat.com/show_bug.cgi?id=1268317

Solution could be to remove the 'SSL Certificate Chain' field in the web console, and to document clearly that cert + chain should be concatenated manually (cert 1st, then chain) and uploaded in the 'SSL Certificate*' field as a 'fullchainfile.pem' OR user should upload the 'fullchain.pem' if SSL cert provider automatically concatenates the cert + chain (letsencrypt does).

This solution makes sense, especially since there is no 'SSL Certificate Chain' upload option in the rhc tool.  The rhc tool options should match the web console options, correct?
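The manual concatenation described above (server cert first, then the intermediate chain, in one file, with the private key kept separate) is easy to get wrong in a way that produces exactly the "chain incomplete" grade or, worse, leaks the key into the certificate field. The following is an added Python example, not code from this bug or from OpenShift's tooling, that builds the combined file in the right order and refuses anything that is not a CERTIFICATE block. The PEM bodies are constructed placeholders, not real certificates.

```python
import re

# Constructed sample inputs (not real certificates; the base64 bodies are placeholders).
CERT_PEM = """-----BEGIN CERTIFICATE-----
TEVBRi1DRVJUSUZJQ0FURS1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
"""
CHAIN_PEM = """-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
"""
KEY_PEM = """-----BEGIN PRIVATE KEY-----
UFJJVkFURS1LRVktUExBQ0VIT0xERVI=
-----END PRIVATE KEY-----
"""

# One PEM block: BEGIN line, body, matching END line (label must match via backreference).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, block_text) for every PEM block found in text, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def certificates_only(text, name):
    """Return the CERTIFICATE blocks in text; reject keys or anything else."""
    blocks = pem_blocks(text)
    if not blocks:
        raise ValueError(f"{name}: no PEM blocks found")
    for label, _ in blocks:
        if label != "CERTIFICATE":
            raise ValueError(
                f"{name}: unexpected {label} block; only CERTIFICATE blocks belong in the upload file"
            )
    return [block for _, block in blocks]


def build_fullchain(cert_pem, chain_pem):
    """Concatenate the server certificate followed by the intermediate(s).

    Order matters for the web server: the leaf must come first, then each
    intermediate, so that the client can walk the chain up to a trusted root.
    """
    leaf = certificates_only(cert_pem, "cert.pem")
    if len(leaf) != 1:
        raise ValueError("cert.pem must contain exactly one certificate")
    intermediates = certificates_only(chain_pem, "chain.pem")
    return "\n".join(leaf + intermediates) + "\n"


def is_upload_ready(fullchain_pem):
    """True when the file holds the leaf plus at least one intermediate and nothing else.

    A single block is the symptom behind this bug: the leaf alone is served,
    the intermediate is missing, and scanners report the chain as incomplete.
    """
    blocks = pem_blocks(fullchain_pem)
    return len(blocks) >= 2 and all(label == "CERTIFICATE" for label, _ in blocks)


if __name__ == "__main__":
    fullchain = build_fullchain(CERT_PEM, CHAIN_PEM)
    print(fullchain)
    print("upload ready:", is_upload_ready(fullchain))
```

With real files, the same ordering can be confirmed before uploading with `openssl verify -untrusted chain.pem cert.pem`, which checks that the intermediate in chain.pem actually issued the certificate in cert.pem; the script above only checks block types and order, not signatures.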

--- Additional comment from weiwei jiang on 2016-01-31 22:07:01 EST ---

Checked with devenv_5760, and the Cert Chain Field has been removed.
It also prompts customers to upload a cert that puts the primary and intermediate certificates into a single file.

Comment 4 weiwei jiang 2016-02-26 06:13:48 UTC
Checked with puddle http://etherpad.corp.redhat.com/puddle-2-2-2016-02-19, and the Certificate Chain Field has been removed.
It also prompts the user to upload a cert that concatenates the primary and intermediate certs into a single file.

Comment 6 errata-xmlrpc 2016-03-22 16:54:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-0489.html

