CODEWITHSUNDEEP
sslnginxhttpswebserverlets-encrypt
CrAzYz_
CrAzYz_

Reputation: 48

SSL Chain Incomplete

After creating 7 SSL Certificates with Let's Encrypt, I have stumbled upon this error. I had setup all my configs correct and I scanned my whole site for SSL Vulnerabilities on [SSLLabs.com][1] and it told me that my server's certificate chain is incomplete.

The grading picture: My SSL Grading

The error: The error I got

I am running CentOS Linux release 7.2.1511 (Core) as a Reverse Proxy in NginX. And my configuration is:

# GhostAntiDDoS
server {
  listen  443 ssl;
  server_name  ghostantiddos.com *.ghostantiddos.com;
  ssl  on;
  ssl_certificate  /etc/letsencrypt/live/ghostantiddos.com/cert.pem;
  ssl_certificate_key  /etc/letsencrypt/live/ghostantiddos.com/privkey.pem;
  ssl_dhparam  /etc/ssl/certs/dhparam.pem;
  ssl_session_timeout  5m;
  ssl_prefer_server_ciphers  on;
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers  'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  add_header Strict-Transport-Security max-age=15768000;
  # Bulletin
  #limit_conn conn_limit_per_ip 10;
  #limit_req zone=req_limit_per_ip burst=5 nodelay;
  client_body_timeout 5s;
  client_header_timeout 5s;
  ....

The rest of the parts are hidden as they will expose my origin. If anyone could assist me in this, I'd be great!

Upvotes: 1

Views: 3205

Answers (1)

Tom
Tom

Reputation: 4846

Replace

certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem

by

certificate /etc/letsencrypt/live/ghostantiddos.com/fullchain.pem

then test again with https://ssllabs.com

Upvotes: 8

Related Questions