Posts: 17
Threads: 7
Joined: Mar 2020
Reputation:
0
Location: Scotland
I am in the process of updating an old IW app to IW15, and in doing so I have done an SSL Labs check and I am getting a B rating. I was hoping for an A; however, it is better than the 'F' I was getting before updating.
The reason for the B rating is "Certificate chain is incomplete". I am running in SA server mode. Is anyone able to advise how to fix this and get an A rating? My cert is from Sectigo, if that helps. Perhaps I have made a mistake with the certificate I have purchased?
Also while I am here, how do I prevent my app from being put in an iFrame?
Cheers for any help.
David.
Posts: 166
Threads: 17
Joined: Jun 2018
Reputation:
21
Location: US
>>With your Sectigo cert, did you have to install the
>>intermediate certificate into Windows?
I got that one backwards: I use Let's Encrypt for IW and Sectigo for code signing. With SA it's all Indy and getting your PEM certs and root certs in order; it doesn't look at what's installed in Windows. With http.sys it reads the certs from Windows. It took me about half a day to get http.sys running the first time, and it is quite simple after that. I still use SA for local debugging, then http.sys for production. After going to http.sys the response times for me were 5X - 10X faster than SA; I was shocked at the increase. And http.sys supports multiple domains on a single cert.
For "Certificate Chain incomplete" try this with OpenSSL:
openssl pkcs12 -in example.pfx -out example.pem -nodes
Posts: 143
Threads: 28
Joined: May 2018
Reputation:
12
Location: Netherlands
Hi
Normally for Indy servers like SA, the root.pem file should contain all intermediate and root certificates to validate the certificate.
Maybe your root.pem does not contain all those certificates to get a complete chain. That would explain the B-grade message.
Not sure if the order of the certificates in root.pem is important but I use
root
intermediate 1
intermediate 2
example.domain.com
-----BEGIN CERTIFICATE-----
intermediate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root
-----END CERTIFICATE-----
Using an SA server I also get an A-grade rating from SSL Labs. I didn't change the ciphers for that. I can get A+ by disabling some old ciphers used by older OSes.
Posts: 143
Threads: 28
Joined: May 2018
Reputation:
12
Location: Netherlands
Not sure what format Sectigo delivers, but you can check using information on the internet.
Use a text editor to examine the certificate file. Does it start with -----BEGIN CERTIFICATE-----? Mine did.
I had to rename my certificate to cert.pem and combined the root and intermediate certificates into the file root.pem, just with a text editor, in the format I described in my previous post.
The root and intermediate certificates are sometimes packed into a zip file called root.bundle or the like.
SSLBuddy is a tool that I haven't used in a long time.
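As an added example (not from any poster in this thread, and not IntraWeb or Indy code), this Python sketch checks whether cert.pem can be linked, by issuer and subject name, through the certificates in root.pem up to a self-signed root, which is the file layout described in the posts above. It compares names only and does not verify signatures or expiry; the function names are made up for this example.

```python
import base64, re, sys

# Only CERTIFICATE blocks are read; private keys and "Bag Attributes" text
# (as written by the openssl pkcs12 export) are ignored.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) of one X.509 certificate as raw DER bytes."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    fields = []
    for _ in range(5):                      # serial, sigAlg, issuer, validity, subject
        _, start, end = _tlv(der, pos)
        fields.append(der[start:end])
        pos = end
    return fields[4], fields[2]

def load(pem_text):
    """Decode every certificate block in a PEM file to DER, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]

def walk_chain(leaf_pem, bundle_pem):
    """Follow issuer names from the leaf through the bundle, in any file order.
    Returns (hops, complete); complete is True once a self-signed root is reached."""
    _, issuer = names(load(leaf_pem)[0])
    by_subject = dict(names(d) for d in load(bundle_pem))    # subject -> issuer
    hops = 0
    while issuer in by_subject and hops < len(by_subject):   # bound guards against loops
        hops += 1
        parent_issuer = by_subject[issuer]
        if parent_issuer == issuer:         # self-signed: top of the chain
            return hops, True
        issuer = parent_issuer
    return hops, False

if __name__ == "__main__" and len(sys.argv) == 3:            # usage: check.py cert.pem root.pem
    hops, ok = walk_chain(open(sys.argv[1]).read(), open(sys.argv[2]).read())
    print(f"{hops} bundle certificate(s) linked; chain {'complete' if ok else 'INCOMPLETE'}")
```

A result of "INCOMPLETE" with a low hop count means the certificate whose subject matches the last issuer is missing from root.pem.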
Posts: 143
Threads: 28
Joined: May 2018
Reputation:
12
Location: Netherlands
In your opening post you are talking about Sectigo. Do you use SSLBuddy for creating a self-signed certificate or for converting the Sectigo certificate for use with SA?
I am a bit confused.