SSL certificate chain resolver - zakjan
https://github.com/zakjan/cert-chain-resolver

======
laurencei
Useful script.

A related post worth reading is "Getting an A+ on Qualys SSL Labs Tester" -
[https://sethvargo.com/getting-an-a-plus-on-qualys-ssl-labs-tester/](https://sethvargo.com/getting-an-a-plus-on-qualys-ssl-labs-tester/)

Previous HN discussion:
[https://news.ycombinator.com/item?id=8749931](https://news.ycombinator.com/item?id=8749931)

~~~
nadams
That is what I suspected - in order to get an "A+" you have to recompile the
web server (the article is for nginx but the same idea applies to Apache). I'm
not saying this is a difficult process - but not something I want to do on a
production system.

While distro maintainers usually do a great job of maintaining software - I
think it does highlight a certain need for another way to easily install
bleeding edge without adding a whole other repo (which could contain/override
versions of other software you may not want). You can always rpm/dpkg an
individual package - but now your version will never be updated by the
package manager, well by yum update/apt-get upgrade anyways (or even worse
overwritten).

~~~
iancarroll
No. If you force HSTS it raises an A to an A+, which requires no recompiling.

Do PPAs not fit your use case?

~~~
nadams
Upon further research it looks like recompiling may no longer be needed. I
remember a while back some feature in a newer version of Apache - however I may
be confusing that with my Ubuntu 10.04 (most of my other systems run Debian
Wheezy).

In any case - PPAs are a patch for the problem not a solution (and specific to
Ubuntu). PPAs require third-party support and if a security issue is found and
he (or they) are on vacation - your custom version of Apache is vulnerable.
It's not a big issue for something like Wine, but I would just have a warm
fuzzy feeling if the security team behind the distro supported it.

I'm even guilty of using random debs however I always check for red flags and
go with my gut feeling. I have worked with a group of Linux people who refused
to install packages I wanted from the Red-Hat community repos onto the servers
(though they would freely install packages _they_ wanted...)

------
peterwaller
I've lost count of how many times I had to try reordering the certificates I
fed to Amazon's load balancer. You get back very cryptic error messages. Which
is annoying since it could almost certainly work out the order for you...

This script looks very useful, thanks :)

~~~
zakjan
Happy to help. Can you check if it works for you? Thanks :)

------
est
SSL is hard not only because the pricing barrier, but also setup hassle like
these. Thanks OP!

~~~
Tortoise
These people will sell you a cert for US$5 per year:

[https://cheapsslsecurity.com/comodo/positivessl.html](https://cheapsslsecurity.com/comodo/positivessl.html)

If that's a barrier, I don't know what to say. Registering the domain name
probably costs twice that.

~~~
est
Well, guess what, not everyone has a credit card, and payment methods are not
available in every country.

------
jpetersonmn
I just went through this issue with my first site I've used ssl on. I thought
everything was all good until I visited the site on my phone and got cert
errors. Took me all night to figure out how to get them in the correct order,
etc... Thanks for sharing this.

------
praseodym
One thing to note is that the Qualys SSL Labs test will complain if your
server sends the (self-signed) root CA certificate, which will already be in
the end-user's trust store. This uses unnecessary bandwidth for every TLS
negotiation.

In many cases, the CA (or company you got your certificate from) will include
this root cert in the chain. With most web servers it is perfectly fine to
simply remove it, but I have seen applications where you cannot (VMware, which
wants a complete chain ending with a self-signed cert) and where you'll have
to ignore the SSL Labs warning.

~~~
zakjan
Yes, you are right, a root cert shouldn't be sent by the server. My script doesn't
append it to output, because (I hope) no intermediate certificate has an AIA
extension pointing to the root cert. If you find a counterexample, please file
an issue, I will add a check.

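The two problems discussed in this thread, ordering a bundle of certificates leaf first (peterwaller's load balancer trouble) and making sure the self-signed root is not appended even when an intermediate's AIA extension points at it (praseodym and zakjan above), can be checked in a few lines of Go. The following is an added example, not zakjan's script or any code from the linked repository. It constructs its own throwaway root, intermediate and leaf certificates (the names `Demo Root CA`, `Demo Intermediate CA`, `www.example.test` and the `ca.example.test` AIA URLs are made up for the demo), shuffles them the way a CA bundle often arrives, and then orders and verifies the chain using only the Go standard library. The ordering relies on signature checks rather than on matching subject and issuer names, which is what you want when a bundle contains cross-signed or stale copies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial numbers for the demo certificates

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
// aiaURL, if set, is written into the AIA caIssuers field that chain resolvers follow.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, aiaURL string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // leaf needs a SAN for hostname verification
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if aiaURL != "" {
		tmpl.IssuingCertificateURL = []string{aiaURL}
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// isSelfSigned reports whether c is signed by its own key, i.e. it is a root.
func isSelfSigned(c *x509.Certificate) bool { return c.CheckSignatureFrom(c) == nil }

// issuerOf returns the certificate in pool whose key actually signed c, or nil.
func issuerOf(c *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	for _, p := range pool {
		if p != c && c.CheckSignatureFrom(p) == nil {
			return p
		}
	}
	return nil
}

// OrderChain takes certificates in any order and returns them leaf first, each
// followed by its issuer. It stops before a self-signed root, so the root is never
// emitted even when the last intermediate's AIA extension points at it.
func OrderChain(certs []*x509.Certificate) ([]*x509.Certificate, error) {
	issuers := map[*x509.Certificate]bool{}
	for _, c := range certs {
		if p := issuerOf(c, certs); p != nil {
			issuers[p] = true
		}
	}
	var leaf *x509.Certificate // the one certificate that signed nothing else
	for _, c := range certs {
		if !issuers[c] && !isSelfSigned(c) {
			if leaf != nil {
				return nil, errors.New("more than one leaf certificate in input")
			}
			leaf = c
		}
	}
	if leaf == nil {
		return nil, errors.New("no leaf certificate found")
	}
	chain := []*x509.Certificate{leaf}
	for next := issuerOf(leaf, certs); next != nil && !isSelfSigned(next); next = issuerOf(next, certs) {
		chain = append(chain, next)
	}
	return chain, nil
}

// BuildDemoChain constructs root, intermediate and leaf (demo material, not real CA
// certificates) and returns them in a jumbled order together with the root.
func BuildDemoChain() ([]*x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("Demo Root CA", true, nil, nil, "")
	inter, interKey := issue("Demo Intermediate CA", true, root, rootKey, "http://ca.example.test/root.crt")
	leaf, _ := issue("www.example.test", false, inter, interKey, "http://ca.example.test/intermediate.crt")
	return []*x509.Certificate{root, leaf, inter}, root
}

// Verify validates chain for host with root as the only trust anchor.
func Verify(chain []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	jumbled, root := BuildDemoChain()
	chain, err := OrderChain(jumbled)
	check(err)
	for i, c := range chain {
		fmt.Printf("%d: %s (issuer: %s, AIA: %v)\n", i, c.Subject.CommonName, c.Issuer.CommonName, c.IssuingCertificateURL)
	}
	fmt.Println("verify:", Verify(chain, root, "www.example.test"))
}
```

Note that the intermediate here deliberately carries an AIA pointer to the root, the counterexample zakjan asks about: a resolver that follows AIA links blindly would append the root, while the stop-at-self-signed check in `OrderChain` drops it. The `Verify` call at the end is the same check a browser performs, so a chain that passes it with the root as the only trust anchor is ordered correctly and complete.
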
------
cfcf
Thank you very much for this! Added a pull request to fix some issues with
relative paths :)

~~~
zakjan
Thanks for your contribution!

