Despite its name, I'm not convinced fullchain.pem includes the CA cert, can you double check? If not, try converting/cat-ing that in.
Otherwise you should be able to use openssl to verify the combined PEM is valid (or if not, what's wrong with it), eg:
Let's assume the following values are set:
SRV_KEY=[path to server RSA key]
SRV_CERT=[path to server X509 cert]
INTER_CERT=[path to intermediate CA X509 cert]
CA_CERT=[path to CA X509 cert]
CHAIN=[path to certificate chain, eg cat $SRV_KEY $SRV_CERT $INTER_CERT $CA_CERT > $CHAIN ]
To verify the server key matches the cert (eg to avoid [Key Mismatch: public key in server certificate doesn't match public key part of PKCS1 RSA private key]), run:
openssl rsa -noout -modulus -in ${SRV_KEY} | openssl sha256
> (stdin)= 3da7dff874ae18e4529667339ada88e9ef17adb793cff6cf92f500e09af72879
openssl x509 -noout -modulus -in ${SRV_CERT} | openssl sha256
> (stdin)= 3da7dff874ae18e4529667339ada88e9ef17adb793cff6cf92f500e09af72879
And make sure the two outputs match (this will be a value other than 3da7dff... for your cert and key).
To check that the cert chain is valid, run:
openssl verify -CAfile ${CA_CERT} -untrusted ${INTER_CERT} ${CHAIN}
> ${CHAIN}: OK
To debug an invalid cert chain, grab the subject and issuer for each cert and make sure they match the next cert:
The issuer for the server cert (issuer=C = US, ST = California, O = Stu Test, CN = Stu Test Intermediate CA)...
openssl x509 -subject -issuer -noout -in ${SRV_CERT}
> subject=CN = *.stu.example.com
> issuer=C = US, ST = California, O = Stu Test, CN = Stu Test Intermediate CA
...should match the subject for the intermediate cert (subject=C = US, ST = California, O = Stu Test, CN = Stu Test Intermediate CA).
Next, the issuer (issuer=C = US, ST = California, O = Stu Test, CN = Stu Test CA) for the intermediate cert...
openssl x509 -subject -issuer -noout -in ${INTER_CERT}
> subject=C = US, ST = California, O = Stu Test, CN = Stu Test Intermediate CA
> issuer=C = US, ST = California, O = Stu Test, CN = Stu Test CA
...should match the subject for the CA cert.
openssl x509 -subject -issuer -noout -in ${CA_CERT}
> subject=C = US, ST = California, O = Stu Test, CN = Stu Test CA
> issuer=C = US, ST = California, O = Stu Test, CN = Stu Test CA
CA certs are self signed, so the subject is the issuer.