Apache serves with new and old SSL Root certificate

Milan

6/21/23, 1:10 PM

I am hosting a website at https://www.tabletop.cloud

A while back I switched from the DST Root CA X3 root certificate to the ISRG Root X1 certificate. When I access my website in every browser the SSL certificate seems to be working as normal (see below images 1 & 2)

However, I have an iPad that is refusing to use the new certificate and for some reason is receiving a recently signed version of the DST Root CA X3 certificate. (See below image 3, screenshot taken with TLS inspector app)

I've checked if the iPad accepts other websites with the ISRG Root X1 certificate, and it does so without issue.

I've also tried deleting the certificates and letting acme.sh generate new ones from scratch. (However I did not delete the configuration files in /root/.acme.sh/tabletop.cloud because I was unsure if I could do so safely)

I am really confused because I did not think that it was possible to supply different SSL certs based on platform/browser(?).

I am using:

Apache 2.4.41
acme.sh for lets encrypt certificate requests

0 + 0

ssl-certificate

apache-2.4

lets-encrypt

Bob

6/21/23, 1:44 PM

At first glance I see that you server only sends the signed server certificate and not the intermediate / chain certificate(s). That might be the reason stuff breaks. Consider using the `fullchain` version in stead of only the certificate in your Apache SSL config

Milan

6/21/23, 3:07 PM

Interesting, I noticed this on the SSL Labs test. I'll try that out thanks!

Milan

6/21/23, 3:34 PM

@Bob You're a hero this fixed the issue! If you add it as an answer I will accept it when I can!

Score:1

Server

Bob

6/22/23, 8:03 AM

Thank you for including your actual domain name. At first glance I see that you server only sends the signed server certificate and not the intermediate / chain certificate(s). That might be the reason stuff breaks.

Consider using the "fullchain" certificate bundle in your SSLcerificateFile instead of only the server certificate in your Apache SSL config, or alternatively add a SSLCertificateChainFile directive with the CA certificates that issued / signed your server certificate.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Apache serves with new and old SSL Root certificate

TH: Apache ให้บริการด้วยใบรับรอง SSL Root ทั้งเก่าและใหม่

RO: Apache servește cu certificat SSL Root nou și vechi

RU: Apache работает с новым и старым корневым сертификатом SSL

VI: Apache phục vụ với chứng chỉ SSL Root mới và cũ

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.