I have a website that's using a Let's Encrypt SSL wildcard certificate which is working great. I now want to take this certificate and install it in another server I'm using.
My other server is running Tomcat on AWS. I've extracted the Base-64 encoded cert, private key and intermediate cert from the first server and installed them here. SSL is working but I have a small problem. If I test my site with some of the SSL testing webapps they say that "You have an invalid or missing intermediate (bundle) certificate.".
I'm not sure how to diagnose or correct the problem, although I've tried many things. I have a VirtualHost where I properly configured SSLCertificateFile and SSLCertificateKeyFile. I tried creating a SSLCertificateChainFile but that failed to even start my server because this directive is obsolete. Then I tried to concatenate the intermediate cert into my server cert (I've done this with and without the root cert). SSL will work here, but I still get the missing intermediate file problem. Looking at the error log I see nothing.
Any ideas on how to diagnose and fix this problem? I know that configuring this should be straight forward, but I can't get it to completely work.
Additional Info:
The output of running openssl looks like this:
[ec2-user@ip-172-31-9-168 ~]$ openssl s_client -connect localhost:443 -showcerts CONNECTED(00000003) depth=0 CN = *.routercheck.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = *.routercheck.com verify error:num=27:certificate not trusted verify return:1 depth=0 CN = *.routercheck.com verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/CN=*.routercheck.com i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 -----BEGIN CERTIFICATE----- MIIGHTCCBQWgAwIBAgISA9b5buv7A7jbvwsOA18kT5qXMA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA0MTYxOTE3NDJaFw0x ODA3MTUxOTE3NDJaMBwxGjAYBgNVBAMMESoucm91dGVyY2hlY2suY29tMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu4P+E9y7yU8yOFduoQBCKe7ZnWLN ISzB/0jmreFu/Y1ZhzCrs+ZOGw9P/jq+He71Bzea+wRkwbwDpQs0emEXhK5f4nLm msQ8yxB7Z3Rh+T/BJmzTgnuD2UUqBozSpue+hJcwAfBqNTo3vpyMhyIUbbAjIHtv 7jxMuXDx3eCrZVL6dD3qRUXRwAtT1Bz/ue07F4XoBagbLWAiWIiGPPdzbH/21qEf b7TsZEedbLSexldZtH4SWv3aPa02XXnzEvKsALIBDOB+aG3Z93LnWKSdnxxqUGpl +cgCUbQ8H25+uGUK7KQ2TS7OhDJRXRiHfeRbfGjPhJsVZ7DXLuvaYLCg6QIDAQAB o4IDKTCCAyUwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSBjUKUkJFTPg1HQs4lpZTD KDik9DAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcB AQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlw dC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlw dC5vcmcvMC0GA1UdEQQmMCSCESoucm91dGVyY2hlY2suY29tgg9yb3V0ZXJjaGVj ay5jb20wgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHW MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYB BQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1 cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdp dGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNl bmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1 ANt0r+7LKeyx/so+cW0s5bmquzb3hHGDx12dTze2H79kAAABYtAbJMAAAAQDAEYw RAIgBWvnf3mcCyNfcIHWNN3n5haNLpttZ5+HMpwBhvjGzj0CIGUfB/b1eE+2kNSY 2yc8iOaeje/HNYuDcgCCHP+YBwAkAHYAKTxRllTIOWW6qlD8WAfUt2+/WHopctyk wwz05UVH9HgAAAFi0Bsk4AAABAMARzBFAiBLKmEApnrAjDyLR0tnwN4lNo0VObns 8x7a7JdnyQq3XgIhAJ3/QLr+swiqa001j6CsVguTDdDgwTY3KabBwRf9w+DXMA0G CSqGSIb3DQEBCwUAA4IBAQBTLIU1rVhw+r+irfr+Cq20Nbar+OOAaMiEb/0oUBCm znnBxbntuJ/h3nJbeoW5VrLcX1xGW50jox09/t/VKhXKwJ1zhtJtdkFcImiAQsDK j/ioT5YLzxf6VVo6AG8at9ADXBdI1WfeRjrC1xA+2KmmQDTUhhPjfn6oHzDjsgPZ 20AGlXpiabQWUxibjGYHNUazs4BgPfWwHCxPPqGo2afwPX2gs54UaiJShGG6VeL6 qnpxgRjzfho8gdLazLpckPoPKoTuiUR03nJvXV1oDaMmShN+IeRxky/KqTNeKOPc MRJIKbDsau7CxCRnWjn/XJWwZSDQHhkQJ3hGLtQKjswL -----END CERTIFICATE----- --- Server certificate subject=/CN=*.routercheck.com issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 - My cert file has my server cert AND the Let's Encrypt intermediate cert in the file. My server cert is first followed by the intermediate.
I do not include the root cert because all of the documentation I found said this is unnecessary. I did try to include it, but it didn't help.
openssl s_client -connect FQDN:PORT -showcerts?