
Certificate chain issues - duplicate certificate in chain

Hello,

I installed an SSL certificate on Server 5.0.15 sitting on El Capitan. Checking the certificate confirms validity, but the chain is not OK. The server root certificate is duplicated. I opened the chain.pem file and, indeed, found the root certificate listed here, which is a redundancy since it is already in the cert.pem file.

Deleting the certificate from the chain.pem solved the problem. Here's the thing, though: After restarting the server, the root certificate pops right back into the chain.pem file! What is going on here? This is incorrect. Why is OS X doing this and how can I stop it?


Thanks!

OS X Server, 4.0.3

Posted on Nov 26, 2015 1:46 PM

8 replies

Nov 27, 2015 2:00 AM in response to aglaser

There is a set of four certificate files located in /etc/certificates:

*.key.pem is the server's private key
*.cert.pem is the server's SSL certificate
*.concat.pem is the server's SSL certificate and private key
*.chain.pem is the server's SSL certificate, any intermediate certificate(s) and the rootCA certificate

Therefore it seems your *.chain.pem is correct.


The *.cert.pem will not or should not contain your rootCA; it should only contain the server's own SSL cert.


The rootCA is popping back in to the *.concat.pem file because Apple are helpfully automatically fixing the damage you did. 😉
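The four files above are plain PEM bundles, so the duplication this thread is about can be checked mechanically rather than by eyeballing the files. The script below is an added example (not code from this thread, from Apple or from Server.app) that uses only the Python standard library: it splits a PEM bundle into CERTIFICATE blocks, decodes each to DER, fingerprints it with SHA-256 (the same value `openssl x509 -noout -fingerprint -sha256` prints for that certificate), and then reports certificates repeated inside chain.pem and the positions at which the server certificate from cert.pem reappears in chain.pem. The sample "certificates" are constructed placeholders (valid outer DER SEQUENCEs, not real X.509 certificates) so the script runs offline; the function names and the layout of the report are the example's own.

```python
"""Check /etc/certificates-style PEM bundles for duplicate certificates.

Added example, not from the thread or from Apple. Standard library only.
The sample inputs at the bottom are constructed placeholders, not real certs.
"""
import base64
import hashlib
import re

# One CERTIFICATE block; the body may span several base64 lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der_list(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in order."""
    ders = []
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        # An X.509 certificate is a DER SEQUENCE (tag 0x30); reject anything else.
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def fingerprint(der):
    """SHA-256 fingerprint in OpenSSL's colon-separated upper-case form."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def find_duplicates(ders):
    """Return [(first_index, duplicate_index), ...] for certs repeated in one bundle."""
    seen = {}
    dups = []
    for i, der in enumerate(ders):
        fp = fingerprint(der)
        if fp in seen:
            dups.append((seen[fp], i))
        else:
            seen[fp] = i
    return dups


def check_bundle_pair(cert_pem, chain_pem):
    """Compare cert.pem against chain.pem as laid out in /etc/certificates."""
    cert = pem_to_der_list(cert_pem)
    chain = pem_to_der_list(chain_pem)
    chain_fps = [fingerprint(d) for d in chain]
    server_fp = fingerprint(cert[0]) if cert else None
    return {
        "cert_count": len(cert),
        "chain_count": len(chain),
        "chain_duplicates": find_duplicates(chain),
        # positions in chain.pem at which the server cert from cert.pem appears
        "server_cert_in_chain": [i for i, fp in enumerate(chain_fps) if fp == server_fp],
    }


def _fake_cert(label):
    """Constructed placeholder: a DER SEQUENCE wrapping a label. Not a real X.509 cert."""
    payload = label.encode()
    der = bytes([0x30, len(payload)]) + payload
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SERVER, INTERMEDIATE, ROOT = (_fake_cert(n) for n in ("server", "intermediate", "root"))
SAMPLE_CERT_PEM = SERVER
# chain.pem as the thread describes it: server cert, intermediate, root, with the
# root present a second time at the end (the "duplicate certificate in chain").
SAMPLE_CHAIN_PEM = SERVER + INTERMEDIATE + ROOT + ROOT

if __name__ == "__main__":
    for key, value in check_bundle_pair(SAMPLE_CERT_PEM, SAMPLE_CHAIN_PEM).items():
        print(f"{key}: {value}")
```

Run it against the real files with `check_bundle_pair(open(".../x.cert.pem").read(), open(".../x.chain.pem").read())`; an empty `chain_duplicates` list and a `server_cert_in_chain` of `[0]` is the layout the reply above describes as correct, while any other entry in `chain_duplicates` points at a genuinely repeated certificate. Because the fingerprint is taken over the DER bytes, two PEM copies of the same certificate match even if their line wrapping differs.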

Nov 27, 2015 6:49 AM in response to John Lockwood

My bad...


I meant that the server SSL is duplicated. It's both in the .cert.pem and *.chain.pem files.

I see that you say that it should be in both. However, doing so leads to an error when the SSL certificate is checked. In the brief time after I edit it out, the error goes away, but then the system puts the server SSL right back and the error returns.


Thanks for your reply.

Nov 27, 2015 6:54 AM in response to aglaser

Where are you seeing this error? It definitely needs its own SSL cert in the chain file. The chain file is supposed to contain the entire 'chain' of certs from root to server inclusive.


All the OS X servers I have set up have had the server's own SSL cert in the chain and had no problems. For example, visiting a website on such a server does not generate an error, and Safari shows it is happy with the certs provided by the server for those websites.

Nov 27, 2015 7:24 AM in response to aglaser

OK, I looked at the last article and see what he says and how this matches your experience. I can certainly understand what he is saying and agree with much of it, in that yes, it would seem overkill on Apple's part. However, as he, you, and I have all found, this is the way Apple does it; it also does not seem to cause anything to fail even if it is unnecessary overkill.


I would say that rather than trying to fix something Apple will currently unfix immediately, and something that does not seem to out and out break anything, your best bet is to leave it be and instead report it as an issue to Apple. There are two ways you can report it to Apple. If you have a bug-reporting account, either via a Developer account or a beta-testing account, that would be the best option; if not, then there is the public feedback page here: http://www.apple.com/feedback/server.html


Believe me, compared to some Apple issues this is small beer. As an example, at one time Server.app would actually sometimes completely fail to create one of those four .pem files, and this left it completely broken. There are also plenty of other known issues Apple have yet to fix, particularly with regards to network home directories. Apple are still also behind the curve with regards to things like TLS 1.2 for SSL.

Dec 10, 2015 2:27 PM in response to aglaser

Hello,


The files in /etc/certificates are not the primary representation of your certificates; they exist there to make them available to open source Server components that do not interact with the keychain. The primary representation of certs and keys is inside the keychain, which is where they land after you import them using Server.


Assuming you still have the original cert files provided by Comodo, try deleting the problem cert using Server, then fix the file(s) by removing the redundant root cert, then import the fixed files into Server.


Hope this helps,

-dre

Dec 16, 2015 9:16 PM in response to John Lockwood

Hi,

same issue here.

Refer to the post on Dec 17, 2015 2:58 PM by Twistan.

Issue persists after upgrading from Server 5.0.15 / 10.10.5 to 10.11.2.


If anybody knows where the keychain source files reside that Server obviously uses to rebuild the /etc/certificates directory please let us know.

Even better, if someone had found a fix meanwhile.

Regards,

Twistan

Mar 11, 2016 8:24 AM in response to Twistan

+1

This issue is crazy. I have been using DigiCert certificates for years and have always needed to update /etc/apache2/sites/0000_any443 etc. with the path to the ChainFile manually added into /etc/certificates.


Now I can't find out in which file to modify the above-mentioned path. I presume this is Apple making Server.app more independent of the OS version. But it is really annoying that they move things without commenting in the old location where the new location is.
