Opened 6 years ago
Closed 3 years ago
#4573 closed defect (fixed)
Consider using SSL_CTX_use_certificate_chain_file in module-webif-lib.c
|Reported by:||delilah23||Owned by:||WIDI RISTIANTO|
Oscam webif won't send out a complete cert chain to the browser when using SSL webif
When the issue occurs
It occurs when a cert is used that needs to send out an intermediate cert to give the browser the possibility to check the complete cert chain.
How the issue is reproducible
Use a typical intermediate-signed cert, for instance one issued by Let's Encrypt.
I attached a (trivial) patch which would solve this issue. The given pem file is searched for a complete cert chain, which is sent out to the client then.
Change History (8)
comment:1 by , 6 years ago
|Status:||new → assigned|
comment:2 by , 6 years ago
comment:3 by , 6 years ago
@xeonpj You have to use fullchain.pem (including 2 certificates in one file) - chain.pem only includes the intermediate cert, not the issued client cert itself.
comment:4 by , 6 years ago
Patch applied to oscam r11390:
Console error, SSL not working:
1993090144:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
1993090144:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:635:
comment:5 by , 5 years ago
Well, you have to
cat /etc/letsencrypt/live/<domainname>/privkey.pem > /etc/oscam/oscam.pem
cat /etc/letsencrypt/live/<domainname>/fullchain.pem >> /etc/oscam/oscam.pem
(depending on where your Oscam Config lives, /etc/oscam in my case)
This copies private key and cert chain to oscam.pem.
You have to repeat this every time certbot regenerates the certificate with a new one.
For security reasons, oscam.pem should only be readable by the oscam process.
In oscam.conf there should be a
httpcert = /etc/oscam/oscam.pem
Oscam expects cert and private key in just one file.
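The steps from comment:5 as a repeatable script, given here as an added example that is not part of the original ticket or of oscam. The function names `build_oscam_pem` and `count_pem_blocks` are hypothetical; the script refuses a leaf-only certificate file (the incomplete-chain case from this ticket) and replaces oscam.pem atomically with owner-only permissions.

```shell
#!/bin/sh
# Added example; build_oscam_pem and count_pem_blocks are hypothetical names.
# File layout (private key first, then fullchain.pem) follows comment:5.

# Print how many "-----BEGIN <label>-----" lines FILE ($1) contains.
count_pem_blocks() {
    grep -Ec -- "^-----BEGIN $2-----\$" "$1" || true
}

build_oscam_pem() {
    key=$1 chain=$2 out=$3

    [ -r "$key" ] && [ -r "$chain" ] || { echo "input not readable" >&2; return 1; }

    # Exactly one private key (PKCS#8, RSA or EC style header).
    nkeys=$(count_pem_blocks "$key" '([A-Z]+ )?PRIVATE KEY')
    [ "$nkeys" -eq 1 ] || { echo "expected 1 private key in $key, found $nkeys" >&2; return 1; }

    # Leaf plus at least one intermediate. A leaf-only file would bring
    # back the incomplete chain that browsers cannot verify.
    ncerts=$(count_pem_blocks "$chain" 'CERTIFICATE')
    [ "$ncerts" -ge 2 ] || { echo "expected leaf + intermediate in $chain, found $ncerts" >&2; return 1; }

    # mktemp creates the file with mode 600; writing there and renaming
    # means oscam never sees a half-written or world-readable key file.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    chmod 600 "$tmp" &&
        cat "$key" "$chain" > "$tmp" &&
        mv -f "$tmp" "$out" || { rm -f "$tmp"; return 1; }
}

# Usage, with the paths from comment:5 (<domainname> stays a placeholder):
# build_oscam_pem /etc/letsencrypt/live/<domainname>/privkey.pem \
#                 /etc/letsencrypt/live/<domainname>/fullchain.pem \
#                 /etc/oscam/oscam.pem
```

The resulting file is owned by whoever runs the script, so run it as the account oscam runs under or change the owner afterwards.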
comment:6 by , 5 years ago
It works!!! Thank you!!!
The patch indicated above is not necessary.
Just follow your steps and everything is right!
comment:7 by , 3 years ago
|Status:||assigned → closed|
fixed -> r11570
Hi friend, I tried to apply the patch but it still does not work with chain.pem from Let's Encrypt.