Opened 6 years ago
Closed 3 years ago
#4573 closed defect (fixed)
Consider using SSL_CTX_use_certificate_chain_file in module-webif-lib.c
Reported by: | delilah23 | Owned by: | WIDI RISTIANTO |
---|---|---|---|
Priority: | trivial | Component: | Webinterface |
Severity: | low | Keywords: | ssl |
Cc: | Sensitive: | no |
Description
Revision
11350
Issue Description
Oscam webif won't send out a complete cert chain to the browser when using SSL webif
When the issue occurs
It occurs when a cert is used that needs to send out an intermediate cert to give the browser the possibility to check the complete cert chain.
How the issue is reproducible
Use a typical intermediate signed cert, f.i. given out from Let's Encrypt.
I attached a (trivial) patch which would solve this issue. The given pem file is searched for a complete cert chain, which is sent out to the client then.
Attachments (1)
Change History (8)
by , 6 years ago
Attachment: | ssl_chain.patch added |
---|
comment:1 by , 6 years ago
Owner: | set to |
---|---|
Status: | new → assigned |
comment:2 by , 6 years ago
comment:3 by , 6 years ago
@xeonpj You have to use fullchain.pem (including 2 certificates in one file) - chain.pem does only include the intermediate cert not the issued client cert itself.
comment:4 by , 6 years ago
patch applied to oscam r11390:
error of console, SSL not working:
1993090144:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
1993090144:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:635:
path: /etc/letsencrypt/live/URL_DNS/fullchain.pem
comment:5 by , 5 years ago
Well, you have to
cat /etc/letsencrypt/live/<domainname>/privkey.pem > /etc/oscam/oscam.pem
cat /etc/letsencrypt/live/<domainname>/fullchain.pem >> /etc/oscam/oscam.pem
(depending on where your Oscam Config lives, /etc/oscam in my case)
This copies private key and cert chain to oscam.pem.
You have to repeat this, every time certbot regenerates the certificate with a new one.
For security reasons, oscam.pem should only be readable by oscam process.
In oscam.conf there should be a
httpcert = /etc/oscam/oscam.pem
Oscam expects cert and private key in just one file.
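The steps from comment:5 as a script, added here as an example and not part of the ticket or of OSCam. It goes beyond the two cat commands: the file is created with owner-only permissions, replaced atomically, and rejected if it lacks a private key (the comment:4 error) or holds fewer than two certificates. Function names, return codes and the two-certificate threshold are assumptions.

```shell
#!/bin/sh
# Added example (not OSCam code). Structural check only: it counts PEM blocks
# and does not verify that the key matches the certificate or the chain order.

# Print how many PEM blocks of the given type (an ERE) the file contains.
count_pem() {
    grep -c -E -- "^-----BEGIN $2-----" "$1" || true
}

# Return codes (assumed for this example):
# 0 = ok, 1 = no private key, 2 = fewer than two certificates,
# 3 = accessible by group/others, 4 = file not readable or not writable
check_webif_pem() {
    [ -r "$1" ] || return 4
    keys=$(count_pem "$1" '([A-Z]+ )?PRIVATE KEY')
    certs=$(count_pem "$1" 'CERTIFICATE')
    [ "$keys" -ge 1 ] || return 1    # the "Expecting: ANY PRIVATE KEY" case
    [ "$certs" -ge 2 ] || return 2   # e.g. chain.pem, which lacks the issued cert
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ] || return 3
    return 0
}

# build_webif_pem KEY FULLCHAIN OUT
# Writes key followed by chain to a temp file next to OUT (mktemp creates it
# with mode 0600), checks it, then renames it over OUT in one step.
build_webif_pem() {
    tmp=$(mktemp "$3.XXXXXX") || return 4
    cat -- "$1" "$2" > "$tmp" || { rm -f -- "$tmp"; return 4; }
    if check_webif_pem "$tmp"; then
        mv -f -- "$tmp" "$3"
    else
        st=$?; rm -f -- "$tmp"; return "$st"
    fi
}

# Call after each renewal, with <domainname> filled in:
# build_webif_pem /etc/letsencrypt/live/<domainname>/privkey.pem \
#                 /etc/letsencrypt/live/<domainname>/fullchain.pem \
#                 /etc/oscam/oscam.pem
```

Run it as the user the OSCam process runs as, so the owner-only file it creates is readable by that process.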
comment:6 by , 5 years ago
work !!! Thank you!!!
the patch indicated above is not necessary.
just follow your steps and everything is right!
Hi friend, I try to apply the patch but it still does not work chain.pem from let's encrypt.