Certificates are not trusted on Firefox: ¡send full chain! (on Caddy)
Intro
As a Caddy Server user, I faced a strange error today[1].
I'm on my way to change my browser (previously Chrome and Edge) to Firefox and when trying to access some of my sites (the ones not proxied by Cloudflare) the following error appeared on Firefox:
Well, not really strange once understood and solved, but you know ;) ↩︎
Problem
Of course, if not DNS, it's certificate chain trust ;(.
If tried to connect to the server/page/domain with the echo "" | openssl s_client -showcerts -servername *****.glez.cloud -connect *****..glez.cloud:443 command, I receive the following errors:
verify error:num=20:unable to get local issuer certificate [...]
verify error:num=21:unable to verify the first certificate [...]
Verification error: unable to verify the first certificate [...]
Secure Renegotiation IS NOT supported [...]
Verify return code: 21 (unable to verify the first certificate) [...]
Solution
Although I would be the only user facing this error, these kinds of things are the ones that have to be solved when encountered. If not, the debt could be worse next time.
So, to solve this problem, we have to identify it first: the server is not sending the full certificate chain, only the leaf certificate.
To make Caddy send the full certificate, the certificate file path on the tls directive of the CaddyFile has to point not to the leaf certificate, but to the fullchain file. In case you are using Let's Encrypt, the paths will be:
Change tls /etc/letsencrypt/live/*domain*/cert.pem to tls /etc/letsencrypt/live/*domain*/fullchain.pem
Any doubts?
Do not hesitate to contact me with any questions, suggestions, complaints or clarifications you may have, I'll be happy to talk to you!