SSL management is always a pain. We should check SSL certificates periodically or implement a solution that carries all management tasks for us (let’s encrypt and cert-manager, for instance). And if there is an issue with a certificate, it’s a always a subject of downtime, so we have to find a solution as quickly as possible. Furthermore, all websites should meet requirements to complete tests and get a “green” mark from mozilla observatory or ssl shopper checker, for example. In this post, we’ll discuss possible issues you may face during the ssl check: “incorrect certificate chain” or “incorrect order. contains anchor”
Please note that my setup includes azure application gateway and azure kubernetes service. The following steps are general, however, may require using different certificate formats or signature algorithms. Check your environment’s requirements beforehand.
- In my case, it was a wrong intermediate certificate provided by GoDaddy. So, I went to the godaddy site, clicked on certificate and copied intermediate certificate to cer file intermediate.cer
- Make sure you have openssl on your computer and create a new pfx that contains a certificate, private key and intermediate certificate:
openssl pkcs12 -export -out appgw-cert.pfx -inkey .\pk.key -in .\ssl.crt -certfile .\intermediate.cer
- If you have an old pfx with a valid certificate and key, do these commands:
openssl pkcs12 -in old.pfx -nocerts -nodes -out pk.key
openssl pkcs12 -in old.pfx -clcerts -nokeys -out cert.crt
openssl pkcs12 -export -out new.pfx -inkey .\pk.key -in .\cert.crt -certfile .\intermediate.cer
- Type password for the pfx, and then update azure application gateway if needed:
$appGW = Get-AzApplicationGateway -Name "ApplicationGatewayName"–
$password = ConvertTo-SecureString $passwordPlainString -AsPlainText -Force
$cert = Set-AzApplicationGatewaySslCertificate -ApplicationGateway $AppGW -Name "CertName" -CertificateFile "D:\certname.pfx" -Password $password
- Also, export pfx certificate to your personal certificate store and make sure that the correct chain is used or use ssllabs.com for already updated certificate.
- ..and finally my certificate is “green”