How to force Apache 2.2 to send the full certificate chain?

You are on the right track.

SSLCertificateFile server.crt      >> Your public certificate
SSLCertificateKeyFile server.key   >> Your private key
SSLCertificateChainFile chain.crt  >> List of intermediate certificates;
                                 in your case, only one - GoDaddy intermediate CA

Check your server configuration with a tool like SSL Labs to determine if you are sending the correct intermediate certificate.


In case anyone has similar issues in the future:

In my case where one server didn't send a configured intermediate certificate (but other servers did) - it appeared to be an issue with line endings in the certificate file. Apparently Apache releases prior to 2019 can be rather picky - accepting only certificates with lines ending with new line (NL, char 10, Unix line endings), and silently ignoring certificate with lines ending with carriage return, new line (CR+NL, chars 13 and 10, Windows line endings), or carriage return only (CR, char 13, Mac OS <10).

My intermediate cert had the CR line endings (very odd in this day and age) - converting it to NL endings using a text editor fixed it up, and Apache now sends the intermediate certificate correctly.


You can also use the SSLCACertificatePath directive and put the original .crt files into the directory specified. However, you also have to create hash symlinks to them. This is done with the c_rehash tool, which is part of openssl. For example,

sudo c_rehash /etc/apache2/ssl/certs

However, note that there are two hash algorithms in use. The new one was introduced with openssl 1.0 and it's necessary to re-run c_rehash after upgrading openssl to 1.0 or later. This will create both old-style and new-style symlinks.

If you don't do this, openssl (and therefore apache) won't be able to find the intermediate certificates and so they won't be sent to the client. I spent a frustrating few hours debugging SSL errors after upgrading an Ubuntu server from Lucid to Precise, which had included an upgrade of openssl from 0.9.8 to 1.0.1. I searched but couldn't find any clues on the web about what was going wrong, so had to figure it out myself.

For the record, we weren't getting errors in the browser because it has a bigger set of roots and one of our intermediate certificates must have been in that set. The problem only showed up when using openssl-based command-line programs such as wget, curl and openssl s_client.