Apache SSLCertificateChainFile SSLCACertificateFile question

Hello -

In my httpd.conf, I have the following:

```
SSLCertificateFile        /etc/letsencrypt/live/www.MYDOMAIN.com/cert.pem
SSLCertificateKeyFile     /etc/letsencrypt/live/www.MYDOMAIN.com/privkey.pem
SSLCertificateChainFile   /etc/letsencrypt/live/www.MYDOMAIN.com/chain.pem
SSLCACertificateFile      /etc/letsencrypt/live/www.MYDOMAIN.com/chain.pem
```

and in my /etc/letsencrypt/live/MYDOMAIN.com/ directory I see:


It would seem like either SSLCertificateChainFile or SSLCACertificateFile should be pointing to fullchain.pem; however, both are pointing to chain.pem.

This is probably a dumb question, but which one should point to fullchain.pem?


Please read the documentation about SSLCACertificateFile: it's used for client authentication, probably not something you actually want to do, right?

Depending on your Apache version, you may or may not need to set this directive. Again, please read the documentation.

This also depends on your Apache version. If you need to use chain.pem with the SSLCertificateChainFile directive, you won't need fullchain.pem. However, if you don't need to use chain.pem, you can use fullchain.pem without using cert.pem or chain.pem.

Also, please read the certbot documentation about what the files in /live/ actually are. For example, your statement that you'd need to use fullchain.pem in SSLCertificateChainFile is not logical if you know what the contents of fullchain.pem actually are.


If you are using:
Server version: Apache/2.4.37 (centos)
[or newer]
Then you don't need to use both of these:

SSLCertificateFile /etc/letsencrypt/live/www.MYDOMAIN.com/fullchain.pem


rg305 - so would it be this one?:

SSLCertificateFile /etc/letsencrypt/live/www.MYDOMAIN.com/fullchain.pem

```
# httpd -v
Server version: Apache/2.4.37 (centos)
Server built:   Nov 4 2020 03:20:37
```


### SSLCertificateChainFile is deprecated

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

I apologize for asking questions that are well documented. It appears my httpd.conf file has some obsolete lines.
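As an added example (not code from this thread, from Apache or from Certbot), the following POSIX shell script turns the advice above into a check: it parses the `httpd -v` banner numerically (so that 2.4.37 is correctly seen as newer than 2.4.8, which a plain string comparison would get wrong), counts how many certificate blocks a PEM bundle carries, and prints the SSL directives that fit the detected version. The 2.4.8 threshold is the one from the Apache documentation quoted above; the function names are my own, the live-directory path is the one from the thread, and the PEM files the demo creates are constructed placeholders with no real certificate data in them. SSLCACertificateFile is deliberately left out of the output, since it only matters for client authentication.

```shell
#!/bin/sh
# Added example: version-aware choice of Apache SSL directives for a Certbot /live/ directory.
# Function names are assumptions for this example; the 2.4.8 cut-off is from the Apache docs.

# Count "-----BEGIN CERTIFICATE-----" blocks in a PEM file.
# Expected for a Certbot live dir: cert.pem = 1, chain.pem = intermediates only,
# fullchain.pem = leaf + intermediates (so always more than cert.pem).
pem_cert_count() {
    [ -r "$1" ] || return 2
    # grep -c exits 1 when the count is 0 but still prints "0"; keep that output.
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Return 0 if the "httpd -v" banner ($1) is at least version $2.$3.$4, 1 if older,
# 2 if no three-part version can be found. Components are compared as integers.
apache_version_at_least() {
    ver=$(printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*|\1 \2 \3|p')
    [ -n "$ver" ] || return 2
    # Positional parameters become: major minor patch req_major req_minor req_patch
    set -- $ver "$2" "$3" "$4"
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]; return; fi
    [ "$3" -ge "$6" ]
}

# Print the directives for banner $1 and live directory $2.
# From 2.4.8 on, SSLCertificateFile loads the intermediates itself, so fullchain.pem
# is enough; older releases need cert.pem plus SSLCertificateChainFile chain.pem.
ssl_directives_for() {
    if apache_version_at_least "$1" 2 4 8; then
        printf 'SSLCertificateFile %s/fullchain.pem\n' "$2"
        printf 'SSLCertificateKeyFile %s/privkey.pem\n' "$2"
    else
        printf 'SSLCertificateFile %s/cert.pem\n' "$2"
        printf 'SSLCertificateKeyFile %s/privkey.pem\n' "$2"
        printf 'SSLCertificateChainFile %s/chain.pem\n' "$2"
    fi
}

# Write $2 placeholder certificate blocks to file $1 (constructed test data, not real certs).
make_dummy_bundle() {
    : > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' >> "$1"
        i=$((i + 1))
    done
}

# Stand-alone demo: fake live directory with the usual file layout, then the banner from the thread.
demo() {
    dir=$(mktemp -d) || return 1
    make_dummy_bundle "$dir/cert.pem" 1
    make_dummy_bundle "$dir/chain.pem" 2
    make_dummy_bundle "$dir/fullchain.pem" 3
    for f in cert chain fullchain; do
        printf '%s.pem holds %s certificate block(s)\n' "$f" "$(pem_cert_count "$dir/$f.pem")"
    done
    banner="Server version: Apache/2.4.37 (centos)"
    printf '\nSuggested directives for "%s":\n' "$banner"
    ssl_directives_for "$banner" /etc/letsencrypt/live/www.MYDOMAIN.com
    rm -rf "$dir"
}
demo
```

Run it as `sh check_ssl_directives.sh`; on a real host, replace the demo's banner with `"$(httpd -v | head -n 1)"` and point `pem_cert_count` at the actual /live/ files to confirm that fullchain.pem contains more blocks than cert.pem before switching the config over.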


I think this option has an unfortunate name, since of course the chain file is also a kind of "CA certificate file" (just not a "CA certificate file" that is used for client authentication, but client authentication isn't mentioned anywhere in the option name!).

Of course, I created the unfortunate option name --renew-by-default in Certbot, which has also caused lots of confusion for users and later got renamed to the more descriptive --force-renewal, so I can certainly sympathize with programmers not managing to convey the connotations they intended with their software option names. :crying_cat_face:


You mean that format didn't convert my hard drive into an 8-track?



hey WATCH IT - i still have one of those.

