Certbot creates cert.pem without intermediate certificate

My domain is:

I ran this:
I use certbot to renew certificate for mail server. I installed certbot, and for a first sight the renewing of certificate works, but not all applications accepts certificate after renewal and show old certificate (e.g. Mozilla Thunderbird, Apple Mail). If we try to check certificate with SSL Server Test (Powered by Qualys SSL Labs), it will say OK.

It produced this output:

The problem is that cerbot includes in file cert.pem only first intermediate certificate, but not second. in file (in fullchain there are a chain of 3 certificates). So I have to manually add second certificate in file cert.pem to make things work.

Could you please answer, how to automatically include 2 certificates in cert.pem with cerbot? Thank you!

My web server is (include version):

The operating system my web server runs on is (include version): SMP Debian 4.19.146-1 (2020-09-17) x86_64

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

cert.pem is just leaf certificate, fullchain.pem is what you are looking for


Indeed I have to manually copy the second intermediate certificate from fullchain to cert.pem. Without it Thunderbird will not work.

chain.pem = just intermediates
cert.pem = leaf certifiate
fullchain.pem = leaf+intermediates

you just handcrafted fullchain.pem by hand :stuck_out_tongue:


Yes, there are 3 files you've mentioned. To make things work:

  • Fullcain contains 3 certificates,
  • chain.pem should contain 2st and 3rd certificates from fullchain,
  • cert.pem should contain 1st and 2nd certificates from fullchain

But if cert.pem on server contains only one certificate, it will not work for e-mail clients.

What should I do to make it automatic during renewal process?

if you want to use short chain ask it by

--preferred-chain "ISRG Root X1"

option, it will remove isrg x1 signed-by dst x3 from the chain and fullchain file


No. Cert.pem always contains one certificate. Fullchain contains N certificates, and Chain contains N-1.

N can vary according to what @orangepizza said.

Fullchain is literally cat chain.pem cert.pem



Why Thunderbird and Apple Mail won't accept this? Thunderbird shows expired previous certificate.

Because they need the rest of the chain, to link your certificate to a trust anchor.

At the very least you need to send your leaf certificate and the first intermediate (which is chain.pem if you use --preferred-chain as above)

If you don't use --preferred-chain you will get the current default chain.pem, which includes two intermediates, which is fine too.

But either case you have to send either cert and chain or just fullchain.

What is the server software you're trying to configure?


Edit: Turns out it's a bundled solution that does have postfix in it, but manually changing just the postfix conf may damage things, this post of mine may be disregarded?

If it's postfix: it requires having a privkey and a chain in a single file, I'm having this bit in my deploy hook to get such a file:

cd "$RENEWED_LINEAGE" || exit 1
cat privkey.pem fullchain.pem >fullbundle.pem

I use iRedMail (on nginx, postfix, dovecot etc)


  • RHEL/CentOS:
mv /etc/pki/tls/certs/iRedMail.crt{,.bak}       # Backup. Rename iRedMail.crt to iRedMail.crt.bak
mv /etc/pki/tls/private/iRedMail.key{,.bak}     # Backup. Rename iRedMail.key to iRedMail.key.bak
cp fullchain.pem /etc/pki/tls/certs/iRedMail.crt
cp privkey.pem /etc/pki/tls/private/iRedMail.key
  • Debian/Ubuntu, FreeBSD and OpenBSD:
mv /etc/ssl/certs/iRedMail.crt{,.bak}       # Backup. Rename iRedMail.crt to iRedMail.crt.bak
mv /etc/ssl/private/iRedMail.key{,.bak}     # Backup. Rename iRedMail.key to iRedMail.key.bak
cp fullchain.pem /etc/ssl/certs/iRedMail.crt
cp privkey.pem /etc/ssl/private/iRedMail.key

No, it doesn't


The preferred solution for Postfix is having both private key and full chain in one file, only because then one can update the file atomically, avoiding having processes during the time that a certificate is being renewed which load one key but a different certificate. But you can configure postfix with them in different files just fine.


Well, maybe so. But the docs sugest

With Postfix ≥ 3.4 the preferred way to configure server keys and certificates is via the "smtpd_tls_chain_files" parameter.

Edit: @petercooperjr beat me by a few seconds :stuck_out_tongue_winking_eye:


Ok. What a mess. Somebody should probably open an issue with the generator.


but he's using a bundle for smtp/imap and (possibly webmail) editing postfix setting directly would be like edition apache config in a cpanel server: while it can it won't go well


Thank you! Unfortunately some guys use Apple Mail with similar problem

About Use a bought SSL certificate.
I believe "cp fullchain.pem /etc/ssl/certs/iRedMail.crt
cp privkey.pem /etc/ssl/private/iRedMail.key" are not used.
files in /etc/ssl/private/*** are used:

1 Like

I am not sure I like what I read here, but I suppose it works



I'm not sure what I'm failing to do in this doc Request a free cert from Let's Encrypt
because all works except what I mentioned.