caps all our vhost certificates to grade to B: This server's certificate chain is incomplete. Grade capped to B.
We have run each vhost’s certbot command individually: certbot --authenticator webroot --installer apache --webroot-path /srv/www/htdocs/<vhost> -d <vhost_domain> -d www.<vhost_domain>
We have examined /etc/apache2/vhosts.d/ip-based_vhosts-le-ssl.conf
Each vhost is properly configured with /etc/certbot/live/<vhost_domain>/**fullchain.pem** as the certificate
and /etc/certbot/live/<vhost_domain>/key.pem as the key.
So how can a chain be any more complete than fullchain.pem?
This is the current chain sent by your webserver for privustech.com:
```
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
```
Obviously, it’s not correct. I’m guessing somewhere in your configuration files there’s some sort of reference to this StartCom certificate. Perhaps a forgotten SSLCertificateChainFile which should have been deleted outside the virtualhosts sections?
By the way, the SSL Server test also mentioned this extra certificate
With OpenSSL: openssl s_client -connect privustech.com:443 -servername privustech.com
To be fair, Qualys actually doesn’t show the actual “chain” served by the server. It only shows the rebuilt chain (if possible) and any “extra” certificate.
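As an added example (not code from the thread or from certbot), here is a small Python checker for the two things discussed above: it parses the `Certificate chain` block that `openssl s_client` prints and verifies that each certificate's issuer matches the subject of the next certificate the server sent, and it scans an Apache configuration for `SSLCertificate*File` directives that sit outside any `<VirtualHost>` section. The sample chain is constructed from the output quoted above (the leaf `0 s:` line, absent from the quoted post, is assumed), and the sample Apache configuration with a stray `SSLCertificateChainFile` is likewise constructed to illustrate the hypothesis in the reply.

```python
import re

# Constructed sample modelled on the `openssl s_client` output quoted in the thread.
# The "0 s:" leaf line is an assumption; the quoted post starts at its "i:" line.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/CN=privustech.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
"""

# Constructed Apache config: a leftover global SSLCertificateChainFile (hypothetical path)
# plus a vhost that correctly points at certbot's fullchain.pem and privkey.pem.
SAMPLE_CONF = """\
# leftover from an earlier StartCom deployment
SSLCertificateChainFile /etc/ssl/startcom/sub.class1.server.ca.pem
<VirtualHost *:443>
    ServerName privustech.com
    SSLCertificateFile /etc/certbot/live/privustech.com/fullchain.pem
    SSLCertificateKeyFile /etc/certbot/live/privustech.com/privkey.pem
</VirtualHost>
"""


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    entries = []
    subject = None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s*i:(.*)$", line)
        if m and subject is not None:
            entries.append((subject, m.group(1).strip()))
            subject = None
    return entries


def check_chain(entries):
    """Report every place where a sent certificate's issuer is not the next sent subject.

    A chain may legitimately end at an intermediate whose issuer is a root in the
    client's trust store, so only the links between sent certificates are checked.
    """
    problems = []
    for idx in range(len(entries) - 1):
        issuer = entries[idx][1]
        next_subject = entries[idx + 1][0]
        if issuer != next_subject:
            problems.append(
                f"cert {idx} is issued by '{issuer}' but cert {idx + 1} sent next is "
                f"'{next_subject}': the intermediate is missing and this cert is an extra"
            )
    return problems


def find_cert_directives(config_text):
    """Return (line_no, directive, path, inside_vhost) for each SSLCertificate*File directive."""
    results = []
    depth = 0
    for n, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if re.match(r"<VirtualHost\b", stripped, re.I):
            depth += 1
        elif re.match(r"</VirtualHost>", stripped, re.I):
            depth -= 1
        m = re.match(
            r"(SSLCertificateChainFile|SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)",
            stripped, re.I,
        )
        if m:
            results.append((n, m.group(1), m.group(2), depth > 0))
    return results


def stray_chain_directives(config_text):
    """Return SSLCertificateChainFile directives that apply globally (outside any vhost)."""
    return [
        d for d in find_cert_directives(config_text)
        if d[1].lower() == "sslcertificatechainfile" and not d[3]
    ]


if __name__ == "__main__":
    for p in check_chain(parse_chain(SAMPLE_CHAIN)):
        print("chain problem:", p)
    for line_no, directive, path, _ in stray_chain_directives(SAMPLE_CONF):
        print(f"line {line_no}: global {directive} {path} will be appended to every vhost's chain")
```

On a live host you would feed `parse_chain` the output of `openssl s_client -connect host:443 -servername host </dev/null` and `find_cert_directives` the contents of each file under the Apache configuration directory; a global `SSLCertificateChainFile` reported by `stray_chain_directives` is exactly the kind of leftover the reply above suggests looking for.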
certbot should never delete any configuration file. It only searches for <VirtualHost> sections and copies such sections to a separate file, whose filename is the filename of the source configuration file appended with -le-ssl.conf. It shouldn’t even modify the original source configuration file on which the <VirtualHost> section was based.