Certificate Chain Broken

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Keesings.com

I ran this command: SSL Server Test: www.keesings.com (Powered by Qualys SSL Labs)

It produced this output: See result

My web server is (include version): EC2

The operating system my web server runs on is (include version): Ubuntu14.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2

Welcome to the Let's Encrypt Community! :slightly_smiling_face:

Your server is only serving your leaf certificate. It should also be serving the E7 intermediate certificate.

2 Likes
3

Usually this means you should be using the fullchain.pem file instead of just the cert.pem file.

3 Likes
4

Yes, usually so :slight_smile:

But, their Apache is version 2.4.7 which requires this format:

SSLCertificateFile    /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

@jhixon This example is using directory and files names of an ACME Client named Certbot. What ACME Client did you use to get your cert? And, what command did you run to get the cert? Some ACME Clients automatically configure Apache but perhaps they did not use the correct format for your extremely old version.

Note that the above 3 lines were needed in your version but starting with 2.4.8 (which came out in 2014!) you use:

SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

You should also be looking to upgrade your Ubuntu and Apache. Ubuntu 14 reached end of service in 2019 and even with ESM that expired in 2024.

4 Likes
5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.