Certificate chain incomplete

Hi there,

Using certbot to generate a certificate for andersonquigley.com, which works great.

However, doing an SSL test on SSL Labs tells me that the certificate chain is incomplete:
https://www.ssllabs.com/ssltest/analyze.html?d=andersonquigley.com

I set up the apache vhost with:
SSLCertificateFile /etc/letsencrypt/live/andersonquigley.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/andersonquigley.com/privkey.pem

fullchain contains 2 -----BEGIN/END CERTIFICATE----- certificate blocks.

Any ideas what the problem could be?

It sounds like you are using an old-ish version of Apache httpd.

Combined certificate format (fullchain.pem) support was introduced in Apache 2.4.8.

You’ll probably need to add:

SSLCertificateChainFile /etc/letsencrypt/live/andersonquigley.com/chain.pem
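
Added example (not part of the thread, and not certbot or Apache code): a shell helper that applies the 2.4.8 cut-off from the reply above to `apachectl -v` output and prints the matching vhost directives. The function names are hypothetical; the sample version string and paths are the ones quoted in this thread.

```sh
#!/bin/sh
# Extract "2.4.7" from `apachectl -v` output such as
# "Server version: Apache/2.4.7 (Ubuntu)".
httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p'
}

# Return 0 if dotted version $1 is lower than $2, comparing numerically
# field by field (so 2.4.10 is not lower than 2.4.8).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Count the certificate blocks in a PEM file. A fullchain.pem should hold
# at least two: the leaf and one intermediate.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the certificate directives for a given httpd version and certbot
# live directory, following the fix given in the thread.
vhost_directives() {
    ver=$1; live=$2
    echo "SSLCertificateFile $live/fullchain.pem"
    echo "SSLCertificateKeyFile $live/privkey.pem"
    if version_lt "$ver" 2.4.8; then
        # Before 2.4.8 httpd does not load intermediates from
        # SSLCertificateFile, so the chain is configured separately.
        echo "SSLCertificateChainFile $live/chain.pem"
    fi
}

# Version string as posted in this thread.
sample_output='Server version: Apache/2.4.7 (Ubuntu)'
vhost_directives "$(httpd_version "$sample_output")" \
    /etc/letsencrypt/live/andersonquigley.com
```

On a live host, pass `"$(apachectl -v)"` to `httpd_version` instead of the sample string.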

Thanks for the quick response.
That seems to have done it!

Weird, as I’m using Apache 2.4.7:

$ apachectl -v
Server version: Apache/2.4.7 (Ubuntu)

$ certbot --version
certbot 0.26.1


Ah yes, sorry, the version number is lower!

1 patch level higher and your version would have worked, haha.
