Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
ingest.wmssfm.com
I ran this command:
https://www.ssllabs.com/ssltest/analyze.html?d=ingest.wmssfm.com
It produced this output:
Chain issues Incorrect order, Extra certs
My web server is (include version):
Apache, 2.4.62
The operating system my web server runs on is (include version):
Debian Linux 12 Bookworm
My hosting provider, if applicable, is:
None - Self-hosted
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 3.0.1
In my SSL configuration for the site, I have the following:
<VirtualHost *:443>
    SSLEngine on
    ServerName ingest.wmssfm.com
    ServerAlias nextcloud.wmssfm.com
    SSLCertificateKeyFile /etc/letsencrypt/live/ingest.wmssfm.com/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/ingest.wmssfm.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/ingest.wmssfm.com/fullchain.pem
    # enable HTTP/2, if available
    Protocols h2 http/1.1
    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"
    Alias / "/var/www/nextcloud/"
    <Directory /var/www/nextcloud>
        Require all granted
        AllowOverride All
        Options Indexes FollowSymLinks
        Satisfy Any
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
    </Directory>
</VirtualHost>
# intermediate configuration
SSLProtocol TLSv1.2 TLSv1.3
SSLOpenSSLConfCmd Curves X25519:prime256v1:secp384r1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
SSLSessionTickets off
When I use the SSL Labs test or the Namecheap SSL checker, I see an extra certificate in the chain, which is flagged as a chain issue.
I see the ingest.wmssfm.com certificate, followed by an ingest.wmssfm.com certificate, followed by the E6 certificate.
What is the second certificate? Is there something I can look at or change to fix the issue?
My original issue was sometimes seeing an error about not being able to get the issuer of the certificate. Found another post in the forum about that, which led me to note the fullchain.pem was not called out in my SSL configuration for the site. Fixed that, and now I have this.
If it matters, I am using certbot to do the HTTP challenge instead of the DNS challenge, as I cannot access my hosting provider DNS to create the challenge record. I just learned of ACME-DNS, and will have to see about giving that a try. I would need to figure out the firewall routing, though, for an external query to that server as I only have a limited number of public static addresses, and they are all in use already.
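Why the configuration above can serve the leaf certificate twice, as an added example that is not part of the original post. It assumes a simplified model in which Apache sends the certificates from SSLCertificateFile followed by those from SSLCertificateChainFile, and that certbot's fullchain.pem is cert.pem followed by chain.pem. The PEM blocks are constructed stand-ins and the function names are hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate in a PEM bundle, in file order."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]

def served_chain(cert_file_pem, chain_file_pem=""):
    """Simplified model (assumption): certificates from SSLCertificateFile
    are sent first, then those from SSLCertificateChainFile."""
    return pem_fingerprints(cert_file_pem) + pem_fingerprints(chain_file_pem)

def duplicate_positions(chain):
    """0-based positions in the chain that repeat an earlier certificate."""
    seen = set()
    dups = []
    for i, fp in enumerate(chain):
        if fp in seen:
            dups.append(i)
        seen.add(fp)
    return dups

def fake_pem(label):
    """Constructed stand-in: a PEM block wrapping a label, not real DER."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample files mirroring certbot's layout:
# fullchain.pem = cert.pem + chain.pem
CERT_PEM = fake_pem("leaf: ingest.wmssfm.com")
CHAIN_PEM = fake_pem("intermediate: E6")
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM

if __name__ == "__main__":
    layouts = {
        "cert.pem + fullchain.pem (as posted)": served_chain(CERT_PEM, FULLCHAIN_PEM),
        "fullchain.pem only": served_chain(FULLCHAIN_PEM),
        "cert.pem + chain.pem": served_chain(CERT_PEM, CHAIN_PEM),
    }
    for name, chain in layouts.items():
        print(f"{name}: {len(chain)} certs, duplicates at {duplicate_positions(chain)}")
```

In this model, pointing SSLCertificateFile at fullchain.pem and dropping SSLCertificateChainFile (deprecated since Apache 2.4.8) yields leaf then E6 with no repeat. To check real files, pass the contents of the paths named in the virtual host to `served_chain`.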