Certificate update issue

The issue I encountered is that when I query my domain name through crt.sh, I find that the summary is "precertificate" instead of "Leaf certificate". Why is it not the Leaf certificate? When I check the corresponding fullchain.pem, I notice that it has one segment less than before. Please tell me how to fix this problem.

My domain is: axesdn.com
I ran this command: 'certbot -d axesdn.com -d *.axesdn.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly'

It produced this output:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/axesdn.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/axesdn.com/privkey.pem
    Your cert will expire on 2024-07-02. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

The version of my client is :certbot 0.31.0

I encountered an issue where previously, when I applied for a certificate, the fullchain.pem would contain three segments of certification. However, with the latest certificate I generated, it only contains two segments of certification. I'm confused about what's happening, and I'm unsure if the certificate obtained this way can still be used. Please help me.

crt.sh usually shows both. Perhaps you can't see the leaf cert yet due to being backlogged (see https://crt.sh/monitored-logs for backlog).

Unless there's an error shown, your certificate from the Let's Encrypt ACME server will be the leaf certificate, so please stop issuing more and more certificates. You've gotten quite a few now.

Please see:

3 Likes

Thank you very much for your response. I am a beginner, and there are some questions I still don't understand.
I use the same command to execute every three months (previously operated by other colleagues). This time after I executed it, the content of the fullchain.pem file is missing the following compared to before. I'm not sure if there was a problem with my application operation this time? Why is it different from before?

-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----

1 Like

It's entirely normal for your full chain to have less certificates now. Let's Encrypt now default to a shorter chain. In the coming months some of the intermediate certificates will change again but you should just use what the app gives you, it will take care of including the correct intermediate certificates required by the certificate chain.

Some people do custom stuff where they try to compose the chain file themselves using files they've gotten previously, and that would not be a good idea.

3 Likes

This is all explained in the API announcement I linked above and the, in that announcement, linked blog post.

I'm not sure how it can be explained better. If you don't understand the announcement/blog post, perhaps you can asked detailed questions about parts you don't understand?

3 Likes

"Thank you very much for your response, I completely understand now. Thanks."

3 Likes

Thank you for the constructive sarcasm!

1 Like