The issue I encountered is that when I query my domain name through crt.sh, I find that the summary is "precertificate" instead of "Leaf certificate". Why is it not the Leaf certificate? When I check the corresponding fullchain.pem, I notice that it has one segment less than before. Please tell me how to fix this problem.
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/axesdn.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/axesdn.com/privkey.pem
Your cert will expire on 2024-07-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"
I encountered an issue where previously, when I applied for a certificate, the fullchain.pem would contain three segments of certification. However, with the latest certificate I generated, it only contains two segments of certification. I'm confused about what's happening, and I'm unsure if the certificate obtained this way can still be used. Please help me.
crt.sh usually shows both. Perhaps you can't see the leaf cert yet due to being backlogged (see https://crt.sh/monitored-logs for backlog).
Unless there's an error shown, your certificate from the Let's Encrypt ACME server will be the leaf certificate, so please stop issuing more and more certificates. You've gotten quite a few now.
Thank you very much for your response. I am a beginner, and there are some questions I still don't understand.
I use the same command to execute every three months (previously operated by other colleagues). This time after I executed it, the content of the fullchain.pem file is missing the following compared to before. I'm not sure if there was a problem with my application operation this time? Why is it different from before?
It's entirely normal for your full chain to have less certificates now. Let's Encrypt now default to a shorter chain. In the coming months some of the intermediate certificates will change again but you should just use what the app gives you, it will take care of including the correct intermediate certificates required by the certificate chain.
Some people do custom stuff where they try to compose the chain file themselves using files they've gotten previously, and that would not be a good idea.
This is all explained in the API announcement I linked above and the, in that announcement, linked blog post.
I'm not sure how it can be explained better. If you don't understand the announcement/blog post, perhaps you can asked detailed questions about parts you don't understand?