Chain is not working


I today installed SSL certificates on my site. I checked if everything’s OK at SSL Shopper and it says that Chain is not complete.

How to fix it? Thanks.

Could you give us a bit more background on how you installed these on your site? The suggested questions you were presented with when you made the topic give us a lot of information needed to help you. That message is telling you that you’re not presenting the full certificate chain, but depending on your setup you’ll either need to use fullchain.pem, or cert.pem and chain.pem in different places.

Yeah, sure!

I installed my site by adding DNS and my site is using Cloudflare also.
When setup was completed, I used the certificate provided, not that CA bundle (because it wasn’t working).

Could you please tell me where I can find my root certificate?

What certificate filenames do you have?

What do you mean by ‘filenames’? I simply used certificate not CA bundle.

Many Let’s Encrypt clients will generate multiple files, e.g. fullchain.pem as well as cert.pem.

Most of the time (such as with nginx or Apache web servers), you should use fullchain.pem as it contains both the certificate and the intermediates. Using cert.pem would just lead to the incomplete chain problem you have today.

What happened when you tried to use fullchain.pem? It is the correct choice, but if you experienced problems with it, that’s where you should focus your attention.

To directly answer your question, all of the intermediates and roots are available from You most likely want “Let’s Encrypt Authority X3 (IdenTrust cross-signed)”. There is no point bundling any of the roots, since they are trust anchors anyway.

You may also want to tell us what your domain is and how you obtained the Let’s Encrypt certificate, so we can give you more specific answers.

I’ve verified my page by DNS, and here’s what I’ve got in the result - certificate and CA bundle. Certificate works fine, but CA bundle is not working.

And when I download SSL files, I see only ca_bundle.crt, private.key and certificate.crt.
I use which uses Let’s Encrypt.


You can replicate fullchain.pem by appending the CA bundle to the end of the certificate. But this depends how you use them in your web server (the specific configuration directives).

You might try to be much more specific in your responses. How are you configuring the certificate and bundle on your web server, what errors do you get, if any, what is your domain name?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.