Chain.pem with two entries - DST Root CA X3 deprecate


Information needed
openssl version: 1.0.1t
certbot 1.9.0

I have a concern since the expiration regarding DST Root CA X3.

When the SSL certificate is renewed, this is what one of our users has about the certificate for our domain "" as a message.

When I look at the chain.pem (see content below) and fullchain.pem files, I have since DST Root CA X3 expired two different entries in these files. The first one must be the default chain I suppose and the other the alternative chain according to expiration-d54a018df257 or Production Chain Changes.

Contents of my chain.pem file:

If I delete the second chain from the chain.pem and fullchain.pem files then it is no longer a problem as we can see below

However if I understood correctly, the first chain is the default chain which contains (Default chain: End-entity certificate ← R3 ← ISRG Root X1 ← DST Root CA X3) and the second is the alternative chain which contains (Alternate chain: End-entity certificate ← R3 ← ISRG Root X1) so by removing the second string, the user should still get the message right? There is something that I did not understand!

Is there a way to know for sure that it is the default chain and the alternate chain in chain.pem and fullchain.pem files?

This is what the command gives after removing the second chain from chain.pem and fullchain.pem files:

openssl s_client -servername -showcerts -connect
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN =
verify return:1

Certificate chain
0 s:/
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/
i:/C=US/O=Let's Encrypt/CN=R3
2 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

Server certificate
issuer=/C=US/O=Let's Encrypt/CN=R3

No client certificate CA names sent

SSL handshake has read 4463 bytes and written 447 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Master-Key: 584D837005A1D1B76A20154CC6B2C75AFE7D4392212DB2
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1640614264
Timeout : 300 (sec)
Verify return code: 0 (ok)

Thanks for your help.

What message are they seeing exactly? And can you describe what client (browser?) they are using, and what version and operating system it is on?

Yes, you generally understand it correctly. For more details about the long and short chain see:


chain.pem and fullchain.pem contain the same signing certificate chain. The only difference is that fullchain.pem additionally contains the leaf certificate at the beginning. They are not alternates.


Sorry I forgot the screenshot.

That is a normal display from SSL Labs. Try SSL Labs with this website name.

The path #1 shows a trusted path and will be used by (most) browsers. There are exceptions for older or unusual clients. If someone is having a problem with some client can you provide more info about the program they are using?


Yes, yes. In fact fullchain.pem contains the key of cert.pem + the key of chain.pem. What I have is two entries + a third entry since in the chain.pem file there are two keys, the default one it seems and the alternative chain, so I have three entries in fullchain.pem.

So my question is:
Is it normal that I have two keys in chain.pem? And how can we know which is the default chain and which is the alternative chain?
Thank you

You are seemingly using the term key in place of certificate. Please be a bit more precise in the terminology. It is important, because you really have one more file, which is the file containing the key for the leaf certificate.

Yes, it is normal to have two certificates in the chain.pem file.

In the concrete case that must be the default chain (both in the chain.pem and fullchain.pem file).

In the general case you can only know from the settings of your ACME client what chain it is configured to download from the ACME server at the time of the issuance of the requested certificate.
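To see what a chain.pem or fullchain.pem on disk actually contains, each certificate can be split out and its subject and issuer printed. The script below is an added example, not part of the thread or of certbot; its function names are hypothetical, and the classification rule assumes the two Let's Encrypt chains exactly as described above (default chain ends in ISRG Root X1 cross-signed by DST Root CA X3, alternate chain ends in R3 issued by ISRG Root X1).

```shell
#!/usr/bin/env bash
# Added example: identify which Let's Encrypt chain a certbot chain.pem holds.
# Usage: ./chain-check.sh /path/to/chain.pem   (the script name is an assumption)
set -u

# Split a PEM bundle into cert-1.pem, cert-2.pem, ... inside directory $2
# and print how many certificates were found.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/cert-" n ".pem") }
        END { print n + 0 }' "$1"
}

# Classify the chain from the issuer line of the LAST certificate in the file.
# Substring matching works with both the OpenSSL 1.0.x and 1.1+ output formats.
classify_last_issuer() {
    case "$1" in
        *"DST Root CA X3"*) echo "default (long) chain" ;;
        *"ISRG Root X1"*)   echo "alternate (short) chain" ;;
        *)                  echo "unknown chain" ;;
    esac
}

# Print subject, issuer and expiry of every certificate, then the verdict.
describe_chain() {
    local file="$1" dir count i=1 last_issuer=""
    dir="$(mktemp -d)" || return 1
    count="$(split_chain "$file" "$dir")"
    while [ "$i" -le "$count" ]; do
        echo "--- certificate $i of $count"
        openssl x509 -in "$dir/cert-$i.pem" -noout -subject -issuer -enddate
        last_issuer="$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer)"
        i=$((i + 1))
    done
    rm -rf "$dir"
    classify_last_issuer "$last_issuer"
}

# Only run when a file is given on the command line.
if [ "$#" -gt 0 ]; then describe_chain "$1"; fi
```

Two certificates in chain.pem with the last one issued by DST Root CA X3 is the default chain; a single R3 certificate issued by ISRG Root X1 is the alternate chain.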



