Fullchain.pem and chain.pem are identical

Hello,
I have generated the certificate for my domain using the following command:
sudo certbot certonly --manual --preferred-challenges http -d mydomain.co.uk,www.mydomain.co.uk

Now, I have noticed that the chain.pem and fullchain.pem files are identical, and I noticed this because I receive an error when I try to upload the certificates in AWS (Amazon Web Services) Certificate Manager.

Any idea why this is happening?
Thank you

1 Like

Hi @Mev, and welcome to the LE community forum :slight_smile:

Please show the directory listing the two files.
[I'm pretty sure they aren't equal and their sizes should make this apparent]
ls -l /etc/letsencrypt/mydomain.co.uk/

3 Likes

Better ls -l /etc/letsencrypt/archive/mydomain.co.uk/ here—the certificate storage directory won't be directly, immediately under /etc/letsencrypt.

3 Likes

Hello, and thanks for your replies.

So, the ls command returns different file sizes:
lrwx--x--x+ 1 root wheel 40 10 May 11:04 chain.pem -> ../../archive/mydomain.co.uk/chain1.pem
lrwx--x--x+ 1 root wheel 44 10 May 11:04 fullchain.pem -> ../../archive/mydomain.co.uk/fullchain1.pem

However, if I cat chain.pem and cat fullchain.pem and paste both in a text editor, they are exactly the same.

To confirm this, I have run:
git diff /private/etc/letsencrypt/live/mydomain.co.uk/fullchain.pem /private/etc/letsencrypt/live/mydomain.co.uk/chain.pem

and this is the result:
`diff --git a/private/etc/letsencrypt/live/mydomain.co.uk/fullchain.pem b/private/etc/letsencrypt/live/mydomain.co.uk/chain.pem
index 41a561a..f64a40f 120000

--- a/private/etc/letsencrypt/live/mydomain.co.uk/fullchain.pem
+++ b/private/etc/letsencrypt/live/mydomain.co.uk/chain.pem

@@ -1 +1 @@
-../../archive/mydomain.co.uk/fullchain1.pem
\ No newline at end of file
+../../archive/mydomain.co.uk/chain1.pem
\ No newline at end of file`

Their content is the same.

I solved my issue by using the help of this website: https://whatsmychaincert.com/
and by pasting the certificate I was able to generate a chain (from which I just had to remove the leaf certificate part at the beginning and leave only the intermediate part at the end).
No errors from Amazon after doing this, and the certificate is running on my domain correctly.

I just don't understand why I wasn't able to use the certificates created by certbot.. I guess the chain.pem includes some extras (and it looks the same as the fullchain.pem)

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

I might have an idea of what's happening.

What is the output of this command?

sudo certbot --version

1 Like

Hello, thank you for your help.

I have: certbot 1.14.0
I am using a Macbook Pro with Apple M1 chipset on Mac OS Big Sur 11.2.3.

Looking forward to understanding what's happening :slight_smile:

2 Likes

What are the current outputs of these commands?

sudo ls -lRa /etc/letsencrypt/archive/mydomain.co.uk
sudo ls -lRa /etc/letsencrypt/live/mydomain.co.uk
1 Like

Hello, sorry I did not receive your notification.

The first command's output is:
total 40
drwxr-xr-x 6 root wheel 192 10 May 11:22 .
drwx------ 3 root wheel 96 10 May 11:04 ..
-rw-r--r-- 1 root wheel 1874 10 May 11:04 cert1.pem
-rw-r--r-- 1 root wheel 3749 10 May 11:04 chain1.pem
-rw-r--r-- 1 root wheel 5623 10 May 11:04 fullchain1.pem
-rw------- 1 root wheel 1704 10 May 11:04 privkey1.pem

The second command's output is:
total 8
drwx------+ 7 root wheel 224 10 May 11:04 .
drwx------+ 5 root wheel 160 10 May 11:26 ..
-rw-------@ 1 root wheel 692 10 May 11:04 README
lrwx--x--x+ 1 root wheel 39 10 May 11:04 cert.pem -> ../../archive/mydomain.co.uk/cert1.pem
lrwx--x--x+ 1 root wheel 40 10 May 11:04 chain.pem -> ../../archive/mydomain.co.uk/chain1.pem
lrwx--x--x+ 1 root wheel 44 10 May 11:04 fullchain.pem -> ../../archive/mydomain.co.uk/fullchain1.pem
lrwx--x--x+ 1 root wheel 42 10 May 11:04 privkey.pem -> ../../archive/mydomain.co.uk/privkey1.pem

Thank you very much for your help!

2 Likes

As you can clearly see from the file sizes, those two files cannot be the same.

I noticed you're using the /private/ directory earlier, I assume you used that directory this time too? Or are there two letsencrypt directories?

2 Likes

OK, then also, what about:
ls -l /private/etc/letsencrypt/live/mydomain.co.uk/fullchain.pem
ls -l /private/etc/letsencrypt/live/mydomain.co.uk/chain.pem

1 Like

git diff analyzes the two files you listed for their uncommitted changes.

diff would analyze the two files you listed for differences between each other.

diff -git is an artifact on the command line from when you invoke git diff. Under the hood it does some magic that is not worth getting into.

fullchain.pem contains chain.pem, so that may have been confusing to you as well. As @Osiris pointed out, the file sizes are not identical and therefore their contents cannot be the same.

4 Likes
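
Added example, not part of any post in this thread: the git diff output above shows mode 120000 and the two link targets, so it compared the symlinks in live/ rather than the PEM data behind them. The sketch below rebuilds that layout with constructed placeholder PEM blocks (example.test, the two-certificate chain and all function names are assumptions) and compares the dereferenced content, including the check that fullchain is exactly cert followed by chain, which matches the sizes listed earlier (1874 + 3749 = 5623).

```shell
#!/bin/sh
# Constructed sample: placeholder PEM blocks, not real certificates.
# example.test and all function names are assumptions for illustration.

make_pem() {            # print one dummy PEM certificate block labelled $1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

setup_sample() {        # build archive/ files and live/ symlinks under $1
    a="$1/archive/example.test"
    mkdir -p "$a" "$1/live/example.test"
    make_pem LEAF > "$a/cert1.pem"
    { make_pem INTERMEDIATE-A; make_pem INTERMEDIATE-B; } > "$a/chain1.pem"
    cat "$a/cert1.pem" "$a/chain1.pem" > "$a/fullchain1.pem"
    for f in cert chain fullchain; do
        ln -s "../../archive/example.test/${f}1.pem" "$1/live/example.test/$f.pem"
    done
}

count_certs() {         # certificates in a PEM bundle (grep follows the symlink)
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

same_content() {        # exit 0 only if the two files are byte-identical
    cmp -s "$1" "$2"
}

is_leaf_plus_chain() {  # args: cert chain fullchain
    cat "$1" "$2" | cmp -s - "$3"
}

tmp=$(mktemp -d)
setup_sample "$tmp"
live="$tmp/live/example.test"
echo "link targets: $(readlink "$live/chain.pem") vs $(readlink "$live/fullchain.pem")"
echo "chain.pem:     $(count_certs "$live/chain.pem") certificate(s)"
echo "fullchain.pem: $(count_certs "$live/fullchain.pem") certificate(s)"
if same_content "$live/chain.pem" "$live/fullchain.pem"; then
    echo "contents identical"
else
    echo "contents differ"
fi
is_leaf_plus_chain "$live/cert.pem" "$live/chain.pem" "$live/fullchain.pem" \
    && echo "fullchain.pem = cert.pem + chain.pem"
rm -rf "$tmp"
```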
