Fullchain.pem contains an invalid Intermediate

Hey,

Running Certbot from a HAProxy server. Version details as follows:

Certbot version: 0.40.0
OS: Ubuntu 20.04.4 LTS
HAProxy: version 2.4.17-1ppa1~focal, released 2022/05/14

Only just recently realised that something very unexpected is happening. When we're generating a new cert, let's say for example for a brand new customer such as backoffice.viajesmax.com, it created the usual files in /etc/letsencrypt/live/backoffice.viajesmax.com

So that is to say,

README, cert.pem, chain.pem, fullchain.pem, privkey.pem

When inspecting the contents of fullchain.pem this is what is included.

From top to bottom,

  1. Actual server certificate
  2. Valid Intermediate Cert
  3. Invalid Intermediate Cert

I will attach a screenshot of what number 3 (the bottom cert of fullchain.pem) looks like. I don't understand why this would be happening.

Why would Certbot try to add this to the end of fullchain.pem? I can't seem to work it out. It looks like an old Intermediate Cert that still references the expired DST Root CA.

Is it something on our HAProxy server that is causing Certbot to do this maybe?

That is absolutely normal and expected. The expired intermediate provides support for older Android devices. Most modern devices will build a trust chain from the R3/ISRG intermediate to a trusted ISRG CA root and stop there. You can see these two paths using a test site like SSLLabs.com.

Let's Encrypt also offers a "short chain". Certbot versions 1.12 and later support that with the --preferred-chain option. You can read more about the pros and cons of each here.

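To check this yourself rather than reading the PEM blocks by eye, the following stdlib-only script (an added example, not code from the thread or from Certbot) walks each certificate in a fullchain.pem and prints its subject CN, issuer CN and notAfter date, which is enough to see that the bottom certificate is the ISRG Root X1 cross-signed by DST Root CA X3 rather than a stray leftover. The sample chain is constructed inline with a tiny DER builder: dummy keys, dummy signatures, nothing is actually signed, and the names and dates only mirror the shape of the Let's Encrypt long chain (leaf, R3 issued by ISRG Root X1, ISRG Root X1 issued by DST Root CA X3). `short_chain` is a hypothetical helper that trims the file to what the short chain contains; real Certbot does not trim locally, it asks the ACME server for the alternate chain when `--preferred-chain "ISRG Root X1"` is set. Function and constant names are this example's own.

```python
"""Inspect a certbot fullchain.pem: who issued each certificate and when it expires.

Stdlib only. The DER builder below exists solely to fabricate a sample chain;
the reader (_read/_children/describe) is what you would run on a real file.
Not from the original thread; sample data is constructed, not real certificates.
"""
import base64
import re
from datetime import datetime, timedelta, timezone

# ---- minimal DER encoder (sample-data generation only) ----------------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _seq(*parts):
    return _tlv(0x30, b"".join(parts))

def _name(cn):  # Name ::= SEQUENCE OF SET OF { OID commonName (2.5.4.3), UTF8String }
    return _seq(_tlv(0x31, _seq(_tlv(0x06, b"\x55\x04\x03"), _tlv(0x0c, cn.encode()))))

def _utctime(dt):  # UTCTime YYMMDDHHMMSSZ
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

_SHA256_RSA = _seq(_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), _tlv(0x05, b""))
_RSA_KEY = _seq(_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), _tlv(0x05, b""))

def make_cert(subject, issuer, not_before, not_after, serial):
    """Structurally valid X.509 v3 with placeholder key and signature (constructed sample only)."""
    tbs = _seq(
        _tlv(0xa0, _tlv(0x02, b"\x02")),          # [0] version v3
        _tlv(0x02, bytes([serial])),                # serialNumber
        _SHA256_RSA,                                # signature AlgorithmIdentifier
        _name(issuer),
        _seq(_utctime(not_before), _utctime(not_after)),
        _name(subject),
        _seq(_RSA_KEY, _tlv(0x03, b"\x00" + b"\x01" * 16)),   # placeholder SubjectPublicKeyInfo
    )
    der = _seq(tbs, _SHA256_RSA, _tlv(0x03, b"\x00" + b"\x02" * 16))  # placeholder signature
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# ---- minimal DER reader -----------------------------------------------------
def _read(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read(body, pos)
        out.append((tag, val))
    return out

def _cn(name_der):
    for _, rdn in _children(name_der):            # SET OF
        for _, atv in _children(rdn):             # SEQUENCE { type, value }
            oid, value = _children(atv)
            if oid[1] == b"\x55\x04\x03":         # id-at-commonName
                return value[1].decode()
    return "?"

def _time(tag, val):  # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def split_pem(text):
    return re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", text, re.S)

def describe(pem):
    """Subject CN, issuer CN and notAfter of one PEM certificate."""
    der = base64.b64decode("".join(pem.strip().splitlines()[1:-1]))
    fields = _children(_children(_read(der, 0)[1])[0][1])   # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                                 # skip explicit version
        fields = fields[1:]
    _serial, _sigalg, issuer, validity, subject = fields[:5]
    return {"subject": _cn(subject[1]), "issuer": _cn(issuer[1]),
            "not_after": _time(*_children(validity[1])[1])}

def chain_report(fullchain_pem, now):
    """One dict per certificate, top to bottom, with expiry evaluated at `now`."""
    report = []
    for pem in split_pem(fullchain_pem):
        c = describe(pem)
        c["expired"] = c["not_after"] < now
        report.append(c)
    return report

def short_chain(fullchain_pem, trusted_roots=("ISRG Root X1",)):
    """Hypothetical helper: keep certificates up to the first one issued by a trusted root.
    This is what the short chain contains; certbot obtains it via --preferred-chain, not by trimming."""
    kept = []
    for pem in split_pem(fullchain_pem):
        kept.append(pem)
        if describe(pem)["issuer"] in trusted_roots:
            break
    return "".join(kept)

# Constructed sample modelled on the default (long) chain; dates are illustrative.
_NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
_UTC = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
SAMPLE_FULLCHAIN = (
    make_cert("backoffice.viajesmax.com", "R3", _NOW, _NOW + timedelta(days=90), 1)
    + make_cert("R3", "ISRG Root X1", _UTC(2020, 9, 4), _UTC(2025, 9, 15), 2)
    + make_cert("ISRG Root X1", "DST Root CA X3", _UTC(2021, 1, 20), _UTC(2024, 9, 30), 3)
)

if __name__ == "__main__":
    for c in chain_report(SAMPLE_FULLCHAIN, _NOW):
        print(f'{c["subject"]:28} issued by {c["issuer"]:16} until {c["not_after"]:%Y-%m-%d}'
              + ("  (EXPIRED)" if c["expired"] else ""))
```

Run it against a real file by replacing `SAMPLE_FULLCHAIN` with `open("/etc/letsencrypt/live/<name>/fullchain.pem").read()`: the third entry will show subject ISRG Root X1, issuer DST Root CA X3, which is the cross-signed root the answer describes, not a corrupted intermediate. Clients that already trust ISRG Root X1 stop at R3 and never evaluate that last block.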

Thank you!

