GTmetrix scan error on HTTPS

Hi! When I try to run a GTmetrix scan analysis, the process is aborted and return this message:

Analysis Error
The SSL certificate for this site is not trusted in all web browsers
You may have an incorrectly installed SSL certificate. Check your SSL certificate at SSLShopper.

When go to SSLShopper SSL Checker, the message is:

The certificate is not trusted in all web browsers.
You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.

Also gives me a “B” rating because:

This server’s certificate chain is incomplete. Grade capped to B.
This site works only in browsers with SNI support.

But scanning “” URL there is no error in both test mentioned above.
I saw one similar topic here, but I don’t know if it is the right solution for me:

Please, how can I fix my certificate to be accepted on GTmetrix and receive A grade on SSL test?

Best regards!

What's the URL you're checking? Being able to see the cert presented would help greatly. Do you get any errors when navigating to your site in a browser?

This part

means that you didn't create the full certificate chain with intermediary certificates. Are you using certbot? If so, which file are you pointing your web server to? You should have cert.pem, chain.pem, and fullchain.pem.

We could also use knowing what web server you're trying to configure to help you with anything related to server configs.

Web sites need to be configured to serve intermediate certificates which identify the certificate authority that issued the certificate. These are also called “chain” certificates; together with the end-entity certificate that identifies your web site, they form the certificate chain that allows someone connecting to the site to verify the path from a trusted root certificate authority to the site itself.

Forgetting to serve intermediate certificates can be a hard-to-notice and hard-to-diagnose problem because browsers often cache intermediate certificates that they’ve seen before and use them in case a particular site forgets to serve them. Thus, a misconfigured site can work fine in some browsers, but not others.

The way to serve the complete chain depends on what server software you’re using. When Let’s Encrypt issued your certificate, it gave you the appropriate intermediate certificate that needs to be served, but you might not have configured your web server to use it, or whatever software set up your web server for you may not have done so.

Hi! Thanks for replying… The URL I’m checking is:

The SSL certificate was installed following Hostinger tutorial (my host):

When I was going to follow the instructions from Lets Encrypt site, the host support team told me to follow their own tutorial above.

Should I do all again but following Lets Encrypt tutorial instead?


Thanks for sharing the tutorial that you followed.

The problem here appears to be the step where you upload the certificate data, where they leave the CA bundle field blank because of the user interface notice that

“In most cases, you do not need to supply the CA bundle because the server will fetch it from a public repository during installation.”

Apparently this is incorrect in practice because the server apparently did not fetch the CA bundle from the public repository. Therefore, it would probably work better if you provided it. In this context, the CA bundle should be the same thing as the intermediate certificate or chain certificate. You might have this available as the 2nd item in fullchain.pem, or possibly in a file called chain.pem.

Thank you! Now I understand what you said.
I tried to generate a new certificate to get the 2nd item from fullchain.pem (it also generetad chain.pem).
But when adding the new certificate manually in my host, the message says “Private key doesn’t match the Certificate”.
Strange because I’m getting all new data from the just generated files (cert.pem, chain.pem, fullchain.pem, key.pem).
Please, how can I fix this incompatibility between Private key and Certificate when generating again?

This incompatibility shouldn’t exist.

I obviously don’t want you to post your private key itself here, but can you post the output of running the following commands?

openssl x509 -in cert.pem -text -noout

openssl rsa -in key.pem -modulus -noout

(You said key.pem rather than privkey.pem, although Certbot would normally call this file privkey.pem.)

Sure… I’m not using Certbot, but following the above Hostinger tutorial. On cert.pem:

Version: 3 (0x2)
Serial Number:
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
Not Before: Jul 25 17:49:00 2017 GMT
Not After : Oct 23 17:49:00 2017 GMT
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:

        Authority Information Access:
            OCSP - URI:
            CA Issuers - URI:

        X509v3 Subject Alternative Name:
        X509v3 Certificate Policies:
              User Notice:
                Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at

Signature Algorithm: sha256WithRSAEncryption

On key.pem:


That’s definitely a mismatch. The moduli of the corresponding public and private keys will always match. For some reason, that PHP-based ACME client they have you using is not saving the files as expected. You might try backing up and clearing out that directory, and running it again. A cursory look at the code indicates it looks at an ini file for configuration information - it’s possible something got messed up here.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.