Hardenize.com reports: Certificate chain is incorrect

I've used hardenize.com to validate grimstveit.no for MTA-STS, which makes HTTPS requests towards https://mta-sts.grimstveit.no/.well-known/mta-sts.txt

Hardenize.com reports a big issue while scanning: "Certificate chain is incorrect. This certificate is delivered as part of an incorrect certificate chain. The problems in the chain render the certificate invalid too. Although some clients (typically browsers) are able to fix or rebuild certificate chains, it's generally not safe to assume that all browsers can."

My domain is: grimstveit.no

I used this website: Hardenize Report: grimstveit.no

It produced this output: Certificate chain is incorrect

My web server is: apache24-2.4.48

The operating system my web server runs on is: FreeBSD

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is: acme.sh-2.9.0_1 (from ports)

acme.sh --version
https://github.com/acmesh-official/acme.sh
v2.9.0

All help is greatly appreciated.

1 Like

Hello @jakobbg,

Indeed, there are some issues with your certificate chain; your server sends the leaf certificate twice:

Certificate chain
 0 s:/CN=grimstveit.no
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/CN=grimstveit.no
   i:/C=US/O=Let's Encrypt/CN=R3
 2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

I'm not 100% sure how acme.sh stores the certificates it obtains, but I guess it provided you with cert.pem, chain.pem and fullchain.pem (or something like that). If you are using both SSLCertificateFile and SSLCertificateChainFile directives in your Apache config, you want to use cert.pem and chain.pem respectively. Otherwise, you should use only SSLCertificateFile with fullchain.pem (note that SSLCertificateChainFile is deprecated in Apache 2.4, so you should probably go with the second option anyway).

The "fullchain" file is a concatenation of the cert and chain files; if you use the SSLCertificateFile and SSLCertificateChainFile directives, the files specified get concatenated "on the fly" (which leads to chain issues if you happen to set SSLCertificateFile to cert.pem and SSLCertificateChainFile to fullchain.pem).

3 Likes
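As an added example (not part of this thread or of acme.sh), the script below mimics Apache's on-the-fly concatenation of SSLCertificateFile and SSLCertificateChainFile and flags any certificate that ends up in the served chain twice, which is exactly what the scanner reported here. The certificate bodies are constructed placeholders, not real certificates; point `apache_effective_chain` at the contents of your own PEM files to check a real config.

```python
import re

# One PEM certificate block; the body between the markers is captured.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return each certificate body found in `text`, whitespace removed."""
    return [re.sub(r"\s+", "", body) for body in PEM_RE.findall(text)]

def apache_effective_chain(cert_file, chain_file=None):
    """Order Apache sends: everything in SSLCertificateFile first, then
    (if the legacy directive is set) SSLCertificateChainFile appended."""
    chain = pem_blocks(cert_file)
    if chain_file is not None:
        chain += pem_blocks(chain_file)
    return chain

def chain_problems(chain):
    """Report certificates that appear more than once in the served chain.
    Identical PEM bodies are identical certificates, so text comparison
    is enough for duplicate detection."""
    problems, first_seen = [], {}
    for idx, body in enumerate(chain):
        if body in first_seen:
            problems.append(f"position {idx} duplicates position {first_seen[body]}")
        else:
            first_seen[body] = idx
    return problems

def pem(body):
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed stand-ins for leaf, R3 intermediate and ISRG Root X1 (not real certs).
LEAF, INTERMEDIATE, ROOT = "LEAFBODY", "R3BODY", "ISRGBODY"
CERT_PEM = pem(LEAF)                      # cert.pem
CHAIN_PEM = pem(INTERMEDIATE) + pem(ROOT)  # chain.pem
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM       # fullchain.pem = cert + chain

def scenarios():
    """The three configurations discussed in the thread, with their findings."""
    return {
        "legacy: SSLCertificateFile=cert.pem + SSLCertificateChainFile=chain.pem":
            chain_problems(apache_effective_chain(CERT_PEM, CHAIN_PEM)),
        "bug: SSLCertificateFile=cert.pem + SSLCertificateChainFile=fullchain.pem":
            chain_problems(apache_effective_chain(CERT_PEM, FULLCHAIN_PEM)),
        "modern: SSLCertificateFile=fullchain.pem only":
            chain_problems(apache_effective_chain(FULLCHAIN_PEM)),
    }

if __name__ == "__main__":
    for name, problems in scenarios().items():
        print(f"{name}: {problems or 'OK'}")
```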

Please show the vhost config that is using the cert.

It should be using something like this:

ssl_certificate      /root/.acme.sh/{your.domain}[_ecc]/fullchain.cer;
ssl_certificate_key  /root/.acme.sh/{your.domain}[_ecc]/{your.domain}.key;

[note: those are in nginx format]

1 Like

@jakobbg

Welcome Back to the Let's Encrypt Community, Jakob :slightly_smiling_face:

Indeed, @damisanet has identified the issue. I suspect that fullchain.pem is being used instead of chain.pem in an SSLCertificateChainFile directive.

Regarding the SSLCertificateChainFile directive deprecation, @damisanet is on target as well, though the point number (x.y.z) is also significant.

Per mod_ssl - Apache HTTP Server Version 2.4 :

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

3 Likes

Agreed, if that is being used, then you have probably upgraded the original Apache config well past its usefulness.
SSLCertificateChainFile should not be in use in Apache 2.4.48.
You should review your config for such inconsistencies.

2 Likes

You are truly wizards. Thank you! One error and one deprecated configuration solved!

I've now set SSLCertificateFile to point to the fullchain file and removed the use of SSLCertificateChainFile altogether. As you correctly pointed out, this config is not new; it has evolved over the last 10-20 years, I believe :smiley:. My Apache config is now as follows:

grep grimstveit /usr/local/etc/apache24/extra/httpd-ssl.conf|grep SSL|grep -v ^#
SSLCertificateFile "/var/db/acme/certs/grimstveit.no/fullchain.cer"
SSLCertificateKeyFile "/var/db/acme/certs/grimstveit.no/grimstveit.no.key"

Case can be closed, thank you all for the great help!

3 Likes
