Incomplete, Extra intermediate chain certificate

Hi,

I'm having some issue to share my website link on facebook, we are receiving the Erro Curl: 60 (SSL_CACERT).

This error appeared at the beginning of this month, so with SSL Labs, we realised that there is some problem with the intermediate certificate.

I was looking for some solution in your forum and some people suggested to change cert.pem for the fullchain.pem in SSLCertificateFile, but I'm using the Virtualmin Console to generate and renew the SSL certificate automatically with Let's Encrypt and when I renew the SSL all the certificates are update in home folder:

I tried to replace to ssl.cert with the ssl.everything, but it didn't solve the issue, do you have any idea how can I fix it?

My domain is: www.handi-occasion.com/

The operating system my web server runs on is (include version): Debian Linux 8

Apache version: 2.4.10

My hosting provider is: Webmin

I can login to a root shell on my machine: no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes

2 Likes

Hi and welcome to the LE community forum.

The SSL Labs page shows the complete problem:


The cert is signed by R3, but the server is serving the X3 intermediate cert instead.

Which ACME client (and version) did you use?
Webmin Control Panel?
It may need an update.

4 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Going along with what Rudy (@rg305) said:

4 Likes

Lucas may not have enough access to make such changes :frowning:
Step #1: Contact the system admin and make them aware of the problem.
[It should be causing problems for all LE users on that system (once their certs renew)]

3 Likes

Webmin (and thus Virtualmin) used to hardcode the intermedate if certbot wasn't installed on the server and the acme-tiny client was used. This was bad design on their part. See:

Because you don't have root access to your server, this is something your hosting provider needs to fix.

4 Likes

Hi guys,

Thanks a lot for the help, I'm using the Webmin Control Panel and I updated some packages but I still have the problem with incomplete intermediate certificate, now I'm using the version 1.962 of Webmin and 6.14 of Virtualmin.

I think Osiris and Rudy are right I will try to contact Virtualmin, to see if they can fix it, I will let you know if I found any solution.

3 Likes

Thanks guys! I just download the certificate authority and add it manually, I used the certificate: https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem as @Osiris indicates in his answer. Now it is working :grinning:

4 Likes

Note that manually changing the intermediate this time does not give you any guarantee your site keeps working in the future, as changes in the intermediate could happen at any time without any warning (in case of an incident with the current intermediate for example).

Hopefully the webmin fix will be in a future release and hopefully a simple upgrade of your webmin/virtualmin will suffice.

4 Likes

I report this issue to Virtualmin, hope they will fix it, but I will take care, thank you!

3 Likes

It's ready fixed, but this fix is probably not yet released. And would only come in effect after a next renewal.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.