Incorrect order and Extra certificate error

Hi guys,

I’m having an issue with my new Let’s Encrypt certificate. I’m using Apache 2.4.18, and I followed the tutorial to create my certificate as follows:

./letsencrypt-auto certonly --standalone -d mywebsite.com -d www.mywebsite.com

The Qualys SSL Labs test tells me that 3 certificates are provided (most websites running a Let’s Encrypt certificate have only 2), and gives me the following error: Chain issues - Incorrect order, Extra certs

When I check the details of the certificates on Let’s Encrypt, I see that Certificate #1 and #2 are exactly identical (same fingerprint, same SHA256…)

Certificate 1
Subject mywebsite.com
Fingerprint SHA1: dku23dku23dku23dku23dku23dku23dku23dku23
Pin SHA256: OmDLmDLmDLmDLmDLmDLmDLmDLmDLmDLmDLmDLV
Valid until Mon, 11 Apr 2016 21:06:00 UTC (expires in 2 months and 29 days)
Key RSA 4096 bits (e 65537)
Issuer Let’s Encrypt Authority X1
Signature algorithm SHA256withRSA

Certificate 2
Subject mywebsite.com
Fingerprint SHA1: dku23dku23dku23dku23dku23dku23dku23dku23
Pin SHA256: OmDLmDLmDLmDLmDLmDLmDLmDLmDLmDLmDLmDLV
Valid until Mon, 11 Apr 2016 21:06:00 UTC (expires in 2 months and 29 days)
Key RSA 4096 bits (e 65537)
Issuer Let’s Encrypt Authority X1
Signature algorithm SHA256withRSA

Certificate 3 is the Let’s Encrypt Authority X1 certificate. Nothing special here.

httpd.conf is configured as follows:

Listen 443
<VirtualHost *:443>
    DocumentRoot /var/www/html/mywebsite.com
    ServerName mywebsite.com
    ServerAlias www.mywebsite.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/mywebsite.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mywebsite.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mywebsite.com/fullchain.pem
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</VirtualHost>

Am I missing something here?

Hello @flowmtl,

As you are using Apache 2.4.18, remove SSLCertificateChainFile directive and change SSLCertificateFile to link fullchain.pem instead of cert.pem. Reload Apache and try again.

Cheers,
sahsanu

3 Likes

Hello @sahsanu

Thank you so much!!! That solves the issue :slightly_smiling:

2 Likes

This isn’t a big issue; see this: https://community.qualys.com/docs/DOC-1931

No, that is correct for Apache 2.4, a separate cert and chain was only required for 2.2 and older.

2 Likes

And with Apache 2.2, do you know if there is a solution (except updating to Apache 2.4)?

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

You just need to use chain.pem instead of fullchain.pem to avoid duplicating the certificate. Works fine in Apache 2.2 (and 2.4, despite being deprecated).

1 Like
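An added check, not from this thread, that models how Apache assembles the served chain from SSLCertificateFile followed by SSLCertificateChainFile, and flags the duplicated leaf the asker saw. The PEM bodies below are constructed stand-ins (valid base64, not real X.509 certificates), so only their identity matters to the check; the file layout under /etc/letsencrypt/live/ is the one certbot uses.

```python
import base64
import hashlib
import re

# Constructed stand-ins for certbot's output files (NOT real certificates):
# cert.pem = leaf only, chain.pem = intermediate only, fullchain.pem = both.
LEAF_PEM = ("-----BEGIN CERTIFICATE-----\n"
            "bGVhZiBjZXJ0IGZvciBteXdlYnNpdGUuY29t\n"
            "-----END CERTIFICATE-----\n")
INTERMEDIATE_PEM = ("-----BEGIN CERTIFICATE-----\n"
                    "TGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDE=\n"
                    "-----END CERTIFICATE-----\n")
CERT_PEM = LEAF_PEM
CHAIN_PEM = INTERMEDIATE_PEM
FULLCHAIN_PEM = LEAF_PEM + INTERMEDIATE_PEM

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 of each certificate's DER bytes, in file order (no X.509 parsing needed)."""
    out = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        out.append(hashlib.sha256(der).hexdigest())
    return out

def served_chain(cert_file, chain_file=""):
    """Model of what Apache sends: SSLCertificateFile contents, then SSLCertificateChainFile."""
    return fingerprints(cert_file) + fingerprints(chain_file)

def chain_issues(chain):
    """Report the 'Extra certs' condition: the same certificate appearing twice in the chain."""
    seen, issues = set(), []
    for pos, fp in enumerate(chain, 1):
        if fp in seen:
            issues.append(f"certificate #{pos} duplicates an earlier one ({fp[:16]}...)")
        seen.add(fp)
    return issues

if __name__ == "__main__":
    # Asker's config: cert.pem + fullchain.pem -> leaf sent twice, 3 certs total.
    print("cert.pem + fullchain.pem:", chain_issues(served_chain(CERT_PEM, FULLCHAIN_PEM)))
    # Apache 2.4 fix: fullchain.pem alone. Apache 2.2 fix: cert.pem + chain.pem.
    print("fullchain.pem only:", chain_issues(served_chain(FULLCHAIN_PEM)))
    print("cert.pem + chain.pem:", chain_issues(served_chain(CERT_PEM, CHAIN_PEM)))
```

Run it against the real files with `fingerprints(open(path).read())` to confirm the bundle you deploy contains each certificate exactly once.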

Yep, I’m a little silly here, sorry and thanks :slight_smile:

Got the same problem under nginx. I am using Vesta control panel together with LE. After the reinstallation of the whole system, CentOS, and a recovery of LE into Vesta’s website config input boxes (there are three blank boxes for key, cert and pem input), I found from the ssllabs server check that mine was Incorrect order and Extra cert. Well, then, I deleted one block of the two from the pem, the 3rd box, which actually is SSL Certificate Authority / Intermediate (optional), and conducted a second check via ssllabs. This time, the alert info disappeared with the following msg.

| Certificates provided | 2 (2705 bytes) |
|-----------------------|----------------|
| Chain issues          | None           |

Well, I believe what I have deleted was the optional part (of that intermediate).