Intermediate/chain certificate Error

Hey Community,

I’m running some websites with Let’s Encrypt SSL certificates. I built the certificates on a second Linux machine and got these files:

My domain is: www.valtaxa.de

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

And my hosting provider panel needs 3 files for every domain added to the panel. I can add these files:

  • SSL-Certificate
  • SSL-Intermediate Certificate
  • SSL Private Key

I tried to use the chain.pem file as the intermediate, and the root file from the Let’s Encrypt website (https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt), but my website is still not shown in Facebook’s in-app browser (SSL error).

https://www.sslshopper.com/ssl-checker.html#hostname=https://www.valtaxa.de

shows me: “The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.”

Can anyone give me advice on how to fix it?

Thanks in advance.

My web server is (include version): latest apache

The operating system my web server runs on is (include version): managed linux

My hosting provider, if applicable, is: 1&1

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): 1und cloud panel

Your webserver/hoster indeed doesn’t send the intermediate.

It isn’t necessary to include the root certificate. It should be enough to upload chain.pem as the intermediate certificate on your panel.

There is an extra field for intermediate certificates, but it won’t work if I add the chain or fullchain file. Is there no other option? Do you think it is a bug of my provider?

The chain.pem file contains the intermediate certificate. If it’s not accepted by the provider, that does seem like a bug on their end!

Isn’t it possible that my hoster requires a file that only contains the intermediate certificate? I can upload the chain file as the SSL Certificate file too, so I think it contains other information too. It’s hard for me to believe that this is a bug on 1&1’s side, because it is a really big provider and installing an SSL cert is a really trivial thing ^^

Best wishes and thanks for the fast reply.

The chain.pem contains only the intermediate certificate, so if they require a file that contains only the intermediate certificate, that file should work.

The fullchain.pem contains both the end-entity certificate (your certificate) and the intermediate certificate in one file, so if they require a file that contains both together, that file should work.

Given that you have the private key in privkey.pem, there’s no other information that should be necessary for a hosting provider.

Hi @b1bartels,

As @schoen and @Osiris said:

SSL-Certificate --> cert.pem 
SSL-Intermediate Certificate --> chain.pem
SSL Private Key --> privkey.pem

If you put those files in the corresponding fields, they should work. Remember that you need to restart/reload your web server (don't know if the panel does it automatically after adding a cert).

If that doesn't work, try to use the fullchain.pem (contains your cert and the intermediate cert) as the SSL-Certificate.

SSL-Certificate --> fullchain.pem 
SSL-Intermediate Certificate --> leave this field empty
SSL Private Key --> privkey.pem

And if that doesn't work, contact 1&1 support team, they must know what is happening with their panel.

Good luck,
sahsanu
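
A local check of the file layout described in the replies above, added here as an example and not code from any poster or from Let's Encrypt: it confirms that cert.pem holds one certificate, chain.pem holds only intermediate certificate(s), fullchain.pem is the two concatenated, and no private key has ended up in a certificate file before anything is pasted into the panel. The function names and the sample PEM blocks are assumptions; the blocks wrap constructed placeholder bytes, not real certificates or keys.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block found in text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_RE.findall(text)]

def fingerprints(text):
    """SHA-256 of each block's DER bytes, to compare files block by block."""
    return [hashlib.sha256(der).hexdigest() for _, der in pem_blocks(text)]

def check_files(cert, chain, fullchain, privkey):
    """Compare the four files with the layout described in the thread.
    Returns a list of problems; an empty list means the layout matches."""
    problems = []
    c, ch, fc, pk = map(pem_blocks, (cert, chain, fullchain, privkey))
    if [label for label, _ in c] != ["CERTIFICATE"]:
        problems.append("cert.pem must hold exactly one certificate")
    if not ch or any(label != "CERTIFICATE" for label, _ in ch):
        problems.append("chain.pem must hold only intermediate certificate(s)")
    if fc != c + ch:
        problems.append("fullchain.pem must be cert.pem followed by chain.pem")
    if len(pk) != 1 or not pk[0][0].endswith("PRIVATE KEY"):
        problems.append("privkey.pem must hold exactly one private key")
    if any(label.endswith("PRIVATE KEY") for label, _ in c + ch + fc):
        problems.append("a private key is mixed into a certificate file")
    return problems

def _pem(label, payload):
    """Wrap placeholder bytes in PEM armour (helper for the sample data only)."""
    b64 = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

# Constructed sample input: placeholder bytes, not real certificates or keys.
CERT = _pem("CERTIFICATE", b"constructed leaf placeholder" * 3)
CHAIN = _pem("CERTIFICATE", b"constructed intermediate placeholder" * 3)
FULLCHAIN = CERT + CHAIN
PRIVKEY = _pem("PRIVATE KEY", b"constructed key placeholder" * 3)

if __name__ == "__main__":
    print(check_files(CERT, CHAIN, FULLCHAIN, PRIVKEY))       # expected layout
    print(check_files(FULLCHAIN, CHAIN, FULLCHAIN, PRIVKEY))  # fullchain used as cert.pem
```

To run it on real files, pass the text read from each of the four files to `check_files` in place of the constructed samples.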

Thanks for your help, it really looks like a bug.
