Invalid or missing intermediate (bundle) certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
mdehr.org

I ran this command:
whynopadlock.com

It produced this output:
You have an invalid or missing intermediate (bundle) certificate. This may not break your padlock on all browsers, but will on others. Please contact your SSL Vendor for assistance with this error.

My web server is (include version):
Apache 2.4.29

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
0.31.0

2 Likes

Hi @rustyduckmd and welcome to the LE community forum :slight_smile:

Unfortunately I can't check your IP directly because it was recently block listed - mad fw :frowning:
That said, if the IP is rather new to you, you might not have to worry too much about system compromise.
But in any event you should review it and have it removed from any block lists:
MultiRBL.valli.org - Results of the query 167.99.148.235

3 Likes

Using alternate testing systems, I do see the default/long chain in use:

3 Likes

Thanks very much for the quick response.

I admit this is not a big area of expertise for me, so I'm a bit fuzzy on your findings, and honestly I'm not sure what is meant by an intermediate certificate. Are you saying that the intermediate certificate is there? If so, is there any reason you can think of for why the whynopadlock report is showing this error?

Also not sure about the blacklisting, as I'm not familiar with that service. We have had this IP for a while now, so is the blacklisting a cause for concern?

Thanks again!

2 Likes

Yes.

Because they need to update their software to compensate for the "multiple root chain" now being provided by LE.

Case in point: If you check their own website URL, they show the same error for themselves.
See: Test Results: whynopadlock.com - Why No Padlock?

Yes, especially if you are expecting to use that IP for outbound emailing.
And also it is a "red flag" warning that your systems may have been used for illicit purposes - compromised or bad actors are operating from within your network/system.

2 Likes
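
For the question above about what an intermediate certificate is, here is an added example (not part of the original thread, nor of whynopadlock's or Let's Encrypt's tooling). It builds a throwaway root, intermediate and leaf with the `openssl` CLI and shows that a client trusting only the root rejects the leaf until the intermediate is supplied alongside it. All names (`Demo Root`, `site.example`, the function names) are made up for the demo.

```shell
#!/bin/sh
# Added example: every name, key and certificate here is constructed for the demo.
set -eu

make_demo_chain() {   # $1 = empty, writable directory
  d="$1"
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
  # Root CA: stands in for a root already in the client's trust store.
  openssl req -x509 -config "$d/demo.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA: signed by the root and itself allowed to sign.
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/demo.cnf" -extensions ca_ext -days 2 \
    -out "$d/int.pem" 2>/dev/null
  # Leaf (the site certificate): signed by the intermediate, not by the root.
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=site.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Prints "ok" or "fail" for a client that trusts only the root.
# $2 = "leaf-only" (server omits the intermediate) or "with-intermediate".
check_chain() {
  d="$1"
  if [ "$2" = "with-intermediate" ]; then
    set -- -CAfile "$d/root.pem" -untrusted "$d/int.pem"
  else
    set -- -CAfile "$d/root.pem"
  fi
  if openssl verify "$@" "$d/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

dir=$(mktemp -d)
make_demo_chain "$dir"
echo "leaf only:         $(check_chain "$dir" leaf-only)"
echo "with intermediate: $(check_chain "$dir" with-intermediate)"
```

Against a live server, `openssl s_client -connect HOST:443 -servername HOST -showcerts` (with `HOST` as a placeholder) lists the certificates the server actually sends; a complete response carries the leaf followed by its intermediate(s).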

Great explanation, thanks. We'll put the padlock issue on the back burner for now.

As for the blacklist, we don't use our site for outbound emailing, but we'll do a security audit to identify any issues we might have there.

Thanks again for the timely feedback. Very helpful.

2 Likes
