Nginx with preferred-chain "ISRG Root X1" - still showing "DST Root CA X3"

The cert is not the problem.
The missing chain is the problem.

1 Like

we are already using fullchain.pem and key file.
generated through /usr/local/bin/certbot certonly --apache -d --no-bootstrap -n --expand

still unable to identify the issue.

Show the webserver vhost config file that serves that FQDN ("").

<VirtualHost *:80>
Redirect /
<VirtualHost *:443>
        DocumentRoot /var/www/html/umeCory/tookan-client-web-panel
        ErrorLog /var/log/httpd/default_error.log
        CustomLog /var/log/httpd/default_access.log combined
	SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile /etc/letsencrypt/live/
        SSLCertificateKeyFile /etc/letsencrypt/live/

Then your Apache program or its' config may be (inadvertently) deceiving you.

  • you haven't totally restarted all apache threads since you made that vhost config (low probability)
    to that end, hard restart Apache or the entire server (if possible)

  • there is a name:port conflict and another vhost config is being used to serve it (high probability).
    to that end, let's have a look at the output of:
    sudo apachectl -t -D DUMP_VHOSTS

same configuration is used by the apache and tried by kiiling the pid and then started!!
issue is somewhere else bro

Can you show the output of:
[or is that super top secret stuff?]

VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:443 is a NameVirtualHost
default server (/etc/httpd/conf.d/
port 443 namevhost (/etc/httpd/conf.d/
port 443 namevhost (/etc/httpd/conf.d/
port 443 namevhost (/etc/httpd/conf.d/
port 443 namevhost (/etc/httpd/conf.d/
port 443 namevhost (/etc/httpd/conf.d/
port 443 namevhost (/etc/httpd/conf.d/
port 443 namevhost (/etc/httpd/conf.d/
port 443 namevhost (/etc/httpd/conf.d/aaaaumeform1.tookan.conf:7)
port 443 namevhost (/etc/httpd/conf.d/aaaaumeform2.tookan.conf:7)
port 443 namevhost (/etc/httpd/conf.d/aaaaumeform3.tookan.conf:7)

sharing fewlines there are 2000+ domains we are hosting

OK try:
sudo apachectl -t -D DUMP_VHOSTS | grep -i

Thanks mate this issue is sorted!

1 Like

Just a quick note for CentOS 7 users: I pushed a certbot update yesterday so that you can choose the shorter chain via --preferred-chain. Currently the update is in epel-testing so you need to tell yum to use that repo explicitely.

The update will be available in the regular stable repo in two weeks. You can help getting it into stable by installing the update from epel-testing and leave positive karma there.

More details how to get the update via Fedora bodhi.


AFAIK Apache 2.2 doesn't support putting the certificate chain to SSLCertificateFile directive (it can do this starting from 2.4.8 according to the docs
Try these 3 directives instead:

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.