Openlitespeed - SSL Labs: "This server's certificate chain is incomplete. Grade capped to B"

davfer · June 4, 2024, 5:36am

Hi there!

Cert has been working fine for a while now but I am having difficulty changing the configuration in Openlitespeed to address the SSL labs report result of "This server's certificate chain is incomplete. Grade capped to B".

Can someone help with how to address that as Litespeed support has not been helpful at all!

What do I need to do differently here:

Thanks!

9peppe · June 4, 2024, 6:00am

Did you edit the fullchain.pem file in any way?

https://www.ssllabs.com/ssltest/analyze.html?d=healthdrive.com

davfer · June 4, 2024, 6:15am

No, why do you ask?

9peppe · June 4, 2024, 7:39am

Because that would explain this error, if fullchain.pem were to have one fewer certificate than normal.

webprofusion · June 4, 2024, 9:41am

In your webserver config use the full chain file rather than just your cert. This file will include your cert plus any intermediate certs required to resolve to the CAs root certificate.

davfer · June 4, 2024, 4:37pm

Thanks @webprofusion How do I do this in the openlitespeed SSL admin config:

webprofusion · June 5, 2024, 12:34am

@davfer that config looks good to me but I don't use that product. If you have recently modified this you will need to do a (graceful) restart as per Quick Install SSL with Let’s Encrypt – OpenLiteSpeed for it to pickup the updated files.

davfer · June 5, 2024, 5:58pm

Thanks @webprofusion yes a graceful restart had been done.

I feel like there's something else going on with either the initial LE certificate setup from a while back or in the configuration in OpenLitespeed that is causing these issues not seen on other sites with a similar setup:

MikeMcQ · June 5, 2024, 6:06pm

It is clear your server is only sending out the leaf cert and not the "fullchain". Also see this test site: SSL Checker

You could view the fullchain and make sure it was not damaged since issued. Just view it and count how many "BEGIN CERTIFICATE" lines it has. Should be more than 1 (2 or 3 are both possible).

Otherwise it looks like you followed the instructions at openlitespeed perfectly. If "fullchain" looks okay on your system you may need to ask them about it.

Know the contents of fullchain.pem are not a secret. But, contents of privkey.pem should not be shown to anyone.

system · July 5, 2024, 6:07pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SSL Certificate Chain is Incomplete Help	17	4226	August 28, 2021
Openlitespeed Mobile SSL Help	2	1039	September 2, 2017
This server's certificate chain is incomplete. Grade capped to B Help	4	11412	September 10, 2019
This server's certificate chain is incomplete. Grade capped to B. openshift Help	30	43037	April 29, 2018
Chain is not working Help	8	2731	March 6, 2018

Openlitespeed - SSL Labs: "This server's certificate chain is incomplete. Grade capped to B"

Related topics