Root 1 missing Let’s Encrypt

I have Let's Encrypt configured on Ubuntu 20.04 with Apache 2, but it generates an error in sslchecker, the error is root 1 missing

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/

What is your actual domain name? I cannot connect to either of those domains.

And, those are not the right paths if that is how you actually have it.


I just moved your thread to the Help category. You would have been asked to answer these questions which would be very helpful to us

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


How old is the Apache [what version?] that you have to use:


Server version: Apache/2.4.52 (Ubuntu)
Server built: 2023-10-26T13:44:44 is my domain name

There is no problem with your cert or chain for that domain. The sslchecker tool you used was wrong. Where is that tool?

I reviewed it from my own test server. And, both test systems below show it good
SSL Labs gives you an A rating:


this is the sslchecker tool SSL Certificate Checker

Root 1 missing

You most likely want the want to be using the ISRG Root X1 Self-signed: der, pem, txt certificate.
See: Chain of Trust - Let's Encrypt

1 Like

Also SSL Certificate Checker has the complaint about I suspect they are complaining about certificates not issued by them.

1 Like

Ah. There are two paths down the "long" chain you are using.

One ends at ISRG Root X1 Modern clients have that in their Trusted CA Store so stop validating when they see that.

Your SSLChecker only looked at the last cert and said it did not have that root in their store. Fair enough. That intermediate for DST Root CA X3 is used for older Android device compatibility.

This is changing this year anyway so I don't know it is worth it to report a bug to sslchecker. Starting next month the DST Root CA X3 is gradually being removed from the system.

See below blog post for more details on this transition


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.