I have 4 files: cert1.pem, chain1.pem, fullchain1.pem, privkey1.pem.
In my vhost.conf I set up the generated files as follows:

```
SSLEngine on
SSLCertificateFile "C:/certificate/web1/cert1.pem"
SSLCertificateKeyFile "C:/certificate/web1/privkey1.pem"
SSLCACertificateFile "C:/certificate/web1/chain1.pem"
SSLCertificateChainFile "C:/certificate/web1/fullchain1.pem"
```

But when I test with an online SSL checker, this is my result:
### Certificate Chain Complete?
A valid Root CA Certificate could not be located, the certificate will likely display browser warnings.

**Common Name:** ISRG Root X1
**Organization:** Internet Security Research Group
**Valid:** January 20, 2021 to September 30, 2024
**Issuer:** DST Root CA X3
And the SSL Labs result failed at the SNI section. Can someone point out where my mistakes are?
Yes, we can help but we can give better advice if you answer the form questions as best you can. Thanks
=================================
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
My apache version is:
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
That is generally NOT a mistake at all.
[unless you have a dedicated IP and also use that IP with some extremely old clients]
SNI allows for many sites to be hosted from one single IP.
When a request comes in without a specific host name, it is handled by the default handler [which usually also covers those direct IP requests].
In short: No modern web client would ever need to deal with that default SNI handler.
domain: https://ruslanproperty.com
Certbot version: certbot 1.24.0
Apache version: Server version: Apache/2.4.51 (Win64)
Apache Lounge VS16 Server built: Oct 7 2021 16:27:02
Operating system: Windows 10, single IP
You used certbot options which just got certs. It is up to you to configure your server. This site provides good guidelines
Had you used the certbot apache plug-in as the installer it would have configured your system so that it did not allow TLS v1.0 and v1.1 and would have gotten an A score. There is nothing wrong with configuring it yourself. You just have to do it.
Certbot normally creates a /live/ folder with symlinks to the latest cert it received. It is best if you reference those symlinks rather than the actual cert files.
The next time certbot gets certs it will name them xxxx2.pem, then xxxx3.pem and so forth always updating the symlink to point to the latest.
You should use the symlink name to avoid having to update your server config each cert renewal.
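A vhost that follows the advice above, as an added example that is not from any poster in this thread: it references the `/live/` symlinks, serves the leaf and intermediates from one file, and turns off TLS 1.0 and 1.1. The `C:/Certbot/live/ruslanproperty.com/` path and the `<VirtualHost *:443>` wrapper are assumptions; substitute the `/live/` folder Certbot actually created on your machine.

```apache
# Added example. The paths below are assumptions, not taken from the thread.
<VirtualHost *:443>
    ServerName ruslanproperty.com

    SSLEngine on

    # fullchain.pem holds the server certificate followed by the intermediate(s).
    # Since Apache 2.4.8, SSLCertificateFile loads the intermediates from this
    # file as well, so one directive sends the complete chain to clients.
    SSLCertificateFile    "C:/Certbot/live/ruslanproperty.com/fullchain.pem"
    SSLCertificateKeyFile "C:/Certbot/live/ruslanproperty.com/privkey.pem"

    # Left out on purpose:
    #   SSLCertificateChainFile  - obsolete since Apache 2.4.8; pointing it at
    #                              fullchain adds the leaf certificate a second time.
    #   SSLCACertificateFile     - lists CAs used to verify *client* certificates;
    #                              it plays no part in the chain the server presents.

    # Disable the legacy protocol versions that lower the SSL Labs grade.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
```

Run `httpd -t` to check the syntax before restarting Apache, then re-run the SSL checker against the domain to confirm the chain is reported complete.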