Seeing PEM encoded chain in ERR_CER_COMMON message, what does this mean?


My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

Made a cert with www.mydomain.test. https://www.mydomain.test works fine, just that when I am testing the root domain I get https:// failures.


Subject: www.mydomain.text
Issuer: Let's Encrypt Authority X3
Expires on: 24 Feb 2017
Current date: 27 Nov 2016
PEM encoded chain: -----BEGIN CERTIFICATE-----

What does this mean and did we screw up somewhere with the cert returning this?

Lastly, for setting up with the root domain, do we just create another cert with the root domain? Or would there be some application specific way to do this? Since this is not a wildcard cert, how does the community approach it?


Yes, probably the certificate is for the wrong name or names. The most common cause here is that you have a certificate just for and that’s not valid for because it’s a different name. Humans think they’re basically the same, but machines do not. You can ask Let’s Encrypt for up to 100 names in the certificate, you will be able to pass the challenges (to prove you control the name) much the same for as for

If you use the “certbot” tool to get certificates and now realise you need extra names in the certificate, check the --expand flag in the documentation for how to add names in an easy to understand way.

If it’s not a missing name, the next thing is to inspect the names on the certificate and the name you typed into the browser carefully to check they’re really the same - in your comment here you wrote sometimes “.test” and sometimes “.text” and of course those are different and it matters in a real system, so check carefully.
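
Added example, not part of the original reply or of any Let's Encrypt tooling: the name comparison a TLS client performs, showing why a certificate for www.mydomain.test fails for the root domain and for a ".text" typo. The function names and the name lists are constructed for illustration, and wildcard handling is simplified to one left-most label.

```python
# Added example: client-style hostname matching against a certificate's DNS names.
# All names below are constructed sample data, not read from a real certificate.

def _normalize(name):
    """DNS names compare case-insensitively; ignore a trailing root dot."""
    return name.strip().rstrip(".").lower()

def name_matches(pattern, host):
    """True if one certificate DNS name (optionally '*.' wildcard) covers host."""
    p_labels = _normalize(pattern).split(".")
    h_labels = _normalize(host).split(".")
    if len(p_labels) != len(h_labels):
        return False  # 'www.mydomain.test' never covers 'mydomain.test'
    if p_labels[0] == "*":
        # Simplification: a wildcard stands for exactly one non-empty left-most
        # label and needs at least two fixed labels after it.
        return (len(p_labels) > 2 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels

def covered(host, cert_names):
    """True if any name in the certificate covers the host the user typed."""
    return any(name_matches(p, host) for p in cert_names)

def missing_names(served, cert_names):
    """Hostnames you serve that the certificate does not cover."""
    return [h for h in served if not covered(h, cert_names)]

if __name__ == "__main__":
    cert_names = ["www.mydomain.test"]  # constructed: single-name certificate
    served = ["www.mydomain.test", "mydomain.test", "www.mydomain.text"]
    for host in served:
        status = "ok" if covered(host, cert_names) else "NAME MISMATCH"
        print(f"{host:22} {status}")
    print("names the certificate lacks:", missing_names(served, cert_names))
```

A wildcard name such as `*.mydomain.test` would not cover the root domain either, so the root name has to be listed in the certificate explicitly.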


okay great! --expand just works™. Pretty amazing, kudos to the letsencrypt folks.

Though is the big dump of PEM Encoded chain a security leak on un-ssled domains? Or is this just common.


Certificates are public documents, in fact your certificates will have automatically been logged to the Certificate Transparency system, and are (or will be in a few hours if new) visible in Log Monitors such as

SSL is “public key cryptography”: your server has a pair of keys, one public (included in the certificate, and so sent to everybody who connects, as well as being logged as above) and one private, which you (well, your web server) must never show to anybody and which no-one should ask to see. Here’s a cool video if you are inclined to learn why this is even mathematically possible. If you aren’t, don’t worry, it’s pretty simple to remember the public keys are public, so it’s OK for everybody to know what those are; private keys aren’t just secret (like a password), they’re truly private, nobody needs to know them except you.


Ahh yup thanks. I was afraid that it was a private key leak due to misconfigs, thanks for the helpful info!

