Above is correct, you need to use ‘chain.pem’ and ‘cert.pem’ separately at this time in your configuration, and NOT ‘fullchain.pem’, even though it mentions ‘fullchain.pem’ at the end of the client dialog on the command line. The difference is, the ‘chain.pem’ file contains a cross signature from an IdenTrust root which is present in most browsers today. The ‘fullchain.pem’ references the ISRG root certificate, which is not yet present in most browsers as Let’s Encrypt are still in the process of applying to have it included. Therefore you may well need to manually edit your Apache configuation file, e.g /etc/apache2/sites-available/ssl-default.conf
I found I had to do this just now for www.planetvampire.com and it all checks out on the SSLLabs test now (https://www.ssllabs.com/ssltest/analyze.html?d=planetvampire.com&s=2607%3a5300%3a60%3a330%3a0%3a0%3a0%3a1&latest) , albeit with a warning that the second trust path is not complete (but you can ignore that as browser use the server-presented chain, if there is one). Sorry if this post sounds confusing!
1 Like