SSL Certificate Chain is Incomplete

My SSL certificate chain is incomplete and all support articles suggest installing the intermediate certificate chain.

Appreciate if you could help and guide me to solve this issue.

My domain is: chrisharis.com

I ran an SSL Labs analysis on ssllabs.com, which shows the below:

My web server is: OpenLiteSpeed (1.6.21)

The operating system my web server runs on: Ubuntu 20.04.2 LTS

My hosting provider is: AWS

I can log in to a root shell on my machine.

The version of my client is: certbot 0.40.0

Thank You.

How did you get and, more importantly, install the certificate into OpenLiteSpeed?

2 Likes

Hi Osiris,

I have installed it following the steps in the below link:

Hello younes89,

It seems to me that your web server is not providing the full certificate chain, but instead only serves the "leaf" (your website certificate). In reality, pretty much all modern browsers can work around that issue because Let's Encrypt provides a link to the intermediate cert for the browser to download upon building the chain. But the better, more complete solution is to serve all necessary certificates from your web server.

Check if you used "fullchain.pem" and not "cert.pem" in your web server configuration.

3 Likes
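
Added example, not part of the thread: a shell check for the leaf-only condition described in the post above. It reads the "Certificate chain" section printed by `openssl s_client -showcerts` and reports whether the server sent only the leaf or a chain in which each certificate names the next one as its issuer. The function name, `HOST` and the sample output are constructed for illustration; the check compares names only and does not verify signatures.

```shell
# Added example (not from the thread). Reads the "Certificate chain" section of
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
# on stdin and classifies what the server sent. HOST is a placeholder.
check_served_chain() {
    awk '
        # " N s:<subject>" starts certificate N; "   i:<issuer>" follows it.
        /^ *[0-9]+ s:/   { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        /^ +i:/ && n > 0 { sub(/^ +i:/, ""); iss[n] = $0; next }
        END {
            if (n == 0) { print "no-certificates"; exit 2 }
            # Every certificate must be issued by the one sent right after it.
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k + 1]) {
                    print "broken-link-after " (k - 1); exit 1
                }
            # A single certificate that is not self-signed: intermediate missing.
            if (n == 1 && iss[1] != subj[1]) { print "leaf-only"; exit 1 }
            print "chain-ok " n
        }'
}

# Constructed sample: what a server using cert.pem alone would present.
sample_leaf_only() {
    cat <<'EOF'
Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA, CN = Example Intermediate
EOF
}

# Constructed sample: leaf followed by its intermediate, as in fullchain.pem.
sample_full_chain() {
    cat <<'EOF'
Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA, CN = Example Intermediate
 1 s:C = XX, O = Example CA, CN = Example Intermediate
   i:C = XX, O = Example Root, CN = Example Root
EOF
}

for s in sample_leaf_only sample_full_chain; do
    printf '%s: %s\n' "$s" "$("$s" | check_served_chain)"
done
```

The function exits non-zero for `leaf-only`, `broken-link-after N` and `no-certificates`, so it can gate a deployment or renewal hook.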

The link shows:
image

Did you follow that step?

3 Likes

Hi @maxi322

Thanks for your response.

I have checked the web server configuration. It's already configured to use fullchain.pem.

Regards.

Hi @rg305

Yes I did!

1 Like

hmm...

Then the problem is in the way it handles the fullchain.pem file.
Please show that file here [not to worry it contains only public information].

1 Like

Hi Rudy,

Thanks for your response again.
Attached the fullchain file.
fullchain.pem.txt (5.6 KB)

1 Like

OK try changing the order.
Moving the third cert to second place:

I suspect it can't handle multiple intermediates and is choosing the first one (or the last one) but can't build the trust path to that one.
If this test fails, we should try one Intermediate at a time (and see which one works).

1 Like

Changed the order with a graceful restart, tested it on ssllabs, but it's still showing the chain incomplete issue.

I will try with each one at a time...

All tests reverted back with the same result!

Do you think it could be related to the chained certificate configuration in the web server?

OK, this gives it an interesting turn.

@younes89 Try the following:
Private Key File --> /etc/letsencrypt/live/chrisharis.com-0002/privkey.pem
Certificate File --> /etc/letsencrypt/live/chrisharis.com-0002/cert.pem
Chained Certificate --> /etc/letsencrypt/live/chrisharis.com-0002/chain.pem

2 Likes

Thanks for your response @maxi322

I have tried the same, I don't get the option to set the Chained Certificate file path, but I selected 'Yes'. Tested the same on ssllabs and sslshopper, but no luck!

OK, try to set "Chained Certificate" to yes and use the fullchain.pem on "Certificate File" again.

If that doesn't do it, try to also set "CA Certificate Path" to chain.pem.

3 Likes

YESSSS, it worked!

fullchain.pem with chained certificate.

Thank you so much @maxi322 & @rg305 !!!

2 Likes

Why would there be such a "Yes/No" option to begin with? What a strange control panel IMHO.....

1 Like
