SSL Labs reports 2 chains: trusted and untrusted

I realize that this is likely not Certbot-related, but I have no idea where else to look for help.
When I run the SSL Labs test on my domains, it reports, besides the 1st trusted chain, a 2nd untrusted chain:

Path #2: Not trusted (invalid certificate [Fingerprint SHA256: 0***************************************************************])
1 Sent by server *************
Fingerprint SHA256: 9***************************************************************
Pin SHA256: b*******************************************
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server R3
Fingerprint SHA256: 6***************************************************************
Pin SHA256: j*******************************************
RSA 2048 bits (e 65537) / SHA256withRSA
3 Sent by server ISRG Root X1
Fingerprint SHA256: 6***************************************************************
Pin SHA256: C*******************************************
RSA 4096 bits (e 65537) / SHA256withRSA
4 In trust store DST Root CA X3 Self-signed
Fingerprint SHA256: 0***************************************************************
Pin SHA256: V*******************************************
RSA 2048 bits (e 65537) / SHA1withRSA
Valid until: Thu, 30 Sep 2021 14:01:15 UTC
EXPIRED
Weak or insecure signature, but no impact on root certificate

I suspect that the origin of the 2nd chain is the Apache server's certificate. I inherited it and have no idea of its origin. But what should I do about it? Ignore it and leave it as-is, or obtain/deploy another cert for it? It occurred to me to use one site's cert but it also occurred to me that doing so may create other errors or confusion.


In short, that's normal. Compare yours to what SSL Labs shows for this forum website.

The default chain from Let's Encrypt is called the "long chain" and has multiple paths. The one with DST Root CA X3 is for compatibility with older Android devices. A client (like a browser) only needs to find one trusted path. Most modern clients will see that path #1 is a trusted path and stop looking at the rest of the chain.

Probably more than you care to know, but here is more info about this long chain and the alternate "short chain".

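To make the "multiple paths, one trusted path is enough" point concrete, here is a toy certification path builder added as an example (it is not code from this thread, from Certbot or from Let's Encrypt). It enumerates every issuer-to-subject path from a leaf to a root the way a client does, once against a trust store that holds both ISRG Root X1 and the expired DST Root CA X3 (what SSL Labs sees) and once against an older-Android-style store that holds only DST Root CA X3. The certificate names and the long/short chain contents mirror the report in the post; the leaf name, the fingerprint labels, the evaluation time and every validity date except the DST Root CA X3 expiry are constructed, and signatures are not verified (subject/issuer name matching stands in for them).

```python
"""Why SSL Labs can list two certification paths for one Let's Encrypt
server: a toy path builder over the "long chain". Constructed example,
not code from the forum thread or from Let's Encrypt. Signatures are
not verified; a cert "chains" to any cert whose subject equals its
issuer, which is enough to show how paths are enumerated.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime
    fingerprint: str  # constructed label; tells apart two certs with the same subject

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def _utc(*ymd_hms) -> datetime:
    return datetime(*ymd_hms, tzinfo=timezone.utc)


# Validity dates are illustrative; only the DST Root CA X3 expiry is taken
# from the SSL Labs report quoted in the post. The leaf name is constructed.
LEAF = Cert("www.example.test", "R3", _utc(2023, 3, 1), "leaf")
R3 = Cert("R3", "ISRG Root X1", _utc(2025, 9, 15), "r3")
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", _utc(2024, 9, 30), "isrg-x1-cross")
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", _utc(2035, 6, 4), "isrg-x1-self")
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", _utc(2021, 9, 30, 14, 1, 15), "dst-x3")

LONG_CHAIN = [LEAF, R3, ISRG_X1_CROSS]   # default chain the server sends (leaf, R3, cross-signed root)
SHORT_CHAIN = [LEAF, R3]                 # alternate "short chain": no cross-sign
MODERN_STORE = [ISRG_X1_SELF, DST_X3]    # e.g. SSL Labs: both roots known, anchor expiry enforced
OLD_ANDROID_STORE = [DST_X3]             # older Android: ISRG Root X1 not present
NOW = _utc(2023, 1, 1)                   # evaluation time, constructed (after DST Root CA X3 expired)


def build_paths(leaf, sent, store, now=NOW, enforce_anchor_expiry=True):
    """Enumerate every path from leaf to a trust anchor or self-signed root and classify it."""
    pool = list(sent) + list(store)
    anchors = {c.fingerprint for c in store}
    results = []

    def walk(path):
        cur = path[-1]
        if cur.fingerprint in anchors:
            # Reached a trust anchor; older Android does not check anchor expiry, SSL Labs does.
            if cur.not_after <= now and enforce_anchor_expiry:
                results.append((path, "not trusted: trust anchor expired"))
            else:
                results.append((path, "trusted"))
            return
        if cur.not_after <= now:
            results.append((path, "not trusted: expired certificate"))
            return
        if cur.self_signed:
            results.append((path, "not trusted: root not in trust store"))
            return
        seen = {c.fingerprint for c in path}  # cycle guard for cross-signed roots
        issuers = [c for c in pool if c.subject == cur.issuer and c.fingerprint not in seen]
        if not issuers:
            results.append((path, "not trusted: issuer not found"))
            return
        for cand in issuers:          # one branch per candidate issuer, hence multiple paths
            walk(path + [cand])

    walk([leaf])
    # Trusted paths first: a client stops at the first one it finds.
    results.sort(key=lambda r: (r[1] != "trusted", len(r[0])))
    return results


def client_accepts(results) -> bool:
    """A client needs only one trusted path; the untrusted ones are ignored."""
    return any(status == "trusted" for _, status in results)


def describe(results):
    return [([c.subject for c in path], status) for path, status in results]


if __name__ == "__main__":
    for label, sent, store, enforce in [
        ("SSL Labs, long chain", LONG_CHAIN, MODERN_STORE, True),
        ("older Android, long chain", LONG_CHAIN, OLD_ANDROID_STORE, False),
        ("older Android, short chain", SHORT_CHAIN, OLD_ANDROID_STORE, False),
    ]:
        res = build_paths(LEAF, sent, store, enforce_anchor_expiry=enforce)
        print(f"{label}: accepted={client_accepts(res)}")
        for names, status in describe(res):
            print("   ", " -> ".join(names), f"[{status}]")
```

Against the SSL Labs-style store the builder finds exactly the two paths in the report: leaf -> R3 -> ISRG Root X1 (trusted) and leaf -> R3 -> ISRG Root X1 (cross-signed) -> DST Root CA X3 (not trusted, expired anchor), and the client accepts because one path suffices. Against the older-Android-style store only the long chain produces a trusted path, and only because that store does not enforce anchor expiry; the short chain dead-ends at "issuer not found", which is the compatibility trade-off the reply describes.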
