The certificate chain in the configuration details of the certificate is invalid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
certbot certonly --manual --preferred-challenges=dns

It produced this output:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/
Key is saved at: /etc/letsencrypt/live/
This certificate expires on 2023-07-05.

My web server is (include version): Oracle Apex in OCI

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: Oracle Cloud Infrastructure (OCI)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.5.0

The web server seems misconfigured.

curl -Ii
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Hi, Let's Encrypt Experts,

I created a certificate 2.5 months ago, and used it on my website, and it worked. See my previous question thread: Not Secure after certificate was issued

Yesterday I renewed my certificate with the cmd above and it succeeded.

I created a new OCI load balancer with the new/renewed certificate but I got "The certificate chain in the configuration details of the certificate is invalid." my old load balancer and original certificate were deleted and can't be recovered (sorry).

I received 4 files:

and I used 3 of them to upload:

But after it failed, I tried basically all different combination, but none worked.

I googled, some mentioned that it needs to include ROOT certificate, my renewed certificate didn't include ROOT certificate?

How do I verify the certificate is valid? or How do I make it work?

Sincerely appreciate your help!

You should never include the root certificate.
All systems should already have all the root certificates.


That is never the problem.
Unless you have modified the files:

Undo the changes.
Put things back to when they did work.


Thank you for your reply!

I followed exactly the same instructions to set up the load balancer (it worked before). Below is the screenshot when filling up certificate:

1 Like

Try using the "short chain".


You should use the symlinks in the /live/ folder.
Not the files in the /archive/ folder.
Because when cert1.pem is renewed, it will become cert2.pem and you will have to manually reenter it.
Whereas the symlink will always point to the latest file.

Also, I think you may be able to use just fullchain and privkey [instead of cert, chain, and privkey].


"short chain" is chain1.pem, not "fullchain1.pem", correct? I tried, still the same error.

"Short chain" is part of chain and fullchain - but shorter [removing the last cert (when they contain the cross-signed root)]

Please show either one [cert or fullchain] and I can better explain.

fullchain = cert + chain


the symlinks in live folder points to archive, I used root to issue the certbot command, I copied the 4 files in archive folder to /home/ubuntu and chown to ubuntu, so I could winscp as ubuntu to download the files.

In OCI, there are 3 fields and all are mandatory, so I have to use cert , chain , and privatekey, any other ways?

Then use three.

But let's try using the "short" chain.
Show chain file and I will explain.


This sounds like something that won't be automated.


I see. there are 2 blocks in chain.pem, and 3 blocks in fullchain.pem, let me remove the last block in chain.pem, and try

1 Like

If that works, then you only need to renew the cert and request the "short chain".

That said, you really need to work on a way to automate the renewals.


Sorry, it didn't work, I removed the second/last block in chain.pem, still the same error:
The certificate chain in the configuration details of the certificate is invalid.

Once it works, I will think about automation, but right ow, it is a little overwhelming

here is the chain.pem (before I removed the last block)
chain.pem (3.7 KB)

Once thing I need to mention:
2.5 months ago, I issued:
to get the certificate, and it actually worked on my site.
As mentioned in the previous thread: Not Secure after certificate was issued - #10 by Osiris
I was told I don't need the wild card, so just let it expire. Yesterday I just issue the command with:
Does this make any difference?

That is the "long chain".

Did you remove and retry?

Not much.
But it won't cover the "www" name:



If you also need to cover that name, use:
-d -d