The certificate chain in the configuration details of the certificate is invalid

I see. There are 2 blocks in chain.pem, and 3 blocks in fullchain.pem, let me remove the last block in chain.pem, and try


If that works, then you only need to renew the cert and request the "short chain".

That said, you really need to work on a way to automate the renewals.


Sorry, it didn't work, I removed the second/last block in chain.pem, still the same error:
The certificate chain in the configuration details of the certificate is invalid.

Once it works, I will think about automation, but right now, it is a little overwhelming

here is the chain.pem (before I removed the last block)
chain.pem (3.7 KB)

One thing I need to mention:
2.5 months ago, I issued:
to get the certificate, and it actually worked on my site.
As mentioned in the previous thread: Not Secure after certificate was issued - #10 by Osiris
I was told I don't need the wild card, so just let it expire. Yesterday I just issued the command with:
Does this make any difference?

That is the "long chain".

Did you remove and retry?

Not much.
But it won't cover the "www" name:



If you also need to cover that name, use:
-d -d


Please show:
ls -l /etc/letsencrypt/live/
ls -l /home/ubuntu/*.pem


root@certbot-20230406:/etc/letsencrypt/accounts# ls -l /etc/letsencrypt/live/
total 4
-rw-r--r-- 1 root root 692 Apr 6 16:22 README
lrwxrwxrwx 1 root root 35 Apr 6 16:22 cert.pem -> ../../archive/
lrwxrwxrwx 1 root root 36 Apr 6 16:22 chain.pem -> ../../archive/
lrwxrwxrwx 1 root root 40 Apr 6 16:22 fullchain.pem -> ../../archive/
lrwxrwxrwx 1 root root 38 Apr 6 16:22 privkey.pem -> ../../archive/

I removed the ones in /home/ubuntu after download using WinScp

I tried the "short" one, same error, didn't work.

Maybe the WinSCP garbled the contents???
Try copying them over again.

From where?


In OCI, it allows copying the content of the .pem file directly, let me try that now, to skip the possible WinSCP issue.

Show these outputs:

openssl x509 -in cert1.pem -noout -pubkey
openssl rsa -in privkey1.pem -pubout

[if it asks for a passphrase, just enter anything]

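The two openssl commands above compare the public key inside the certificate with the one derived from the private key; if they differ, the pair was mixed up (for example a cert from one machine pasted with the key from another). The script below is an added example, not from the thread or from certbot, that bundles that check with the other things a load balancer will reject: the number of PEM blocks in each file, the order of the certificates in the chain (each certificate's issuer must be the subject of the next one), and whether the leaf actually chains to a trusted root. File names are assumptions; point it at the files under /etc/letsencrypt/live/<domain>/ or at the copies you pasted.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a certbot-issued
# certificate, key and chain before pasting them into a load balancer.
# Usage: sh certcheck.sh cert.pem privkey.pem chain.pem

# Number of certificates in a PEM file. cert.pem must contain exactly 1,
# chain.pem typically 1 or 2, fullchain.pem = cert.pem + chain.pem.
pem_block_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# SHA-256 of the public key carried inside a certificate.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key.
# "openssl pkey" works for both RSA and ECDSA keys, unlike "openssl rsa".
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'
}

# Returns 0 when the certificate and the private key belong together.
cert_matches_key() {
    [ "$(cert_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ]
}

# Returns 0 when the certificates in a PEM bundle are in leaf-to-root
# order: the issuer of certificate N equals the subject of certificate N+1.
chain_order_ok() {
    tmp=$(mktemp -d)
    # Split the bundle into one file per certificate (01.pem, 02.pem, ...).
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/" sprintf("%02d.pem", n))}' "$1"
    prev_issuer=""
    ok=0
    for f in "$tmp"/*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            ok=1
        fi
        prev_issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
    done
    rm -rf "$tmp"
    return $ok
}

# Returns 0 when CERT chains to a trusted root through CHAIN.
# The optional third argument is a CA file to trust instead of the
# system store (useful for private CAs and for testing).
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

if [ "$#" -eq 3 ]; then
    cert=$1; key=$2; chain=$3
    echo "cert blocks:  $(pem_block_count "$cert")  (expected 1)"
    echo "chain blocks: $(pem_block_count "$chain")"
    cert_matches_key "$cert" "$key" && echo "key matches cert" || echo "KEY DOES NOT MATCH CERT"
    bundle=$(mktemp); cat "$cert" "$chain" > "$bundle"
    chain_order_ok "$bundle" && echo "chain order ok" || echo "CHAIN ORDER WRONG"
    chain_verifies "$cert" "$chain" && echo "chain verifies" || echo "CHAIN DOES NOT VERIFY"
    rm -f "$bundle"
fi
```

If "key matches cert" fails, the key and certificate come from different issuances and no amount of chain editing will help; if only the chain checks fail, re-download chain.pem (or fullchain.pem) from the machine that ran certbot and paste it unchanged.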

root@certbot-20230406:/etc/letsencrypt/live/ openssl x509 -in cert1.pem -noout -pubkey
Could not open file or uri for loading certificate from cert1.pem
20A0A6B0FFFF0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
20A0A6B0FFFF0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(cert1.pem)
Unable to load certificate
root@certbot-20230406:/etc/letsencrypt/live/ openssl rsa -in privkey1.pem -pubout
Could not open file or uri for loading private key from privkey1.pem
20300C9BFFFF0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
20300C9BFFFF0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(privkey1.pem)

Also, I copied and pasted the .pem content directly into the OCI setup screen, still the same error, and I got this:

2.5 months ago I got my first certificate on a ubuntu machine, after that, that machine was no longer available, so I had to "renew" or get a "new certificate" on a brand new ubuntu machine, I don't know if that matters.

If there is an easy way to "re-generate the certificate"/"start from scratch" , I would love to try that. Please let me know what command can I use?

right now, in my Google Domain, there are 2 TXT records for
one is the previous one, the second one is the one I got yesterday, Is that OK? should I delete the first/old one?

Does Let's Encrypt have a sample/demo/trial certificate that I can use to test?

My certificate doesn't work on my website, so either (1) the certificate has problem or (2) my website has problem, if I can eliminate one, then the rest is much easier, any thoughts?

No, there is no trial cert and private key for testing :slight_smile:

It looks to me your Apache server is mis-configured for the domain. It is using a cert that expired 2 years ago. It is a wildcard for *

I haven't read through this whole thread but this is pretty definitive

I don't see any mention of Apache in your first post but the server response header says it is.
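The way to settle "is it the certificate or the website" (the question raised a few posts up) is to look at what the server actually sends over TLS and compare it with the file you think it is serving. The script below is an added example, not from the thread or from Let's Encrypt; the host name is whatever you pass as the first argument, and the second argument is the local cert.pem. It uses only openssl subcommands that exist in 1.1.1 and later.

```shell
#!/bin/sh
# Added example (not from the thread): compare the certificate a web
# server presents with the certificate file on disk.
# Usage: sh servedcert.sh www.example.com /path/to/cert.pem

# Fetch the leaf certificate the server presents for HOST (with SNI, so a
# virtual host that is mis-configured for this name shows its real cert).
# Needs network access.
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# SHA-256 fingerprint of a PEM certificate in FILE.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Returns 0 when the certificate in FILE expires within SECONDS
# (SECONDS=0 means "is it already expired?").
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Who issued it, which names it covers, and its validity window.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName 2>/dev/null \
        || openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Returns 0 when the server at HOST serves exactly the certificate in FILE.
served_matches_file() {
    tmp=$(mktemp)
    served_cert "$1" > "$tmp"
    [ "$(cert_fingerprint "$tmp")" = "$(cert_fingerprint "$2")" ]
    rc=$?
    rm -f "$tmp"
    return $rc
}

if [ "$#" -eq 2 ]; then
    host=$1; file=$2
    echo "== certificate served by $host"
    served=$(mktemp); served_cert "$host" > "$served"
    cert_summary "$served"
    cert_expires_within "$served" 0 && echo "SERVED CERT IS EXPIRED"
    echo "== certificate in $file"
    cert_summary "$file"
    served_matches_file "$host" "$file" && echo "server serves this file" || echo "SERVER SERVES A DIFFERENT CERTIFICATE"
    rm -f "$served"
fi
```

If the served certificate is expired or has a different fingerprint from cert.pem, the certificate is fine and the server (or load balancer) is still pointing at an old one; if the fingerprints match and the browser still complains, look at the chain, not the leaf.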