yep, that worked for me as I mentioned in post #17.
ssllabs is reporting an incomplete chain. I've tried both fullchain.pem and chain.pem with the same results. Any suggestions will be greatly appreciated.
Can you give a bit of information about your system? apache? nginx? something else? version? website?
I solved the issue, it was a case of fat finger syndrome combined with aging eyesight.
In case anyone else stumbles across this: I just installed certbot on a Debian Wheezy box with apache and had to use all three of:
SSLCertificateKeyFile /etc/letsencrypt/live/[FQDN]/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/archive/[FQDN]/chain1.pem
SSLCertificateFile /etc/letsencrypt/live/[FQDN]/fullchain.pem
as without the SSLCertificateChainFile the grade was also capped at B due to a reported incomplete chain.
@alasdair, if you want to specify a chain, a safer location would be /etc/letsencrypt/live/[FQDN]/chain.pem instead of pointing to the archive. (The way you did it, you won't see the updates if the chain changes on renewal.)
It should not be necessary to use SSLCertificateChainFile anymore in current versions of Apache, as it's now deprecated. Perhaps you're running an older version of Apache or something?
alasdair19d : the SSLCertificateChainFile is obsolete since Apache 2.4.8 :
I recommend reading this documentation: How resolve This server's certificate chain is incomplete
Just as a heads-up:
cert.pem contains your certificate.
chain.pem contains the intermediate certificate.
fullchain.pem contains both your certificate and the intermediate.
Shouldn't you put /path-to/cert.pem in your SSLCertificateFile directive and /path-to/chain.pem in your SSLCertificateChainFile directive?
Isn't SSLCACertificateFile supposed to be for client-side auth, and as such on some browsers like Chrome for Android could cause the browser to prompt for a client certificate?
Yes, it is. I don't know why someone had to necro a thread that had been dead for two years to add incorrect information.
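The pitfalls raised across this thread can be checked mechanically. The following is an added example, not code from any poster or from certbot: a small linter for one virtual host's SSL directives. It assumes Apache 2.4.8 or later and certbot's default file names; `example.org` stands in for [FQDN], and the finding codes and the `lint` helper are made up for illustration.

```python
import posixpath
import re

# Constructed sample: the three directives posted in the thread,
# with example.org standing in for [FQDN].
SAMPLE = """\
SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/archive/example.org/chain1.pem
SSLCertificateFile /etc/letsencrypt/live/example.org/fullchain.pem
"""

DIRECTIVE = re.compile(
    r"^[ \t]*(SSLCertificateFile|SSLCertificateChainFile|SSLCertificateKeyFile"
    r"|SSLCACertificateFile)[ \t]+(\S+)", re.IGNORECASE | re.MULTILINE)

# Hypothetical finding codes, one per pitfall discussed in the thread.
MESSAGES = {
    "archive-path": "points into archive/; use live/ so renewals are picked up",
    "redundant-chain": "fullchain.pem already carries the intermediate (2.4.8+)",
    "missing-chain": "cert.pem alone is served without the intermediate",
    "ca-file-misuse": "SSLCACertificateFile is for client-certificate auth",
}

def kind(path):
    """Map cert.pem / chain1.pem / fullchain.pem to 'cert', 'chain', 'fullchain'."""
    m = re.match(r"(fullchain|chain|cert|privkey)\d*\.pem$", posixpath.basename(path))
    return m.group(1) if m else None

def lint(conf):
    """Return sorted finding codes for one virtual host's SSL directives."""
    seen = {n.lower(): p.strip('"') for n, p in DIRECTIVE.findall(conf)}
    found = set()
    if any("/letsencrypt/archive/" in p for p in seen.values()):
        found.add("archive-path")
    cert = kind(seen.get("sslcertificatefile", ""))
    has_chain = "sslcertificatechainfile" in seen
    if cert == "fullchain" and has_chain:
        found.add("redundant-chain")
    if cert == "cert" and not has_chain:
        found.add("missing-chain")  # what SSL Labs reports as an incomplete chain
    if kind(seen.get("sslcacertificatefile", "")) in ("chain", "fullchain"):
        found.add("ca-file-misuse")
    return sorted(found)

if __name__ == "__main__":
    for code in lint(SAMPLE):
        print(f"{code}: {MESSAGES[code]}")
```

On Apache older than 2.4.8, `redundant-chain` does not apply, since those versions need SSLCertificateChainFile to send the intermediate.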