This server's certificate chain is incomplete. Grade capped to B


TL;DR: Cert installed. When checked, I’m informed that “the server’s certificate chain is incomplete. Grade capped to B”. How to get grade A?

I had some problems with setting up a cert for a domain using LE (I’d reached my weekly limit…) so I tried using SSLForFree (which uses LE) and managed to get ‘another roll of the dice’ (I was allowed to create one cert).

I now have the following files

-rw-r--r-- 1 root root 1646 Aug 10 18:43 ca_bundle.crt
-rw-r--r-- 1 root root 1930 Aug 10 18:43 certificate.crt
-rw-r--r-- 1 root root 1703 Aug 10 18:43 private.key

Two files are successfully installed following instructions at SSLForFree:

SSLCertificateFile /etc/httpd/certs/
SSLCertificateKeyFile /etc/httpd/certs/

The server/cert works but on checking with SSLLabs, I get the following message:

This server’s certificate chain is incomplete. Grade capped to B.

The Grade B status produces warning messages in some browsers which I want to avoid.

What do I need to do to get the cert to pass at Grade A? Do I need to concatenate the .crt files and .key to form .pem files? What needs to be concatenated with what to create the standard set of three LE files as follows:

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/

Many thanks in advance.

  • My web server is: Apache/2.2.15 (Unix)
  • The operating system my web server runs on is: Centos 6
  • My hosting provider: self-hosted
  • I can login to a root shell on my machine: yes
  • I’m using a control panel to manage my site: no
  • The version of my client is: certbot 0.37.1

Your ca_bundle.crt probably correlates with Certbot’s chain.pem, so try using that with SSLCertificateChainFile.


Thanks @_az - I’ll give that a try and report back. Fingers crossed…

Thanks @_az - that worked and checked out with an A grade. Thanks a million. :beers: