Two identical certs in full chain?!

Why does Let's Encrypt put 2 identical server certs into the full chain?
It can be seen using openssl s_client.
It will show that the 0th and 1st certs in the chain are identical, belonging to the server.
For example:

openssl s_client -connect
Certificate chain
 0 s:CN =
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN =
   i:C = US, O = Let's Encrypt, CN = R3
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

It started not long ago. Maybe in Sep 2023.
Maybe because of that (?) lynx CAN'T verify the cert.


Hell with it. But git CAN'T verify the cert either.

git clone

Firefox and lots of other apps CAN verify cert.

However, in /etc/letsencrypt/live/, chain.pem has 2 certs and fullchain.pem has 3 certs.

It doesn't. Probably a misconfigured webserver.


What I've got in Apache conf. Anything wrong?

<VirtualHost ...
    ServerAdmin         ...
    DocumentRoot        /home/i/web/
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/"
    SSLCertificateKeyFile "/etc/letsencrypt/live/"
    SSLCertificateChainFile "/etc/letsencrypt/live/"

Yes, you've used one or two directive(s) incorrectly. Depending on the Apache version used, either just use SSLCertificateFile with fullchain.pem as value (2.4.8 and newer) (so no SSLCertificateChainFile at all) or use chain.pem as option to SSLCertificateChainFile (for old Apaches).

fullchain.pem also includes cert.pem, so that's why your Apache is sending it twice: you told it to do so.
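The following is an added example (not from the thread, Certbot or Apache) that models the directive combinations discussed in this answer and shows how the duplicate leaf appears. It assumes a simplified model of Apache's behaviour: every certificate in SSLCertificateFile is sent first, followed by every certificate in SSLCertificateChainFile if that directive is set. The three PEM "files" are constructed stand-ins with distinct fake payloads, not real X.509 certificates, so only their count and identity matter; the fingerprint is a SHA-256 over the decoded PEM body.

```python
from __future__ import annotations

import base64
import hashlib
import re


# Constructed stand-ins for the files Certbot writes under /etc/letsencrypt/live/<name>/.
# The bodies are NOT real certificates, just distinct base64 payloads so fingerprints differ.
def _fake_pem(label: str) -> str:
    body = base64.b64encode(f"constructed cert: {label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = _fake_pem("server leaf")
R3 = _fake_pem("Let's Encrypt R3 intermediate")
ISRG_X1 = _fake_pem("ISRG Root X1, cross-signed by DST Root CA X3")

CERT_PEM = LEAF                       # cert.pem: the leaf only
CHAIN_PEM = R3 + ISRG_X1              # chain.pem: 2 certs (intermediates)
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM  # fullchain.pem: 3 certs = cert.pem + chain.pem

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem(bundle: str) -> list[bytes]:
    """Return the decoded bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [
        base64.b64decode(re.sub(r"\s+", "", m.group(1)))
        for m in _PEM_RE.finditer(bundle)
    ]


def fingerprint(der: bytes) -> str:
    """Short SHA-256 fingerprint used to tell certificates apart."""
    return hashlib.sha256(der).hexdigest()[:16]


def served_chain(certificate_file: str, chain_file: str | None = None) -> list[str]:
    """Assumed model of what Apache sends: all certs from SSLCertificateFile,
    then all certs from SSLCertificateChainFile when that directive is present."""
    certs = split_pem(certificate_file)
    if chain_file is not None:
        certs += split_pem(chain_file)
    return [fingerprint(c) for c in certs]


def duplicate_positions(chain: list[str]) -> list[tuple[int, int]]:
    """(first_index, repeat_index) pairs for every cert that is sent more than once."""
    seen: dict[str, int] = {}
    dups: list[tuple[int, int]] = []
    for i, fp in enumerate(chain):
        if fp in seen:
            dups.append((seen[fp], i))
        else:
            seen[fp] = i
    return dups


def check(name: str, certificate_file: str, chain_file: str | None = None):
    chain = served_chain(certificate_file, chain_file)
    dups = duplicate_positions(chain)
    status = "OK" if not dups else f"DUPLICATE at positions {dups}"
    print(f"{name}: {len(chain)} certs sent, {status}")
    return chain, dups


if __name__ == "__main__":
    # The misconfiguration: leaf in SSLCertificateFile, fullchain.pem (which already
    # starts with the leaf) in SSLCertificateChainFile -> leaf, leaf, R3, X1.
    check("cert.pem + SSLCertificateChainFile fullchain.pem", CERT_PEM, FULLCHAIN_PEM)
    # Correct for Apache 2.4.8 and newer: fullchain.pem alone, no chain directive.
    check("fullchain.pem alone (Apache >= 2.4.8)", FULLCHAIN_PEM)
    # Correct for older Apache: cert.pem plus chain.pem in SSLCertificateChainFile.
    check("cert.pem + SSLCertificateChainFile chain.pem (older Apache)", CERT_PEM, CHAIN_PEM)
```

Positions 0 and 1 being the same certificate in the first case is exactly the picture openssl s_client printed in the question; both corrected combinations send each certificate once and produce the same chain.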


Thanks! Sorry for being noob here...


You can find out more about the different files produced by Certbot in the user guide at User Guide — Certbot 2.6.0 documentation (direct link to correct paragraph).


Don't feel too bad; you're a step ahead of most people: You checked whether your server was actually sending the right chain, rather than just assuming that if you could load your site in one web browser somewhere that it must be configured correctly.
