Untrusted website - Intermediate certificate needed?


I run this website:
Everything works well.

I tried to integrate a shop in it.
PayPal: Was not able to make the Webhooks or IPN work.
Stripe: Didn't even accept my website address: "SSL certificate is not valid"
So I tested this:


Here they say:

> The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

At this point I don't know what to do. Should I do something with certbot or get an intermediate certificate somewhere?



Since you gave us no information about how you got or installed the certificate, neither do we. But the test you did was correct; your site is not serving the intermediate signing certificate. You don't need to do anything with certbot to get it (you already have it), but you do need to tell your web server to use it. Depending on your web server and version, this could mean using fullchain.pem rather than cert.pem, or using chain.pem in addition to cert.pem.


> how you got or installed the certificate

I got it with: certbot certonly --standalone --preferred-challenges
I don't know what you mean by installed, but as I use Apache I made two lines in my conf file like this:

    SSLCertificateFile /mySite/cert.crt
    SSLCertificateKeyFile /mySite/privkey.key

That's all I do to make it work, if I remember well.
Did I miss something with the install part?
I don't understand what you mean by:

> but you do need to tell your web server to use it


Clearly you don't remember well, or you wouldn't be having this problem. Once again (for the third time now, since SSLShopper already told you this), your site needs to serve the intermediate signing certificate, which you already have in the chain.pem file. Consult the docs for your version of Apache to find how to do that.

Changed:

cert.crt and privkey.key

Looks like it works.
Thanks @danb35



I can confirm that you have implemented the correct solution given that your Apache version is at least 2.4.8.

From mod_ssl - Apache HTTP Server Version 2.4:

> SSLCertificateFile Directive
> The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile.

The file extensions are technically irrelevant though some webservers might take them as cues about the format of the contents.

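One way to audit the fix discussed in this thread, as an added example that is not code from any poster, certbot or Apache: it reads the SSLCertificateFile and SSLCertificateChainFile directives from a config and counts the PEM certificates in the files they point to. It assumes the config text holds a single set of SSL directives and it only counts PEM blocks without validating the chain; the function names are hypothetical.

```python
import re
from pathlib import Path

# One PEM certificate block; the body is not decoded or verified here.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
# Apache directive names are case-insensitive; commented-out lines do not match.
DIRECTIVE = re.compile(
    r'^[ \t]*(SSLCertificateFile|SSLCertificateChainFile)[ \t]+"?([^"\s]+)"?[ \t]*$',
    re.I | re.M)

def count_certs(path):
    """Count PEM certificate blocks in a file (1 means leaf only)."""
    return len(PEM_CERT.findall(Path(path).read_text()))

def audit_ssl_directives(conf_text):
    """Return (serves_intermediate, reason) for one set of SSL directives."""
    found = {name.lower(): path for name, path in DIRECTIVE.findall(conf_text)}
    cert = found.get("sslcertificatefile")
    if cert is None:
        return False, "no SSLCertificateFile directive found"
    in_cert = count_certs(cert)
    if in_cert == 0:
        return False, f"{cert} contains no PEM certificate"
    if in_cert >= 2:
        # Leaf plus intermediates in one file, as in fullchain.pem.
        return True, (f"{cert} holds the leaf and {in_cert - 1} "
                      "intermediate(s) (needs Apache 2.4.8+)")
    chain = found.get("sslcertificatechainfile")
    if chain and count_certs(chain) >= 1:
        # Older form: intermediates supplied from a separate file.
        return True, f"{chain} supplies the intermediate(s)"
    return False, f"{cert} holds only the leaf and no chain file is configured"

if __name__ == "__main__":
    import tempfile
    # Constructed demo input: placeholder PEM bodies, not real certificates.
    block = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "cert.pem").write_text(block)
        Path(d, "fullchain.pem").write_text(block * 2)
        for name in ("cert.pem", "fullchain.pem"):
            print(name, audit_ssl_directives(f"SSLCertificateFile {d}/{name}\n"))
```

A result of `False` for a config that points at a leaf-only file matches the "not trusted in all web browsers" finding reported in the thread.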