Website showing as insecure by Chrome, Firefox


My domain is:

My web server is (include version): Apache/2.4.27

The operating system my web server runs on is (include version): Debian GNU/Linux 8

My hosting provider, if applicable, is: Google

I can login to a root shell on my machine (yes or no, or I don’t know): yes

My website is showing as unsecured by almost all browsers, though the SSL Labs result shows A. I have also tried using fullchain.pem instead of cert.pem, as suggested in one of the forums, with no result.

Please advise.


At this point you are sending the public cert and then the public cert and intermediate chain:

Certificate chain
0 s:/
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
1 s:/
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
2 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Please show the lines in the vhost file where you use the cert files.


Thanks for the quick reply. Mentioned below are the lines from httpd-vhosts.conf:

SSLCertificateFile /opt/bitnami/apps/wordpress/letsencrypt/live/
SSLCertificateKeyFile /opt/bitnami/apps/wordpress/letsencrypt/live/
SSLCertificateChainFile /opt/bitnami/apps/wordpress/letsencrypt/live/


Can you try this. This is what I use on Apache servers, not sure though how you have generated the certs.

SSLCertificateFile /opt/bitnami/apps/wordpress/letsencrypt/live/
SSLCertificateKeyFile /opt/bitnami/apps/wordpress/letsencrypt/live/
SSLCertificateChainFile /opt/bitnami/apps/wordpress/letsencrypt/live/


I tried this; it was the original config. I changed to fullchain.pem later.


Strange, it was worth a shot because I use that on all Apache sites without issue. Did your original config also have privkey.pem instead of private.pem?


My file is stored as private.pem so I have to change it to that.


Does fullchain.pem contain two certificates?


Ok I thought that might be the case.


Your web site shows as secure for me in Firefox, Chrome and Safari ??


I opened it using vi editor, it has two begin and end certificate tags. So I guess yes.


Also no errors with Qualys tests


Use fullchain.pem with SSLCertificateFile (instead of cert.pem) and comment out SSLCertificateChainFile completely, then you should be right.


@bytecamp his current config does not give me any errors, are you also seeing the site loading as insecure?


No, but I saw double-propagation of the certificate via openssl s_client. Now it seems to be correct at least from that point of view.
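
The duplicated leaf certificate discussed in the replies above can be checked mechanically from the `openssl s_client` output. This is an added example, not code from the thread; the function names are hypothetical, `example.com` and `HOST` are placeholders, and the sample chain is constructed.

```shell
#!/bin/sh
# Reads `openssl s_client` output on stdin and checks the "Certificate chain"
# section: the leaf must appear once, and each issuer must match the next subject.
check_chain() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0 }
    !in_chain            { next }
    /^ *[0-9]+ s:/ {                                  # " 0 s:<subject>"
      depth = $1 + 0; n = depth + 1
      sub(/^ *[0-9]+ s:/, ""); subj[depth] = $0
      next
    }
    /^ *i:/ { sub(/^ *i:/, ""); issuer[depth] = $0 }  # "   i:<issuer>"
    END {
      if (n == 0) { print "no certificate chain in input"; exit 2 }
      bad = 0
      for (d = 1; d < n; d++) {
        if (subj[d] == subj[0]) {
          printf "depth %d repeats the leaf certificate\n", d; bad = 1
        } else if (issuer[d - 1] != subj[d]) {
          printf "depth %d is not the issuer of depth %d\n", d, d - 1; bad = 1
        }
      }
      if (!bad) printf "chain ok: %d certificates\n", n
      exit bad
    }'
}

# Constructed sample: the leaf is sent twice, then the intermediate.
sample_chain_duplicated() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/CN=example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
EOF
}

# Same sample with the repeated leaf removed and the depths renumbered.
sample_chain_clean() { sample_chain_duplicated | sed -e '6,7d' -e 's/^ 2 s:/ 1 s:/'; }

# Live use: openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | check_chain
sample_chain_duplicated | check_chain || true
```

The function exits non-zero when it finds a repeated leaf or a broken issuer link, so it can gate a deploy or a monitoring check after a certificate renewal.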


Okay, gotcha, I didn’t dig that deep :)


Thanks, it is working now. I have also observed that it's working on but not on


It’s what rg305 posted.

$ openssl s_client -connect -servername </dev/null | grep -A10 'Certificate chain'


You seem to have configured a separate VirtualHost for this domain name, because it sends a self-signed certificate with the wrong common name.

$ openssl s_client -connect -servername </dev/null | grep -A10 'Certificate chain'
Certificate chain
0 s:/


Well, I have kept www.* as ServerAlias now. Should it solve the issue?