Roots Discourse

Chain Cert 2 and Root missing - LetsEncrypt

I just stumbled upon an issue with the LetsEncrypt certification.

I’m setting up a service between a POS system and WooCommerce.
The support team of the service told me that their service doesn’t work due to missing security credentials.

Good SSL: http://prntscr.com/i4jujs
All Four Certificate Chains Found!: Your Cert, Chain Cert 1, Chain Cert 2 and Root

Bad & Inadequate SSL Installation: http://prntscr.com/i4ju5a
Missing, Chain Cert 2 and Root

So I wonder if that’s simply not possible with LetsEncrypt or is the setup missing something maybe? Wasn’t able to find anything in the forum about this so I thought might be interesting to talk about.

Is the Chain Cert 2 and Root something I only get with a paid SSL certificate?

Tested the SSL certificate with sslchecker.com/sslchecker

Thanks

I’m a bit confused… the only SSL certificate you’re using is a LE one auto generated by Trellis correct?

We do automatically handle creating a bundled certificate with the intermediate one. I just analyzed our own site (roots.io) and that sslchecker.com site says the Root cert is missing too. However, I don’t believe you need root certificates in your chain. The browsers already know about them. You only need the intermediate ones.

Did something not actually work, or are they just using the results of that sslchecker site to say it’s missing something?

If so, it sounds like they shouldn’t be relying on that site.

See https://certificatechain.io/

All operating systems contain a set of default trusted root certificates. But Certificate Authorities usually don’t use their root certificate to sign customer certificates. They use so called intermediate certificates instead, because these can be rotated more frequently.

If not all intermediate certificates are installed on your server, some clients —mostly mobile browsers— will think you are on an insecure connection. This results in ‘untrusted’ warnings like the following:

Thanks @swalkinshaw

I’m a bit confused… the only SSL certificate you’re using is a LE one auto generated by Trellis correct?

Exactly.

I see your point and it makes sense. I think it’s just a restriction by them but I wanted to make sure first it’s not an issue from our/Trellis side.

See https://certificatechain.io/

How do I test this exactly? I tried with the certificates on the production server, e.g. /etc/nginx/ssl/letsencrypt/domain.ch-eceXXXXcert but that didn’t work.

For now I feel like, I will have to get a paid SSL certificate to make it work with their service. Btw talking about https://www.kosmoscentral.com/ to sync WooCommerce with Lightspeed, in case anyone is interested.

I think that should work as long as it’s the non-bundled version. I’ve only ever used that site for manual certs though. So if you bought an SSL cert you paste it in there and they build the full chain bundle.

I see. Thanks! Looks like I’m going to buy a certificate soon and will try it out then.

Appreciate the help.