Roots Discourse

Chain Cert 2 and Root missing - LetsEncrypt

I just stumbled upon an issue with the LetsEncrypt certification.

I’m setting up a service between a POS system and WooCommerce.
The support team of the service told me that their service doesn’t work due to missing security credentials.

Good SSL:
All Four Certificate Chains Found!: Your Cert, Chain Cert 1, Chain Cert 2 and Root

Bad & Inadequate SSL Installation:
Missing, Chain Cert 2 and Root

So I wonder if that’s simply not possible with LetsEncrypt, or is the setup missing something maybe? Wasn’t able to find anything in the forum about this, so I thought it might be interesting to talk about.

Is the Chain Cert 2 and Root something I only get with a paid SSL certificate?

Tested the SSL certificate with


I’m a bit confused… the only SSL certificate you’re using is a LE one auto-generated by Trellis, correct?

We do automatically handle creating a bundled certificate with the intermediate one. I just analyzed our own site and that site says the Root cert is missing too. However, I don’t believe you need root certificates in your chain. The browsers already know about them. You only need the intermediate ones.

Did something not actually work, or are they just using the results of that sslchecker site to say it’s missing something?

If so, it sounds like they shouldn’t be relying on that site.


All operating systems contain a set of default trusted root certificates. But Certificate Authorities usually don’t use their root certificate to sign customer certificates. They use so-called intermediate certificates instead, because these can be rotated more frequently.

If not all intermediate certificates are installed on your server, some clients —mostly mobile browsers— will think you are on an insecure connection. This results in ‘untrusted’ warnings like the following:

Thanks @swalkinshaw

I’m a bit confused… the only SSL certificate you’re using is a LE one auto-generated by Trellis, correct?


I see your point and it makes sense. I think it’s just a restriction by them but I wanted to make sure first it’s not an issue from our/Trellis side.


How do I test this exactly? I tried with the certificates on the production server, e.g. /etc/nginx/ssl/letsencrypt/ but that didn’t work.

For now I feel like I will have to get a paid SSL certificate to make it work with their service. Btw, I’m talking about syncing WooCommerce with Lightspeed, in case anyone is interested.

I think that should work as long as it’s the non-bundled version. I’ve only ever used that site for manual certs though. So if you bought an SSL cert you paste it in there and they build the full chain bundle.

I see. Thanks! Looks like I’m going to buy a certificate soon and will try it out then.

Appreciate the help.
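
Added example, not part of the thread and not Trellis's code: a standard-library Python check of what a PEM bundle (such as the one Nginx is configured with) actually contains, following the point made in the thread that a server needs to send its own certificate plus the intermediates, while the root is optional. It only inspects issuer/subject structure and does not verify signatures or expiry; the function names and the script name are assumptions.

```python
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read the DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)        # enter Certificate
    _, pos, _ = _tlv(der, pos)      # enter TBSCertificate
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                 # optional [0] version precedes the serial
        _, _, end = _tlv(der, end)  # serialNumber
    _, _, pos = _tlv(der, end)      # skip signature AlgorithmIdentifier
    _, _, end = _tlv(der, pos)
    issuer = der[pos:end]
    _, _, pos = _tlv(der, end)      # skip validity
    _, _, end = _tlv(der, pos)
    return issuer, der[pos:end]

def check_bundle(pem_text):
    """Summarise what a server presenting this PEM bundle sends to clients."""
    names = [issuer_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if not names:
        raise ValueError("no certificates found")
    # Names are compared byte-for-byte, a simplification of RFC 5280 matching.
    ordered = all(names[i][0] == names[i + 1][1] for i in range(len(names) - 1))
    issuer, subject = names[-1]
    includes_root = len(names) > 1 and issuer == subject
    return {
        "certs": len(names),
        "ordered": ordered,              # each cert is issued by the next one
        "includes_root": includes_root,  # optional: clients already hold roots
        "intermediates": len(names) - 1 - includes_root,
        "leaf_only": len(names) == 1 and issuer != subject,  # no intermediates sent
    }

if __name__ == "__main__":
    # Usage (script name is an assumption): python3 check_bundle.py <bundle.pem>
    with open(sys.argv[1]) as fh:
        print(check_bundle(fh.read()))
```

A result with `leaf_only` set is the case that produces the "untrusted" warnings mentioned above; `includes_root` being false is not a fault.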