LetsEncrypt 'chain incomplete'

I provisioned a server to try out LetsEncrypt. Running the Qualys SSL Labs test, it gets a B rating because:

This server’s certificate chain is incomplete.

I didn’t change anything other than setting my URLs and host configs. My concern is that this gives me errors on Firefox 44.02:

Your connection is not secure

The owner of littoral.co has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

littoral.co uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. (Error code: sec_error_unknown_issuer)

It also shows up as “Not Trusted” on Safari (iOS 9.3). Is this an issue that can be resolved by configuration changes? (This thread may be relevant.)

Trellis automatically creates the bundled chain. Maybe something went wrong in your case.

You can see where it happens here: https://github.com/roots/trellis/blob/baffeb7684f74ef2aa39ac0c2e2d1bb2d71cc7fb/roles/letsencrypt/templates/renew-certs.py#L45-L49

You can also verify the certificate on your server at /etc/nginx/ssl/letsencrypt/<site name>-bundled.cert. There should be 2 certificate blocks of text in there.

There are two certificate blocks in that file, so it seems to have worked as expected. Would there be something in the nginx configs that could be causing this issue? It does appear to be loading the correct certificate:

    ssl_certificate         /etc/nginx/ssl/letsencrypt/<sitename>-bundled.cert;
    ssl_certificate_key     /etc/nginx/ssl/letsencrypt/<sitename>.key;

I tried this again with a different domain/fresh VPS—still getting the ‘chain incomplete’ problem. No errors during the letsencrypt task. Anything I can provide for debugging purposes? Thanks in advance.

You could provide the contents of the bundled cert. This is the public key so it’s fine to share. Or you could make sure that the 2nd (last) cert in bundled chain matches this: https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
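The check suggested above (two PEM blocks in the bundle, last block identical to the published intermediate) can be scripted. The following is an added example, not Trellis code or anything from the thread; it uses only the Python standard library, so it compares the DER bytes of each block rather than parsing X.509 fields. The certificate bytes, the bundle and the `known_intermediates` names below are constructed placeholders (valid DER SEQUENCEs, not real certificates); in real use you would read `<site>-bundled.cert` from the server and the reference PEMs from https://letsencrypt.org/certs/.

```python
"""Check a Let's Encrypt-style bundled PEM file: a leaf certificate followed by
exactly one intermediate, and confirm the intermediate is one of a set of
known reference intermediates (compared by SHA-256 of the DER encoding).
"""
import base64
import hashlib
import re

# Matches the body between the BEGIN/END markers of each CERTIFICATE block.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_blocks(pem_text):
    """Return the base64 body of every CERTIFICATE block, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def der_of(pem_body):
    """Decode a PEM body to DER and sanity-check that it starts a DER SEQUENCE (0x30)."""
    der = base64.b64decode("".join(pem_body.split()))
    if not der or der[0] != 0x30:
        raise ValueError("block is not a DER SEQUENCE, so it cannot be a certificate")
    return der


def fingerprint(der):
    """SHA-256 fingerprint of the DER bytes, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def check_bundle(bundle_pem, known_intermediates):
    """Validate the bundle's structure and name the intermediate it carries.

    bundle_pem:           contents of <site>-bundled.cert
    known_intermediates:  {name: pem_text} of reference intermediates
    Returns the matching name; raises ValueError describing the defect.
    """
    blocks = split_pem_blocks(bundle_pem)
    if len(blocks) != 2:
        raise ValueError(
            f"expected 2 certificate blocks (leaf + intermediate), found {len(blocks)}"
        )
    leaf_der, chain_der = der_of(blocks[0]), der_of(blocks[1])
    if leaf_der == chain_der:
        raise ValueError("both blocks are the same certificate; intermediate is missing")
    chain_fp = fingerprint(chain_der)
    for name, ref_pem in known_intermediates.items():
        ref_blocks = split_pem_blocks(ref_pem)
        if len(ref_blocks) != 1:
            raise ValueError(f"reference {name} must contain exactly one certificate")
        if fingerprint(der_of(ref_blocks[0])) == chain_fp:
            return name
    raise ValueError(
        f"intermediate {chain_fp[:16]}... is not one of the known intermediates"
    )


def bundle_problem(bundle_pem, known_intermediates):
    """Convenience wrapper: the error message as a string, or None if the bundle is fine."""
    try:
        check_bundle(bundle_pem, known_intermediates)
        return None
    except ValueError as exc:
        return str(exc)


def pem_wrap(der):
    """Wrap DER bytes in PEM armour (base64 with line breaks)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed placeholders: minimal DER SEQUENCEs standing in for real certificates.
LEAF_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"   # SEQUENCE { INTEGER 1, INTEGER 2 }
X1_DER = b"\x30\x03\x02\x01\x01"                 # SEQUENCE { INTEGER 1 }
X3_DER = b"\x30\x03\x02\x01\x03"                 # SEQUENCE { INTEGER 3 }

# Constructed reference set; real files would be downloaded from letsencrypt.org/certs/.
KNOWN_INTERMEDIATES = {
    "lets-encrypt-x1-cross-signed": pem_wrap(X1_DER),
    "lets-encrypt-x3-cross-signed": pem_wrap(X3_DER),
}

# Constructed bundle in the same layout as <site>-bundled.cert: leaf, then intermediate.
SAMPLE_BUNDLE = pem_wrap(LEAF_DER) + pem_wrap(X1_DER)

if __name__ == "__main__":
    print("bundle carries:", check_bundle(SAMPLE_BUNDLE, KNOWN_INTERMEDIATES))
    print("leaf only:", bundle_problem(pem_wrap(LEAF_DER), KNOWN_INTERMEDIATES))
```

Accepting any of a set of known intermediates, rather than a single hardcoded one, also surfaces the failure mode where the CA has moved to a new issuing certificate: the bundle still has two blocks, but the second one is not the intermediate that signed the leaf, and the script reports which one it actually found.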

@ned I figured out what’s going on here. Let’s Encrypt has “upgraded” to their new authority X3. We were hardcoding their X1 intermediate certificate which is incompatible with X3.

I’ll be updating Trellis very soon to switch to X3 which is their new default.

More here: https://letsencrypt.org/certificates/


See https://github.com/roots/trellis/pull/534. Very small change.
