WonderfulWorld

Reputation: 459

SSL Certificate Chain Incomplete

Can someone please explain what exactly the SSL Labs test's "This server's certificate chain is incomplete" means and how to fix it? Exact steps of what I did:

  1. Generate Let's Encrypt certificate via the Let's Encrypt client using the standalone module (./letsencrypt-auto --standalone)
  2. This yielded 4 files: cert1.pem, chain1.pem, fullchain1.pem, privkey1.pem
  3. Generate PKCS12 file to import the certificate:

openssl pkcs12 -export -in cert1.pem -inkey privkey1.pem -out cert_and_key.p12 -name certificate -CAfile fullchain1.pem -caname root

  4. Create the keystore:

keytool -importkeystore -deststorepass Pas5w0rd123 -destkeypass Pas5w0rd123 -destkeystore cert.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass Pas5w0rd123 -alias cert

keytool -import -trustcacerts -alias root -file chain1.pem -keystore cert.jks

  5. Now using the created cert.jks on a server and having it tested with SSL Labs, the SSL test reports this problem: "This server's certificate chain is incomplete."

Thanks very much in advance for your answers!

Upvotes: 1

Views: 3765

Answers (1)

pedrofb

Reputation: 39281

It seems that the certificate chain is missing the Let's Encrypt Authority X3 certificate.

Check that your pkcs12 really contains the private key, the public key and the certification chain. The best option is to use the GUI portecle (http://portecle.sourceforge.net/)

When creating the pkcs12, '-CAfile fullchain1.pem' should be '-certfile fullchain1.pem'.

Upvotes: 1
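
A local way to see the difference the answer points to, as an added example that is not part of the original thread: the script builds a throwaway CA and leaf certificate named after the question's files, exports the PKCS12 once with `-CAfile` and once with `-certfile`, and checks each bundle for the intermediate. The password, the `demo.example` name and "Demo Intermediate CA" (a stand-in for the real intermediate) are constructed values, and `p12_has_subject` and `build_demo` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example. All keys, certificates and the password are constructed
# throwaway values; only the file names mirror the question.
set -eu
PW='constructed-demo-pass'
CA_CN='Demo Intermediate CA'   # stand-in for the real intermediate

# Succeeds if PKCS12 file $1 contains a certificate whose subject matches $2.
p12_has_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$PW" -nokeys 2>/dev/null |
        grep -q "^subject.*$2"
}

# Create a CA and a leaf in directory $1, then export the leaf both ways.
build_demo() (
    cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$CA_CN" \
        -keyout ca.key -out chain1.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout privkey1.pem -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA chain1.pem -CAkey ca.key \
        -CAcreateserial -days 1 -out cert1.pem 2>/dev/null
    cat cert1.pem chain1.pem > fullchain1.pem

    # Question's form: without -chain, -CAfile adds nothing to the bundle.
    openssl pkcs12 -export -in cert1.pem -inkey privkey1.pem \
        -name certificate -CAfile fullchain1.pem -caname root \
        -out incomplete.p12 -passout "pass:$PW"
    # Answer's form: -certfile embeds the extra certificates.
    openssl pkcs12 -export -in cert1.pem -inkey privkey1.pem \
        -name certificate -certfile fullchain1.pem -caname root \
        -out complete.p12 -passout "pass:$PW"
)

WORK=$(mktemp -d)
build_demo "$WORK"
for f in incomplete.p12 complete.p12; do
    if p12_has_subject "$WORK/$f" "$CA_CN"; then
        echo "$f: intermediate present"
    else
        echo "$f: intermediate MISSING"
    fi
done
```

The same `openssl pkcs12 -in ... -nokeys` listing can be run against a real `cert_and_key.p12` before it is imported with keytool.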
