Bug: Deploy to apache - missing chain

Hi,

in the current version of certify the chain is missing if your deploy to apache.

Output filepath for cert → works as expected
Output filepath for key → works as expected
Output filepath for full chain → leaf cert is inside but the chain is missing
Output filepath for CA chain → creates an empty file

I don’t no the versions excactly, but with 6.0.13 it works and with 6.0.18 it isn’t working .

Thx.

Hi,

Can you check your source PFX file has the intermediates in the chain (using certutil or openssl)?

Systems may vary depending on Key Type (RSA or EC) and whether the system already trusts the CA root properly.

I can confirm in my own testing just now on a production server using Deploy to Apache, issuing from Let’s Encrypt:

  • cert.pem has leaf cert
  • privkey.pem has private key
  • fullchain.pem has leaf cert then intermediate cert (R11) in this case
  • chain.pem has R11 intermediate

So there is something different happening in the chain building for your PFX. The app would previously fail to renew certs on systems that didn’t have the CA root in the Computer Certificate trust store ( Trusted Certification Authorities) and a common problem on windows is broken windows updates or CA root cert downloads disabled or blocked.

Can you check your system has ISRG Root X1 issued by ISRG Root X1 (not by DST Root CA X3)?