srvrco / getssl

Obtain free SSL certificates from the letsencrypt ACME server. Suitable for automating the process on remote servers.
GNU General Public License v3.0

incorrect file fetched for CA_CERT_LOCATION #852

Closed nikdow closed 3 months ago

nikdow commented 3 months ago

Describe the bug
We have 50-70 or so domains on one webserver. All are using getssl with a similar config file, which contains this line: CA_CERT_LOCATION="/etc/ssl/chain.crt". So the chain.crt file is overwritten each time a domain certificate gets updated. From about 1 week ago, the chain.crt started causing errors for some clients. For example Chrome is OK but Safari refuses to connect, and various robots that are using Curl stopped working. We used https://whatsmychaincert.com/? to test and this finds a problem with chain.crt.

To Reproduce
Steps to reproduce the behavior:

  1. run getssl to renew a certificate

Expected behavior
chain.crt should be valid for all clients

Operating system (please complete the following information):

Additional context
Here's an error from a PHP robot: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

githubRover commented 3 months ago

Sharing the chain file among many leaf certs was never recommended.

And, starting 8 days ago any one leaf may be signed by different intermediate certs. You should start using the chain.pem returned for the issued leaf. Or, use the "fullchain.pem" file which includes the leaf and its intermediate(s).

See this Let's Encrypt announcement https://letsencrypt.org/2024/03/19/new-intermediate-certificates

And this https://community.letsencrypt.org/t/deploying-lets-encrypts-new-issuance-chains/216486

Questions or concerns should be posted at the community support. It is not unique to getssl https://community.letsencrypt.org/
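The mismatch described above can be caught before a shared chain file is overwritten. This is an added example, not getssl's own code and not from the issue: a shell check that a chain file's first certificate is the issuer the leaf names and that the path verifies, exercised against a constructed toy PKI with two intermediates standing in for different issuing CAs. The function names, file names and "Toy" subjects are assumptions.

```shell
#!/bin/sh
# Added example, not part of getssl or this issue: check that a chain file
# really belongs to a leaf before it is deployed. A chain.crt shared by many
# leaves goes stale once leaves start coming from different intermediates.
set -eu

# chain_matches_leaf LEAF CHAIN ROOT: succeed only if the first cert in CHAIN
# is the issuer named by LEAF and the full path verifies up to ROOT.
chain_matches_leaf() {
  leaf=$1; chain=$2; root=$3
  issuer=$(openssl x509 -in "$leaf" -noout -issuer)
  subject=$(openssl x509 -in "$chain" -noout -subject)   # reads first cert only
  [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
  openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" >/dev/null 2>&1
}

# make_toy_pki: constructed throwaway PKI (one root, two intermediates standing
# in for different issuing CAs, one leaf under each). Prints its directory.
make_toy_pki() {
  d=$(mktemp -d)
  (
    cd "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
      -subj "/CN=Toy Root" -days 2 >/dev/null 2>&1
    printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
    for ca in intA intB; do
      openssl req -newkey rsa:2048 -nodes -keyout "$ca.key" -out "$ca.csr" \
        -subj "/CN=Toy $ca" >/dev/null 2>&1
      openssl x509 -req -in "$ca.csr" -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -out "$ca.pem" -days 2 >/dev/null 2>&1
      openssl req -newkey rsa:2048 -nodes -keyout "leaf_$ca.key" -out "leaf_$ca.csr" \
        -subj "/CN=leaf-$ca.example" >/dev/null 2>&1
      openssl x509 -req -in "leaf_$ca.csr" -CA "$ca.pem" -CAkey "$ca.key" \
        -CAcreateserial -out "leaf_$ca.pem" -days 2 >/dev/null 2>&1
    done
  )
  echo "$d"
}

# Stand-alone demo: the matching chain passes, the stale shared one fails.
D=$(make_toy_pki)
chain_matches_leaf "$D/leaf_intA.pem" "$D/intA.pem" "$D/root.pem" && echo "intA chain OK for leaf_intA"
chain_matches_leaf "$D/leaf_intB.pem" "$D/intA.pem" "$D/root.pem" || echo "intA chain WRONG for leaf_intB"
```

In a getssl setup this is the check to run on the chain.pem or fullchain.pem delivered with each leaf rather than on one shared CA_CERT_LOCATION file.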

nikdow commented 3 months ago

> Sharing the chain file among many leaf certs was never recommended.
>
> And, starting 8 days ago any one leaf may be signed by different intermediate certs. You should start using the chain.pem returned for the issued leaf. Or, use the "fullchain.pem" file which includes the leaf and its intermediate(s).
>
> See this Let's Encrypt announcement https://letsencrypt.org/2024/03/19/new-intermediate-certificates
>
> And this https://community.letsencrypt.org/t/deploying-lets-encrypts-new-issuance-chains/216486
>
> Questions or concerns should be posted at the community support. It is not unique to getssl https://community.letsencrypt.org/

Thanks very much for this information. We will re-design our apache configuration.

nikdow commented 3 months ago

Closing this as solved.