What is a certificate chain and why does it matter?

The chain links your server's certificate to a trusted root CA via intermediate certificates. Without intermediates, some clients (especially mobile) will not trust your certificate even if it is valid.

Can I use Let's Encrypt for internal servers?

Only if the server has a public domain name. Let's Encrypt validates domain ownership via HTTP or DNS challenges requiring public accessibility. For internal-only servers, use a private CA or self-signed certs.

Linux SSL/TLS Certificate Errors — Let's Encrypt, Chain, and Renewal Troubleshooting

Errorsecurity

Overview

Fix Linux SSL certificate errors including Let's Encrypt renewal failures, certificate chain issues, expired certificates, and certbot troubleshooting.

Key Details

Let's Encrypt provides free SSL certificates via certbot — auto-renewal is critical
Certificate chain must include: server cert + intermediate cert(s) — root cert is pre-installed in browsers
Certbot renewal runs via cron or systemd timer — check with certbot renew --dry-run
Certificates expire after 90 days (Let's Encrypt) — missed renewals cause site downtime
Certificate errors can prevent email delivery (Postfix TLS), API calls (curl), and web browsing

Common Causes

Let's Encrypt certbot renewal failed silently — no notification configured
Certificate chain incomplete — intermediate certificate missing from server config
Port 80 blocked by firewall preventing HTTP-01 ACME challenge validation
certbot installed via OS package (outdated) instead of snap (current)
Web server config pointing to old certificate path after certbot renewal

Steps

1Check certificate expiry: openssl s_client -connect domain.com:443 2>/dev/null | openssl x509 -noout -dates
2Test renewal: certbot renew --dry-run to verify renewal will succeed
3Fix HTTP-01 challenge: ensure port 80 is open and the web server serves /.well-known/acme-challenge/
4Install certbot via snap (recommended): sudo snap install --classic certbot
5Check full certificate chain: openssl s_client -connect domain.com:443 -showcerts
6Force renewal: certbot renew --force-renewal (use sparingly — Let's Encrypt has rate limits)

Related Items

linux-ssl-tls-certificate-errors

More in Security

windows-defender-errorsWindows Defender Errors — Antivirus Not Working or Updating

Error

windows-error-0x80073b01-defender-serviceWindows Error 0x80073B01 — Windows Defender Service Failed to Start

Error

windows-bitlocker-recovery-key-errorsBitLocker Recovery Key Errors — Drive Locked and Recovery Key Not Found

Critical

mac-gatekeeper-app-blockedMac Gatekeeper — App Cannot Be Opened (Unidentified Developer)

Warning

mac-filevault-recovery-errorsMac FileVault Errors — Encryption, Decryption & Recovery Key Issues

Error

mac-keychain-errors-passwordsMac Keychain Errors — Password Prompts, Locked Keychain, and Repair Guide

Warning

Frequently Asked Questions

Certbot via snap sets up a systemd timer automatically. Verify with systemctl status certbot.timer. For manual installs, add '0 0 * * * certbot renew --quiet' to root's crontab.

Linux SSL/TLS Certificate Errors — Let's Encrypt, Chain, and Renewal Troubleshooting

Overview

Key Details

Common Causes

Steps

Tags

Related Items

More in Security

Frequently Asked Questions