Untrusted and Missing Intermediate Certificate Error on Apache

Diagnosis:

The site is accessible over HTTPS in most browsers; however, browsers on mobile devices show an error stating that the certificate is not trusted.

Online checkers report the same result, or show that the chain of intermediate certificates is missing.

Causes

There may be several causes of this issue:

  • The SSLCACertificateFile directive in the VirtualHost section of the server's .conf file (httpd-ssl.conf, ssl.conf, virtual-host.conf, or *yourdomain*.conf in the /sites-available directory; in older Apache versions the directive may be called SSLCertificateChainFile instead) is either commented out (e.g., #SSLCACertificateFile) or points to the wrong SSL Intermediate Certificate file.
  • The VirtualHost section of your .conf file is configured correctly with the appropriate files, but a different .conf file already defines a virtual host for the same IP address, port and server name as the one you are installing the SSL Certificate on.
  • If you are using Apache 2.4.8 or later, the issue may be caused by the CA bundle missing from the file specified in the SSLCertificateFile directive.

Note! The CA-bundle applicable for your certificate is included in the zip folder that can be downloaded from your Namecheap account. The instructions on how to download this file can be found here.
You can also download the necessary bundle from this article.

Solution:
  1. To fix the first cause, uncomment the line and make sure the SSLCACertificateFile directive points to CAbundle.crt.

    After that, restart Apache by running:

    sudo apachectl restart

  2. In the second case, the problem is usually that the other .conf file points to the wrong SSL Intermediate Certificate file. To find every .conf file that specifies an Intermediate Certificate, run this command from the Apache configuration directory:
    grep -r --include=*.conf 'SSLCACertificateFile' ./

    The output lists each .conf file that sets the directive, together with the path it points to.

    In the setup this article describes, apache2.conf specifies an incorrect bundle, and since apache2.conf is the main config file there, Apache reads the VirtualHost record from it first at startup.

    You need to either correct the file path and name in the main config file, or delete the duplicated VirtualHost from the other config file.

    Once the corrections are made, run the following command to restart Apache and apply the changes:
    sudo apachectl restart

  3. Starting from Apache 2.4.8, the “SSLCertificateChainFile” directive is obsolete. The chain of intermediate certificates should instead be appended to the file that holds the domain certificate.
    Once you have received the certificate files, run the command below:

    cat *yourdomainname*.crt *yourdomainname*.ca-bundle >> cert_chain.crt

    After that, specify cert_chain.crt as the SSLCertificateFile in the VirtualHost record of your configuration file.
    To apply the changes, run this command:

    sudo apachectl restart

To check the results, you can use this SSL checker: https://decoder.link/sslchecker/

If everything is set correctly, it will show no chain issues.

