SSL 'Incorrect Order, Extra Certs' Error

Submitted by Tom Thorp on Tuesday, April 30, 2019 - 18:03
Modified on Tuesday, September 1, 2020 - 02:13
SSL HTTPS Green Lock
After successfully transitioning my websites between hosting providers, I wanted to do an overall healthcheck on my websites, which included testing SSL certificates. To do this, I used an online testing tool called "SSL Server Test" by Qualys SSL Labs. 
Qualys' "SSL Server Test" is considered the standard when testing your SSL certificates. Not only does it test your SSL certificates, it does a deep analysis of your SSL web server infrastructure and flags any security holes that need to be tended. Zero day exploits such as DROWN, Heartbleed and POODLE are all tested for. If you want a secure website and server, then this is the tool you should check it with. 
To resolve the 'Incorrect Order, Extra Certs' error, you first have to consider the web server your website is running on. Here I have provided example configuration files for nginx and Apache web servers, for you to customize in your own web server configuration. 


For nginx web servers, make sure your configuration is of the form 
server {
    listen              443 ssl;
where the chained certificate ( ) is the result of combining your signed certificate with your intermediate certificate. Thus 
cat bundle.crt >


For apache web servers, you will need to find out the version you are running.
The reason the version number is important, is because an important configuration change was made to Apache web servers in how SSL certificates are treated. Prior to v2.4.8, the signed certificate and intermediate certificate were treated as individual entities. Now, only one line entry is required to read either a signed certificate, or a bundled ( signed+intermediate ) certificate.
To find the version of Apache you are running, from the terminal type
httpd -v
For Apache versions prior to v2.4.8, the intermediate file ( chain.pem ) and signed certificate ( cert.pem ) are kept on separate lines in your VirtualHost configuration.
<VirtualHost *:443>
    SSLCertificateChainFile '/full/path/to/chain.pem'                                                                                                       
    SSLCertificateKeyFile '/full/path/to/privkey.pem'                                                                                                            
    SSLCertificateFile '/full/path/to/cert.pem'
For v2.4.8 and later, the combined signed certificate and intermediate file ( fullchain.pem ) is used. 
<VirtualHost *:443>
    SSLCertificateKeyFile '/full/path/to/privkey.pem'                                                                                                            
    SSLCertificateFile '/full/path/to/fullchain.pem'
If you attempt to use SSLCertificateChainFile in your v2.4.8+ server configuration, then you will receive a deprecation warning.
SSLCertificateChainFile is deprecated

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.


I hope this article explains how to correctly configure your SSL certificates on your web server. There are many other tweaks to SSL that can be used in your configuration. Use  Qualys' "SSL Server Test" tool liberally in your test environment, to test any configuration changes it may recommend, before implementing into your production environment. 

About the author

Tom Thorp
Tom Thorp is an IT Consultant living in Miami on Queensland's Gold Coast. With over 30+ years working in the IT industry, Tom's experience is a broad canvas. The IT services Tom provides to his clients, includes :
Website development and hosting
Database Administration
Server Administration (Windows, Linux, Apple)
PABX Hosting and Administration
Helpdesk Support (end-user & technical).
  If you like any of my content, consider a donation via Crypto by clicking on one of the payment methods :