

CO-piBot: return = 48: CHAIN SIGNATURE NOT MATCHING CERT
The certification chain does not match the certificate hash algorithm (SHA1 / SHA256+)

The hash algorithm (MD5, SHA, SHA256, ...) used by the certification authority to sign your certificate does not match the hash algorithms of the certificates that make up the certification chain. In other words, one or more certificates in the chain are signed with a different hash algorithm. For example:

END ENTITY: www.my-domain-to-secure.com SHA256 with RSA
INTERMEDIATE 1: TBS X509 CA business 2 SHA384 with RSA
INTERMEDIATE 2: USERTrust RSA Certification Authority SHA384 with RSA
ROOT: AddTrust External CA Root SHA1 with RSA
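
The comparison described above can be reproduced on a PEM bundle (leaf certificate first) by reading each certificate's outer signatureAlgorithm OID and listing the certificates whose hash differs from the leaf's. This is an added example, not TBS or CO-piBot code; the function names and the `skeleton` sample builder are assumptions made for illustration, and the sample chain is constructed to carry the same hash sequence as the listing above.

```python
import base64, re

SIG_HASH = {  # signatureAlgorithm OID -> hash family (RSA and ECDSA signatures)
    "1.2.840.113549.1.1.4": "MD5", "1.2.840.113549.1.1.5": "SHA1",
    "1.2.840.113549.1.1.11": "SHA256", "1.2.840.113549.1.1.12": "SHA384",
    "1.2.840.113549.1.1.13": "SHA512",
    "1.2.840.10045.4.3.2": "SHA256", "1.2.840.10045.4.3.3": "SHA384",
}
PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def sig_hash(der):
    """Hash family named by a certificate's outer signatureAlgorithm field."""
    _, cert, _ = tlv(der, 0)            # Certificate ::= SEQUENCE
    _, _, tbs_end = tlv(der, cert)      # skip tbsCertificate
    _, alg, _ = tlv(der, tbs_end)       # signatureAlgorithm SEQUENCE
    tag, start, end = tlv(der, alg)     # its OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    arcs, val = [der[start] // 40, der[start] % 40], 0
    for b in der[start + 1:end]:        # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return SIG_HASH.get(".".join(map(str, arcs)), "unknown")

def chain_hashes(pem_bundle):
    """Per-certificate hash (leaf first) and indexes that differ from the leaf."""
    hashes = [sig_hash(base64.b64decode(b)) for b in PEM.findall(pem_bundle)]
    return hashes, [i for i, h in enumerate(hashes) if h != hashes[0]]

def skeleton(last_arc):
    """Constructed input: DER shell with an empty tbsCertificate, not a real cert."""
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    der = b"\x30" + bytes([len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed chain with the hash sequence SHA256, SHA384, SHA384, SHA1
SAMPLE_CHAIN = "".join(skeleton(arc) for arc in (11, 12, 12, 5))
```

To run it against a real installation, pass `chain_hashes` the PEM file configured on the server, with the server certificate first and the chain certificates after it.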

Consequences: HTTPS is crossed out in red

This incorrect installation / configuration on your server may trigger an alert message in some browsers such as Google Chrome. It can even lead to HTTPS being crossed out in red directly in the URL bar.

Troubleshooting

  • If you recently renewed or reissued your certificate, you may have forgotten to install the new certification chain. It is essential to install the most recently issued certificate together with its matching certification chain. Consult our installation instructions.

    Most common cases:

  • Have you forgotten to activate the new certificate for the different services / protocols of your Exchange or reverse proxy / firewall (VPN) server? Some servers / security interfaces are delivered with a self-signed certificate that is used by default. During your certificate installation you have to associate your certificate with the different services, replacing the former certificate. Consult your server / interface documentation.

  • Your server may not be correctly configured, so the certificate presented is not the one expected. If you have several certificates, you may have mixed them up. Is your DNS configuration OK?

  • Does your infrastructure include a reverse proxy? Have you installed your certificate on the right server / interface?

  • Have you bought several certificates with the same CN / FQDN (internet address)? CO-piBot may be running its tests on the wrong server: check the IP address used for the connection and the serial number of your certificate.

Useful links

Consult our online documentation to install your SSL server certificate correctly

Error message that can be encountered on browsers

Check your certificate installation with CO-piBot:

In your Certificates center, on your certificate status page, you'll see a "check your certificate" button. Click it to make sure your certificate has been installed correctly.