When using SSLCertificateChainFile with certificates belonging to different chains, httpd sends all certificates to the client instead of only the chain. Although most browsers accept it, some clients refuse this (like Facebook and LinkedIn preview clients). Only certificates belonging to the current chain should be sent.
Can you give an example configuration? If you set SSLCertificateChainFile on virtualhost level it should do what you want. Alternatively have you checked not using SSLCertificateChainFile and instead putting the chain in the same file as the certificate?
Putting the chain in the same file as the certificate is not compatible with storing the private key in the same file. I tried all combinations.

Set SSLCertificateChainFile on virtualhost level is indeed an option.

Example of file:

-----BEGIN CERTIFICATE-----
CA1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root2
-----END CERTIFICATE-----
(In reply to Marc Stern from comment #2)
> Putting the chain in the same file as the certificate is not compatible with
> storing the private key in the same file. I tried all combinations.
>
> Set SSLCertificateChainFile on virtualhost level is indeed an option.

So this solves your problem?
It's a work-around, yes. But people may wonder for long why their site isn't working with Facebook/LinkedIn publishing (and all other tools using the same library).
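The per-virtual-host workaround discussed in this thread, as an added configuration sketch that is not part of the original report or of the httpd project's documentation. Host names and file paths are hypothetical; chain1.pem and chain2.pem are assumed to hold the CA1/Root1 and CA2/Root2 halves of the mixed file shown in comment #2.

```apache
# Problem setup from the report: one server-level chain file that mixes
# two unrelated chains (CA1/Root1 and CA2/Root2). Every handshake then
# carries all four certificates, which some strict clients reject.
#
#   SSLCertificateChainFile /etc/httpd/ssl/all-chains.pem

# Workaround: split the bundle and reference each chain only from the
# virtual host whose leaf certificate it actually issued.

<VirtualHost *:443>
    # Hypothetical site whose certificate was issued by CA1
    ServerName site1.example.com
    SSLEngine on
    # Leaf certificate and private key kept together in one file,
    # as in the reporter's setup
    SSLCertificateFile      /etc/httpd/ssl/site1-cert-and-key.pem
    # Contains only CA1 and Root1
    SSLCertificateChainFile /etc/httpd/ssl/chain1.pem
</VirtualHost>

<VirtualHost *:443>
    # Hypothetical site whose certificate was issued by CA2
    ServerName site2.example.org
    SSLEngine on
    SSLCertificateFile      /etc/httpd/ssl/site2-cert-and-key.pem
    # Contains only CA2 and Root2
    SSLCertificateChainFile /etc/httpd/ssl/chain2.pem
</VirtualHost>
```

Running `openssl s_client -connect host:443 -servername host -showcerts` against each virtual host lists the certificates actually sent, which confirms that only that host's own chain is presented.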