What's the difference between cert.pem and fullchain.pem?

cert.pem contains only your domain certificate. fullchain.pem contains your certificate plus intermediate CA certificates. Always use fullchain.pem in web server config — without it, some clients (especially mobile browsers) can't verify the certificate chain and will show security warnings.

Can I use a self-signed certificate for production?

Technically yes, but practically no. Browsers show scary warnings, API clients reject connections by default, and users must manually trust the cert. Use Let's Encrypt for free, automated, trusted certificates. Only use self-signed for internal testing or if you have a private CA infrastructure.

Why did certbot renewal fail silently?

Common causes: (1) Port 80 blocked by firewall during HTTP challenge, (2) DNS changes made domain unreachable, (3) nginx/Apache not reloaded after renewal, (4) Rate limits hit from too many renewal attempts. Check /var/log/letsencrypt/letsencrypt.log for specific errors. Test with --dry-run before real renewal.

Should I use Caddy or nginx for SSL?

Caddy automatically obtains and renews Let's Encrypt certificates with zero configuration — just specify your domain. nginx requires certbot setup and manual config. For simplicity, use Caddy. For fine-grained control over SSL settings, cipher suites, and complex routing, use nginx.

🔧Troubleshooting

How to Fix OpenClaw SSL Certificate Errors

Intermediate30-60 minutesUpdated 2025-03-01

SSL certificate errors prevent secure HTTPS access to your OpenClaw instance and can break integrations that require valid certificates. Common issues include expired certificates, incomplete certificate chains, self-signed certificates being rejected by clients, and auto-renewal failures. This guide walks through diagnosis and fixes for all SSL scenarios.

Why This Is Hard to Do Yourself

These are the common pitfalls that trip people up.

📅

Certificate expired without renewal

Let's Encrypt certs expire after 90 days, auto-renewal failed silently

🔗

Incomplete certificate chain

Missing intermediate certificates causing "unable to verify" errors in some clients

⚠️

Self-signed certificate warnings

Browsers and tools rejecting self-signed certs, breaking API integrations

🔄

Auto-renewal not configured

Certbot or acme.sh not set up with cron, requiring manual renewal every 3 months

Step-by-Step Guide

Step 1

Check certificate expiration date

Verify when your current certificate expires and if it's still valid.

Step 2

Verify certificate chain completeness

Ensure the full certificate chain is configured, including intermediate certificates.

Step 3

Configure Let's Encrypt auto-renewal

Set up certbot to automatically renew certificates before expiration.

Step 4

Fix mixed content warnings

Ensure all resources load over HTTPS to avoid browser security warnings.

Step 5

Test SSL configuration quality

Verify your SSL setup follows best practices and has no vulnerabilities.

Step 6

Set up certificate monitoring and alerts

Get notified before certificates expire to prevent outages.

SSL Issues Blocking Your Users?

Our security experts configure production-grade SSL/TLS with auto-renewal, perfect forward secrecy, and A+ SSL Labs ratings. Get bulletproof HTTPS without certificate expiry surprises.

Browse Setup & Installation experts →

Learn more about our expert service →

Get matched with a specialist who can help.

Frequently Asked Questions

Related Guides

🔧Troubleshooting

How to Fix OpenClaw 502 Bad Gateway Errors

Intermediate30-60 minutes

🚀Setup & Installation

How to Configure OpenClaw Gateway with HTTPS

Intermediate30-60 minutes