Recently, while putting together the site for our annual Kong Game challenge, I ran into a problem when trying to set up the page metadata and Open Graph tags. Specifically, the Facebook Sharing Debugger was failing to retrieve any metadata on my page!
The problem
It wasn’t exactly clear what the problem was at first glance, but the first line of the debugger immediately gave an error:
| SSL Error | Can’t validate SSL Certificate. Either it is self-signed (which will cause browser warnings) or it is invalid. |
|---|
When I went to check out what Facebook’s scraper sees (at the bottom of the Sharing Debugger page), I thought Facebook had a bug, because the link to what the scraper sees loaded a blank page.
It took me awhile to realise the blank page wasn’t an error, but that Facebook really wasn’t able to glean any information from my web page.
How the issue was fixed
The only thing I could work on was the SSL error, and that was the first thing I tried to fix. After some Googling, and a really helpful article (which ironically did not have a valid SSL cert at the time of writing this article), I found out that my SSL certificate for the website was missing the full certificate chain, which made Facebook unable to verify where the certificate came from.
What is a certificate chain?
Basically, for an SSL certificate to be considered valid, it has to come from a certificate authority. These certificate authorities, in some cases, also have another certificate authority they are certified by so that they can issue SSL certificates. The full certificate chain contains not only your own SSL cert, but also the certs of all certificate authorities that are behind the certification of your SSL cert, and it allows an entity to verify whether the SSL certificate is valid.
Most SSL checkers only check if your immediate certificate authority is valid, but some (like Facebook’s Sharing Debugger), also check if the certificate authorities up your chain are valid.
Article continues after the advertisement:
Fixing it was really simple — because my SSL certificate was generated by Let’s Encrypt, my web server already had the cert file with the full certificate chain. I just didn’t use it. All I had to do was head into my Apache configuration file, and update the SSL key path for my website.
<VirtualHost _default_:443>
DocumentRoot /var/www/konggame.terresquall.com
SSLCertificateFile /etc/letsencrypt/live/konggame.terresquall.com/certfullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/konggame.terresquall.com/privkey.pem
</VirtualHost>
For Nginx users, the configuration file will be slightly different:
server {
listen 443 ssl;
server_name konggame.terresquall.com;
ssl_certificate /etc/letsencrypt/live/konggame.terresquall.com/certfullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/konggame.terresquall.com/privkey.pem
}
What if I don’t have the full certificate chain?
If your certificate is not generated by Let’s Encrypt, and you don’t have the full certificate chain, you can go to What’s My Chain Cert to generate the certificate chain.
Is it possible for me to fix this if I use a cPanel-based hosting service?
Absolutely. Most cPanel hosting services have some kind of SSL manager module that allows you to upload and download your SSL certificates. You’ll want to use that to download your SSL certificate, then use What’s My Chain Cert to generate the full chain, then upload the SSL certificate and use it.
Conclusion
This is a real short article, but I hope it helped! If you have fixed this using some other way that is not covered in this article, feel free to elaborate on what you did to fix your issue in the comments section below.