ErrorNotes

Fixing SSL Error: error:140AB022:SSL routines:SSL_CTX_use_Certificate:diff orders of certificates

intermediate🔒 SSL/TLS2026-06-26| Linux (Ubuntu, CentOS, Debian), Nginx, Apache HTTPD, OpenSSL

Error Message

error:140AB022:SSL routines:SSL_CTX_use_Certificate:diff orders of certificates
#nginx#apache#ssl-certificate#openssl#devops

The Problem

You’ve just downloaded your fresh SSL certificates from a provider like Sectigo, DigiCert, or Let's Encrypt. You follow the usual steps: you combine your domain certificate and the intermediate files into a single .crt bundle. But when you try to reload Nginx or Apache, the service hits a wall.

Instead of a green "active" status, the service fails to start. When you dig into the error logs or run a configuration test, you see this OpenSSL complaint:

nginx: [emerg] SSL_CTX_use_Certificate("/etc/nginx/ssl/bundle.crt") failed 
(SSL: error:140AB022:SSL routines:SSL_CTX_use_Certificate:diff orders of certificates)

Why This Happens

This error is OpenSSL’s blunt way of saying your certificate file is out of order. Web servers are picky. They read the certificate bundle from top to bottom and expect to see a specific hierarchy. If the server encounters an intermediate certificate before it finds your actual domain certificate, it gives up.

To satisfy the web server, your bundle file must follow a strict "leaf-to-root" sequence:

  • The Server (Leaf) Certificate: Your specific domain certificate (e.g., example.com).
  • Intermediate Certificate(s): The bridge certificates provided by your CA.
  • Root Certificate: The top-level CA certificate (often optional, as most browsers already have it).

Most of the time, this error pops up because you accidentally appended the domain certificate to the end of the file instead of placing it at the very top.

The Fix: Reordering Your Certificate Bundle

Fixing this requires a quick manual edit of your certificate blocks. Each block is a chunk of encoded text starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.

Step 1: Inspect the File Content

Don't guess which block is which. You can use OpenSSL to peek inside the bundle.crt file and see which certificate is currently sitting at the top.

Run this command to check the identity of the first certificate in the file:

openssl x509 -in bundle.crt -text -noout | grep -E 'Subject:|Issuer:'

Check the Subject line in the output. If it shows your domain (e.g., CN = example.com), the first block is correct. However, if the Subject shows a CA name like CN = Sectigo RSA Organization Validation, you’ve found the problem. The intermediate certificate is in the wrong spot.

Step 2: Correct the Sequence

Open your bundle file with a text editor like nano or vim:

sudo nano /etc/nginx/ssl/bundle.crt

Rearrange the blocks so they follow this exact pattern. Make sure there are no extra spaces or empty lines between the END and BEGIN tags:

-----BEGIN CERTIFICATE-----
(Your Domain Certificate: example.com)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate Certificate 1: e.g., Sectigo RSA DV Bundle)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate Certificate 2 - if provided)
-----END CERTIFICATE-----

Step 3: Verify the New Structure

Before restarting your web server, let OpenSSL validate the file. This command simulates the server's loading process:

openssl x509 -in /etc/nginx/ssl/bundle.crt -noout -text

If the command returns your domain's technical details without the "diff orders" error, you’ve successfully fixed the chain.

Applying the Changes

For Nginx

Nginx relies on the ssl_certificate directive to point to this combined file. Ensure your server block looks like this:

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
}

Check for syntax errors with nginx -t. If it passes, reload the service: systemctl reload nginx.

For Apache

In Apache 2.4.8 and newer, the SSLCertificateFile directive should point to your newly ordered bundle. This single file now handles both the domain certificate and the chain.

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/bundle.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
</VirtualHost>

Run apachectl configtest to confirm everything is valid. If you see Syntax OK, restart the service: systemctl restart apache2.

Confirming the Results

Once your server is back online, verify the chain from the outside. You can use a browser, but the openssl s_client tool provides much more detail:

openssl s_client -connect localhost:443 -showcerts

Look for the "Certificate chain" section. You should see your domain at level 0 and the intermediate at level 1. If this sequence is visible, your "diff orders" error is officially a thing of the past.

Related Error Notes

Fix error:0906D06C:PEM routines:PEM_read_bio:no start line When PEM File Is Malformed

error:0906D06C:PEM routines:PEM_read_bio:no start line

Fix SSL Error: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

Fixing 'SSL error: decryption failed or bad record mac' in Database Connections

SSL error: decryption failed or bad record mac