Hi everyone,
after spending the last days debugging TLS issues on my Axigen server, I’d like to share my findings — and ask the Axigen team for clarification about how ACME certificate handling is supposed to work.
I’m posting this because I suspect other administrators may run into the same issue.
ACME Does Not Create or Serve a Full Chain
It appears that Axigen’s internal ACME client does not generate or install a complete certificate chain. Instead, Axigen only writes:
- cert.pem → leaf certificate
- cert_priv.key → private key
- cert_auth.pem → intermediate certificate (R12 in my case)
However, Axigen does not generate a fullchain.pem nor does it automatically concatenate the intermediate into the served certificate chain for TLS listeners. As a result:
- Some clients (macOS) accept the certificate because they already have the intermediate cached.
- Other clients (iOS, older mail clients) reject the certificate because Axigen only sends the leaf certificate and not the chain.
The end result is that ACME-renewed certificates appear correct in the filesystem but Axigen does not actually serve a proper chain, causing TLS failures until manually corrected.
The only reliable workaround I found:
- Manually create a full chain file:
  cat cert.pem cert_auth.pem > fullchain.pem
- Point the Axigen listener to this custom file
Is this behavior intentional or a bug?
Maybe I have made some mistake.
Thank you for your help.
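Added example (not Axigen's code and not part of the post above): a standard-library-only script that builds fullchain.pem the way the workaround does and checks that the result is ordered leaf first, each certificate issued by the next, which is the order TLS requires the server to send. File names cert.pem and cert_auth.pem are taken from the post; the sample certificates are constructed, unsigned stand-ins (structure only), and no signatures are verified.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(pem_text):
    """DER bytes of every certificate in a PEM file, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]

def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def issuer_and_subject(der):
    """Raw DER Name values (issuer, subject) of a certificate; no signature check."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)          # Certificate -> tbsCertificate
    fields, pos = [], 0
    while len(fields) < 6:                        # version?, serial, sigAlg, issuer, validity, subject
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields.pop(0)
    return fields[2][1], fields[4][1]

def check_chain(ders):
    """Each certificate must be issued by the next one (leaf first, as TLS requires)."""
    if len(ders) < 2:
        return False, "only %d certificate(s) present: intermediate missing" % len(ders)
    for i in range(len(ders) - 1):
        if issuer_and_subject(ders[i])[0] != issuer_and_subject(ders[i + 1])[1]:
            return False, "certificate %d is not issued by certificate %d" % (i, i + 1)
    return True, "%d certificates, leaf first, each issued by the next" % len(ders)

def build_fullchain(cert_pem, cert_auth_pem):
    """`cat cert.pem cert_auth.pem > fullchain.pem`, refusing a mis-ordered result."""
    fullchain = cert_pem.rstrip("\n") + "\n" + cert_auth_pem.rstrip("\n") + "\n"
    ok, msg = check_chain(pem_to_ders(fullchain))
    if not ok:
        raise ValueError("refusing to write fullchain.pem: " + msg)
    return fullchain

def _der(tag, body):
    """Tiny DER encoder used only to build the constructed sample certificates."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + body

def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned stand-in certificate (structure only; not a real cert)."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\xCE\x3D\x04\x03\x02"))  # ecdsa-with-SHA256 OID
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name(issuer_cn)
               + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00sig"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()

# Stand-ins for the files Axigen writes (constructed data, not real Let's Encrypt certificates).
CERT_PEM = fake_cert_pem("mail.example.test", "R12")        # cert.pem: leaf
CERT_AUTH_PEM = fake_cert_pem("R12", "ISRG Root X1")        # cert_auth.pem: intermediate
```

check_chain on cert.pem alone reports the missing intermediate, which is what a client without a cached R12 sees; after pointing the listener at the built file, openssl s_client -connect host:993 -showcerts should list both certificates.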