tazjin/kubernetes-letsencrypt

create a chained cert for nginx as well

ensonic opened this issue · 7 comments

hi,
according to http://nginx.org/en/docs/http/configuring_https_servers.html#chains
nginx needs a file containing both the server certificate + the chain.
Any chance you could also produce such a file? Right now I was using CERTIFICATE_FILENAME, KEY_FILENAME to configure nginx. This works in chrome, but firefox complains:

The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.

Using the FULLCHAIN_FILENAME instead of the CERTIFICATE_FILENAME does not work either. I guess it needs both.

Hey!

The FULLCHAIN_FILENAME files created by the controller work for this use-case today. For example, my blog uses those and is accepted in all major browsers (I'm using Firefox myself).

Can you check that the file that ends up in the secret actually contains multiple certificates? You can further use openssl to connect to your endpoint and verify that the correct certificates are being sent:

openssl s_client -showcerts -connect $yourhost:$yourport

For my sites this returns two certificates (the one signed for my domains and an intermediate CA cert from Let's Encrypt).
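The two checks suggested above, as an added example that is not part of the original thread or of kubernetes-letsencrypt: count the certificates in the PEM file nginx is handed, and count what a live server actually presents with `openssl s_client -showcerts`. The file names and the placeholder PEM bodies are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the kubernetes-letsencrypt project): verify that the
# file handed to nginx carries the leaf plus the intermediate(s), which is what
# Firefox needs when it has not cached the issuer certificate.

# Count PEM certificate blocks in a file.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed (exit 0) only if the file holds at least two certificates,
# i.e. a leaf followed by at least one intermediate.
chain_complete() {
    [ "$(pem_cert_count "$1")" -ge 2 ]
}

# Count the certificates a live server presents in its TLS handshake (the
# openssl s_client -showcerts check from the comment above). Needs network
# access, so the sample run below does not call it.
served_cert_count() {
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Constructed sample files: the PEM bodies are placeholders, not real certificates.
WORKDIR=$(mktemp -d)
LEAF_ONLY="$WORKDIR/cert.pem"        # leaf only, like a CERTIFICATE_FILENAME file
FULLCHAIN="$WORKDIR/fullchain.pem"   # leaf + intermediate, like a FULLCHAIN_FILENAME file
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER_LEAF\n-----END CERTIFICATE-----\n' > "$LEAF_ONLY"
{ cat "$LEAF_ONLY"
  printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER_INTERMEDIATE\n-----END CERTIFICATE-----\n'
} > "$FULLCHAIN"

for f in "$LEAF_ONLY" "$FULLCHAIN"; do
    if chain_complete "$f"; then
        echo "$f: $(pem_cert_count "$f") certificate(s), chain present"
    else
        echo "$f: $(pem_cert_count "$f") certificate(s), intermediate missing"
    fi
done
```

For a real deployment, run `served_cert_count yourhost 443` and expect at least 2; a result of 1 means nginx is serving the leaf without the intermediate.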

Meh, will take some time before I can retry - 'Too many certificates already issued for exact set of domains' :/
I should have renamed the secret volume :/

If you don't need to revoke certificates you can delete the secret that the controller uses and it will create a new Let's Encrypt account.

That's what I did and now I am over the quota, will have to wait a day or two, or add some dummy extra domain name. Just wanted to let you know, that I'll retry, but it might take a little.

You deleted the letsencrypt-keypair and it's still applying your quota? That's new!

It matches against the domains :/ too many certificates already issued for exact set of domains

The wait is over and it works. Maybe it is worth mentioning this in the docs.
Thanks for the help!