On Sat, Oct 26, 2024 at 11:32 PM Anthony J. Bentley <[email protected]>
wrote:
> relayd will pick up src.domain.io.crt, which is probably not a
> full chain certificate. It won't pick up src.domain.io.fullchain.pem,
> which is (probably) a full chain cert.
>
> As I can't see your acme-client.conf or your previous httpd.conf that
> worked without TLS errors, I'm guessing your old httpd.conf specified
> src.domain.io.fullchain.pem as its certificate instead of
> src.domain.io.crt, which is why it worked, and your acme-client.conf
> probably only writes a full chain to src.domain.io.fullchain.pem.
>
Anthony, thank you for your generous time troubleshooting with me here.
Your assumptions are correct; however, the obvious solution of renaming the
fullchain certificate file doesn't appear to work.
# acme-client.conf
domain src.domain.io {
        domain key "/etc/ssl/private/src.domain.io.key"
        domain certificate "/etc/ssl/src.domain.io.crt"
        domain full chain certificate "/etc/ssl/src.domain.io.fullchain.pem"
        sign with letsencrypt
}
# OLD httpd.conf
server "src.domain.io" {
        listen on * tls port 443
        tls {
                certificate "/etc/ssl/src.domain.io.fullchain.pem"
                key "/etc/ssl/private/src.domain.io.key"
        }
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        location "/*" {
                fastcgi socket tcp 127.0.0.1 3000
        }
}
server "src.domain.io" {
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        location * {
                block return 302 "https://$HTTP_HOST$REQUEST_URI"
        }
}
That httpd.conf was my old httpd-only-no-relayd working config.
Now that I have relayd up and running, reading your replies made me think I
could do the following:
# cd /etc/ssl
# mv src.domain.io.crt src.domain.io.notfullchain.crt
# mv src.domain.io.fullchain.pem src.domain.io.crt
This does not appear to disrupt the browser pointing to src.domain.io.
However, "git clone" and "curl" still return the error: SSL certificate
problem: unable to get local issuer certificate.
Many Thanks.
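A file-side check for the leaf-versus-full-chain question above, added here as an example and not part of the thread: it counts the certificates in each PEM file so the rename can be verified before and after, and `served_cert_count` compares that with what the TLS listener actually hands out. The sample files are constructed placeholders (not real certificates) named after the paths in the mail; note that relayd reads certificate files when it starts or reloads, so a renamed file only takes effect after a reload.

```shell
#!/bin/sh
# Added example: tell a leaf-only certificate file from a full chain.

# pem_cert_count FILE -> number of "BEGIN CERTIFICATE" blocks in FILE
# (0 when FILE is missing or holds no certificate).
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# chain_kind FILE -> "none", "leaf-only" or "full-chain"
chain_kind() {
    n=$(pem_cert_count "$1")
    if [ "$n" -eq 0 ]; then echo none
    elif [ "$n" -eq 1 ]; then echo leaf-only
    else echo full-chain
    fi
}

# served_cert_count HOST [PORT] -> certificates the listener presents;
# after a relayd reload this should match pem_cert_count of the file it
# picked up. Needs network access, so it is not run in the demo below.
served_cert_count() {
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        -showcerts 2>/dev/null | grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# write_sample_files DIR: constructed stand-ins for the two acme-client
# outputs; src.domain.io.crt holds one block, the fullchain file two.
write_sample_files() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/src.domain.io.crt"
    { cat "$1/src.domain.io.crt"
      printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-PLACEHOLDER' \
          '-----END CERTIFICATE-----'; } > "$1/src.domain.io.fullchain.pem"
}

# Demo on the constructed files (replace $demo_dir with /etc/ssl for real use).
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
for f in "$demo_dir"/src.domain.io.*; do
    printf '%s: %s\n' "$(basename "$f")" "$(chain_kind "$f")"
done
rm -r "$demo_dir"
```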