Submitted by stretch on Mon, 08/28/2017 - 16:57
Hi, for some domains the Let's Encrypt certificate is incomplete. It is not a fullchain certificate; it only contains the domain certificate, without a CA certificate, in the ssl.cert file. While trying to find out the reason, I've spotted that the ssl.cert file is created as a fullchain certificate first, and then it gets overwritten with a domain-only partial certificate. Perhaps it has something to do with Postfix or Dovecot, because the certificate is used in the mail server as well.
Status:
Active
Comments
Submitted by JamieCameron on Mon, 08/28/2017 - 23:25 Comment #1
The Let's Encrypt CA cert should be in a separate ssl.ca file, which Apache is configured to also read.
Submitted by stretch on Tue, 08/29/2017 - 10:12 Comment #2
Jamie, no it shouldn't for nginx; it must be concatenated. Otherwise it is treated as incomplete and my old browsers throw a certificate error. You can check that fullchain is required here: https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/ By the way, that is how Virtualmin currently works for most domains, but not for the one whose certificate is also used for Dovecot and Postfix.
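The check described above, as an added example that is not part of the thread or of Virtualmin: count the PEM blocks in ssl.cert to see whether it is leaf-only (the overwritten state the reporter observed), and assemble the leaf + CA file Nginx needs without duplicating the chain. The directory layout (ssl.cert and ssl.ca side by side) follows Comment #1 and #4; the output file name ssl.combined is an assumption.

```shell
#!/bin/sh
# Added example, not Virtualmin code. Inspects a PEM file and builds the single
# combined certificate file that Nginx's ssl_certificate directive expects.

# Count PEM certificate blocks: 1 means leaf only (no CA chain), >1 means a chain.
pem_block_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Write leaf + CA into one file, leaf first as Nginx requires.
# If ssl.cert already carries the chain, copy it unchanged instead of appending
# the CA a second time. Returns non-zero if the result still has a single block,
# i.e. the CA certificate was missing and Nginx would serve an incomplete chain.
build_nginx_chain() {
    cert="$1"; ca="$2"; out="$3"
    if [ "$(pem_block_count "$cert")" -gt 1 ]; then
        cat "$cert" > "$out"
    else
        cat "$cert" "$ca" > "$out"
    fi
    [ "$(pem_block_count "$out")" -gt 1 ]
}

# Usage (path assumed from the thread): report the state of a domain's ssl.cert.
report_chain_state() {
    if [ "$(pem_block_count "$1")" -gt 1 ]; then
        echo "$1: full chain present"
    else
        echo "$1: leaf certificate only, CA chain missing"
    fi
}

# Example invocation; the home directory is a placeholder, not a real path.
# report_chain_state /home/username/ssl.cert
# build_nginx_chain /home/username/ssl.cert /home/username/ssl.ca /home/username/ssl.combined
```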
Submitted by JamieCameron on Tue, 08/29/2017 - 22:08 Comment #3
So for Nginx use, Virtualmin should create a single file containing the cert and CA.
What's the path to the cert file that gets overwritten?
Submitted by stretch on Thu, 09/21/2017 - 07:43 Comment #4
So for Nginx use, Virtualmin should create a single file containing the cert and CA.
correct
What's the path to the cert file that gets overwritten?
/home/username/ssl.cert
Submitted by JamieCameron on Fri, 09/22/2017 - 18:45 Comment #5
The next release of Virtualmin is going to handle this properly by creating a separate combined cert file for Nginx, and using the ssl.cert file for just the domain's cert.
Submitted by stretch on Sat, 09/23/2017 - 06:33 Comment #6
Great news, thanks Jamie!