incomplete letsencrypt certificate for some domains

Hi, for some domains the Let's Encrypt certificate is incomplete. It is not a fullchain certificate; it only contains the domain certificate without a CA certificate in the ssl.cert file. While trying to find out the reason, I've spotted that the ssl.cert file is created as a fullchain certificate first, and then it gets overwritten with a domain-only, partial certificate. Perhaps it has something to do with Postfix or Dovecot, because the certificate is used in the mail server as well.

Status: Active

Comments

The Let's Encrypt CA cert should be in a separate ssl.ca file, which Apache is configured to also read.

Jamie, no, it shouldn't for nginx; it must be concatenated. In the other case it is held as incomplete and my old browsers throw a certificate error. You can check that fullchain is required here: https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/ By the way, it is how Virtualmin currently works for most domains, but not for the one whose certificate is also used for Dovecot and Postfix.

So for Nginx use, Virtualmin should create a single file containing the cert and CA.

What's the path to the cert file that gets overwritten?

So for Nginx use, Virtualmin should create a single file containing the cert and CA.

correct

What's the path to the cert file that gets overwritten?

/home/username/ssl.cert

The next release of Virtualmin is going to handle this properly by creating a separate combined cert file for Nginx, and using the ssl.cert file for just the domain's cert.

Great news, thanks Jamie!
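
Added example (not part of the thread and not Virtualmin's code): a check for the symptom described above, a cert file holding only the domain certificate, plus a safe way to build the single cert-plus-CA file nginx expects from the contents of ssl.cert and ssl.ca. The function names and the sample PEM blocks are constructed for illustration; the code inspects PEM structure only and does not validate the chain cryptographically.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def cert_blocks(pem_text):
    """Return every certificate in pem_text as a normalized PEM block."""
    blocks = []
    for body in PEM_RE.findall(pem_text):
        b64 = "".join(body.split())
        base64.b64decode(b64, validate=True)  # raises on a corrupt body
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                      + "\n-----END CERTIFICATE-----\n")
    return blocks

def classify(pem_text):
    """'leaf-only' is the incomplete file reported in this thread."""
    count = len(cert_blocks(pem_text))
    if count == 0:
        return "no-certificate"
    return "leaf-only" if count == 1 else "fullchain"

def build_fullchain(cert_text, ca_text):
    """Domain cert first, then the CA cert(s), one block per line group."""
    leaf = cert_blocks(cert_text)
    chain = cert_blocks(ca_text)
    if len(leaf) != 1:
        raise ValueError("expected exactly one domain certificate")
    if not chain:
        raise ValueError("CA file contains no certificate")
    return "".join(leaf + chain)

def _sample(label):
    # Constructed placeholder, not a real X.509 certificate.
    b64 = base64.b64encode(label.encode() * 4).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----"

SAMPLE_CERT = _sample("constructed-leaf ")        # stands in for ssl.cert
SAMPLE_CA = _sample("constructed-intermediate ")  # stands in for ssl.ca

if __name__ == "__main__":
    print("ssl.cert alone:", classify(SAMPLE_CERT))
    print("combined file :", classify(build_fullchain(SAMPLE_CERT, SAMPLE_CA)))
```

Because the samples have no trailing newline, plain concatenation would glue the END and BEGIN markers onto one line; build_fullchain re-emits each block so the combined file stays parseable.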