Can I make letsencrypt-auto output chain.pem and cert.pem instead of fullchain.pem?


#1

I ran this command:

letsencrypt-auto renew --dry-run

The output looked promising at first, but then I noticed that it was planning to generate fullchain.pem. I’m using Apache 2.4.7 on Ubuntu 14.04 and letsencrypt-auto version 0.5.0.

According to http://letsencrypt.readthedocs.org/en/latest/using.html#where-are-my-certificates that will not work:

cert.pem
Server certificate only.

This is what Apache < 2.4.8 needs for SSLCertificateFile.

chain.pem
All certificates that need to be served by the browser excluding server certificate, i.e. root and intermediate certificates only.

This is what Apache < 2.4.8 needs for SSLCertificateChainFile, and what nginx >= 1.3.7 needs for ssl_trusted_certificate.

This matches my current apache config files. I understand that fullchain.pem is these two files concatenated. Is there any way to force letsencrypt-auto to output chain.pem and cert.pem so I can automate renewal?

I’ve googled and searched this forum, looked through ‘letsencrypt-auto --help all’ and even grepped the letsencrypt-auto script, and cannot find anything that will make letsencrypt-auto do this.

Workarounds I have rejected:
I’m not upgrading Ubuntu since I plan to stick to only LTS versions and 16.x is not out yet. I’m also not hand-compiling Apache either since it’s way too easy to forget about that for a long time, which is not OK in today’s security environment.


#2

The client stores chain.pem, cert.pem, fullchain.pem and privkey.pem by default. You can find all of these files in /etc/letsencrypt/live/example.com/.
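
An added example, not part of the original posts: a virtual host for Apache older than 2.4.8 (such as the 2.4.7 in the question) that points at the separate files in the live directory. The ServerName and the example.com path are placeholders taken from the reply above; the 2.4.8+ variant is shown commented out for comparison.

```apache
<VirtualHost *:443>
    ServerName example.com

    SSLEngine on

    # Apache < 2.4.8: leaf certificate and intermediates are configured separately.
    SSLCertificateFile      /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem

    # Apache >= 2.4.8: SSLCertificateChainFile is deprecated and
    # SSLCertificateFile accepts the leaf plus intermediates in one file.
    # SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    # SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
```

The entries under live/ are symlinks that the client repoints at each renewal, so the paths stay the same and Apache only needs a reload to pick up the new certificate.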

