Can't decide which one is .key and which one is .crt?


#1

After successfully issuing the cert, I got 4 files: cert.pem, chain.pem, fullchain.pem and privkey.pem, but this project needs REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY, so I don’t know how to fill in these values.

Then I tried

openssl x509 -outform der -in chain.pem -out domain.crt
openssl rsa -outform der -in privkey.pem -out domain.key

I verified those generated files with openssl and they seem good, but when I ran docker-compose up I got this error:

level=fatal msg="crypto/tls: private key does not match public key

#2
  • chain.pem contains the intermediate/issuer certificate under which Let’s Encrypt signs certificates.
  • cert.pem contains your actual certificate.
  • fullchain.pem is a combination of chain.pem and cert.pem. This is most likely the file you want for REGISTRY_HTTP_TLS_CERTIFICATE.
  • privkey.pem is what you need for REGISTRY_HTTP_TLS_KEY.
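
An added example, not part of the original posts: a shell check that a private key belongs to the first certificate in a PEM file, which is the pairing the "private key does not match public key" error refers to. The helper names (`make_demo_files`, `cert_count`, `key_matches_cert`), the script name and the subject names are assumptions, and the demo files are constructed throwaway data laid out with the four file names discussed above.

```shell
#!/bin/sh
# Added example. All files are constructed test data, not real Let's Encrypt output.

# make_demo_files DIR (hypothetical helper): build a throwaway issuer and leaf,
# laid out with the same four file names the thread discusses.
make_demo_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuer" \
        -keyout "$d/issuer.key" -out "$d/chain.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=registry.example.test" \
        -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -days 1 -CA "$d/chain.pem" \
        -CAkey "$d/issuer.key" -CAcreateserial -out "$d/cert.pem" 2>/dev/null &&
    cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
}

# cert_count FILE: number of certificates in a PEM bundle.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# key_matches_cert CERT KEY: 0 = KEY belongs to the first certificate in CERT,
# 1 = mismatch, 2 = a file could not be parsed.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone use (script name is an assumption): sh check_pair.sh fullchain.pem privkey.pem
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "OK: key matches the first of $(cert_count "$1") certificate(s) in $1"
    else
        echo "MISMATCH or unreadable: $1 / $2" >&2
        exit 1
    fi
fi
```

Run against the demo files, fullchain.pem and cert.pem both pair with privkey.pem, while chain.pem does not, because it holds only the issuer's certificate.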

#3

@pfg How could you answer my question so perfectly?
It’s all good, thanks a lot! :smiley:


#4

Quick question: almost every bit of advice says to use fullchain when a config asks for the cert - when would we use cert.pem as opposed to fullchain.pem? Or is fullchain preferable in just about every situation?


#5

The only time you can safely use cert.pem is with servers that ask for chain.pem separately, such as older versions of Apache.


#6

Ah, thanks. I’m on the latest Apache 2.4, Postfix 3.1, etc. No wonder cert.pem doesn’t work on its own!