Can't decide which one is .key and which one is .crt?

S1M0N · April 5, 2016, 10:34am

After successfully issued the cert, i got cert.pem chain.pem fullchain.pem privkey.pem 4 files, but this project needs REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY, so I don’t know how to fill these values.

then i tried

openssl x509 -outform der -in chain.pem -out domain.crt
openssl rsa -outform der -in privkey.pem -out domain.key

verified those generated files with openssl seems good, but when I docker-compose up i got this error:

level=fatal msg="crypto/tls: private key does not match public key

pfg · April 5, 2016, 10:45am

chain.pem contains the intermediate/issuer certificate under which Let’s Encrypt signs certificates.
cert.pem contains your actual certificate.
fullchain.pem is a combination of chain.pem and cert.pem. This is most likely the file you want for REGISTRY_HTTP_TLS_CERTIFICATE.
privkey.pem is what you need for REGISTRY_HTTP_TLS_KEY.

S1M0N · April 5, 2016, 10:56am

@pfg How could u answer my question like this perfect?
It’s all good, thanks a lot !

DarkSteve · April 5, 2016, 10:57pm

Quick question: almost every bit of advice says to use fullchain when a config asks for the cert - when would we use cert.pem as opposed to fullchain.pem? Or is fullchain preferable in just about every situation?

cool110 · April 6, 2016, 6:04am

The only time you can safely use cert.pem is with servers that ask for chain.pem separately, such as older versions of Apache.

DarkSteve · April 6, 2016, 6:15am

Ah, thanks. I’m on the latest Apache 2.4, Postfix 3.1, etc. No wonder cert.pem doesn’t work on it’s own!