Can't decide which one is .key and which one is .crt?

After successfully issuing the cert, I got 4 files: cert.pem, chain.pem, fullchain.pem and privkey.pem. But this project needs REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY, so I don't know how to fill in these values.

Then I tried:

openssl x509 -outform der -in chain.pem -out domain.crt
openssl rsa -outform der -in privkey.pem -out domain.key

I verified those generated files with openssl and they seem good, but when I ran docker-compose up I got this error:

level=fatal msg="crypto/tls: private key does not match public key
  • chain.pem contains the intermediate/issuer certificate under which Let’s Encrypt signs certificates.
  • cert.pem contains your actual certificate.
  • fullchain.pem is a combination of chain.pem and cert.pem. This is most likely the file you want for REGISTRY_HTTP_TLS_CERTIFICATE.
  • privkey.pem is what you need for REGISTRY_HTTP_TLS_KEY.

@pfg How could you answer my question so perfectly?
It's all good, thanks a lot! :smiley:

Quick question: almost every bit of advice says to use fullchain when a config asks for the cert - when would we use cert.pem as opposed to fullchain.pem? Or is fullchain preferable in just about every situation?

The only time you can safely use cert.pem is with servers that ask for chain.pem separately, such as older versions of Apache.

Ah, thanks. I'm on the latest Apache 2.4, Postfix 3.1, etc. No wonder cert.pem doesn't work on its own!
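The file roles discussed in this thread, as an added example that is not part of any post: it loads each certificate file together with privkey.pem through Go's crypto/tls (the package named in the error above) and reports how many certificates would be served. The key pairs, certificates and the name registry.example.test are constructed in memory as stand-ins for the four certbot files; the `issue`, `Files` and `Pair` helpers are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue returns a PEM certificate for pub, signed by signer under a constructed issuer name.
func issue(cn string, isCA bool, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "constructed intermediate"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Files builds constructed stand-ins for the four files (names from the thread, contents generated here).
func Files() (cert, chain, fullchain, privkey []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	chain = issue("constructed intermediate", true, &caKey.PublicKey, caKey)
	cert = issue("registry.example.test", false, &leafKey.PublicKey, caKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	privkey = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return cert, chain, append(append([]byte{}, cert...), chain...), privkey // fullchain: leaf first, then issuer
}

// Pair loads a certificate file with a key via crypto/tls and returns how many certificates would be sent.
func Pair(certFile, keyFile []byte) (int, error) {
	kp, err := tls.X509KeyPair(certFile, keyFile)
	return len(kp.Certificate), err
}

func main() {
	cert, chain, full, key := Files()
	for _, f := range [][]byte{chain, cert, full} { // chain.pem, cert.pem, fullchain.pem
		fmt.Println(Pair(f, key))
	}
}
```

cert.pem loads without error but yields a single certificate, so the server sends no intermediate; only fullchain.pem both matches the key and carries the issuer.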