Certbot Docker was successful, but the file was not generated

Why would it be invalid?

What would it need to match from those files?

The server is up and running, you can check it, but still no certificate

I see the certificate when using openssl s_client -connect bbqfield.com:443 but you're not sending the intermediate certificate(s). This makes sense, as the intermediate cert(s) (chain.pem) and also the full chain (fullchain.pem, which is just cert.pem and chain.pem concatenated into a single file) were also deleted by the script.

You can download the intermediate certificate(s) from Chain of Trust - Let's Encrypt

Please see Production Chain Changes for more info about the currently active certificate chain. This currently is "R3" and "ISRG Root X1" where the latter has been signed by "DST Root CA X3". So your chain.pem would consist of the R3 intermediate signed by ISRG Root X1 and the ISRG Root X1 certificate signed by "DST Root CA X3". All these files are available from the Chain of Trust page I linked above, also as PEM files you can use directly on your server.

1 Like

I added "R3 intermediate signed by ISRG Root X1" and "the ISRG Root X1 certificate signed by DST Root CA X3" > chain.pem, and cert.pem + chain.pem > fullchain.pem; still not resolved. Can you check me again?

1 Like

You're using the wrong leaf certificate.

You used the pre-certificate instead of the actual certificate. You need to download the leaf certificate from crt.sh, not the precert.

(Your intermediate chain looks correct though, so you got that)

2 Likes

You've added the SCT pre-certificate for your own certificate from crt.sh. (This wasn't clear earlier, as OpenSSL complained about the missing chain earlier, not about the pre-cert.)

As I said earlier, you should use the actual certificate, not the pre-certificate. You can recognise pre-certs by their specific content:

            CT Precertificate Poison: critical
                NULL

In the actual certificate, you'll see:

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
(...)

See the link to the actual certificate above.

1 Like
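The precertificate versus final certificate distinction described in the replies above can also be checked programmatically by looking for the two CT extension OIDs from RFC 6962. This is an added example, not part of the original thread; the function names are hypothetical and it uses only the Python standard library.

```python
import base64
import re

# DER-encoded OID contents of the two CT extensions defined in RFC 6962.
OID_POISON = bytes.fromhex("2b06010401d679020403")    # 1.3.6.1.4.1.11129.2.4.3
OID_SCT_LIST = bytes.fromhex("2b06010401d679020402")  # 1.3.6.1.4.1.11129.2.4.2

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file (the leaf in fullchain.pem)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def classify(der):
    """Return 'precertificate', 'certificate-with-scts' or 'certificate-without-scts'."""
    _, cert, _ = read_tlv(der, 0)                 # outer Certificate SEQUENCE
    _, tbs = next(children(cert))                 # tbsCertificate is its first element
    oids = set()
    for tag, value in children(tbs):
        if tag == 0xA3:                           # [3] EXPLICIT extensions
            _, ext_list = next(children(value))   # SEQUENCE OF Extension
            for _, ext in children(ext_list):
                oids.add(next(children(ext))[1])  # extnID is the first field
    if OID_POISON in oids:
        return "precertificate"
    return "certificate-with-scts" if OID_SCT_LIST in oids else "certificate-without-scts"
```

Calling classify(pem_to_der(open("cert.pem").read())) on a file saved from crt.sh returns "precertificate" when the poison extension is present, which means the file must not be served as the leaf.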

Thank you for taking the time to solve my problem. I have succeeded in getting my certificate. It returned to the 502 error, but maybe it's not a Let's Encrypt problem.

  • Update for those with the same problem as me: removing proxy_pass and adding $Mage Root, include <root>/nginx.conf.sample solved the problem.
