Hi.
I used the OPNSense-Firewall together with the LE-Plugin to generate a certificate for my server. Everything worked well … afterwards I downloaded the files from the firewall and put all files on the server:
```
-rwxr-x--- 1 root wheel 1648 Jan 29 10:08 ca.cer*
-rwxr-x--- 1 root wheel 3933 Jan 29 10:08 fullchain.cer*
-rwxr-x--- 1 root wheel 2285 Jan 29 10:08 server.meine-domain.de.cer*
-rwxr-x--- 1 root wheel 1700 Jan 29 10:08 server.meine-domain.de.csr*
-rwxr-x--- 1 root wheel 3243 Nov 21 11:32 server.meine-domain.de.key*
```
When I connect via `openssl s_client -connect server.meine-domain.de:443`, I always get a chain that is too short.
I know it should look like this:
```
---
Certificate chain
 0 s:CN = server.meine-domain.de
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
```
But instead I always get just these lines:
```
CONNECTED(00000005)
depth=0 CN = server.meine-domain.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = server.meine-domain.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = server.meine-domain.de
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
```
The chain is not complete … it’s too short. But the ca.cer is there…!
What’s wrong here? What’s missing? Thanks for a good hint.
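
Added example, not part of the original post: a small shell parser for the `Certificate chain` block of `openssl s_client` output that reports how many certificates the server actually sent and whether each issuer is followed by its own certificate. The two sample outputs are constructed from the text quoted in the post, and the function names are hypothetical.

```shell
# Added example. Sample outputs are constructed from the text quoted in the post.
short_sample() { cat <<'EOF'
CONNECTED(00000005)
depth=0 CN = server.meine-domain.de
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = server.meine-domain.de
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
EOF
}
full_sample() { cat <<'EOF'
---
Certificate chain
 0 s:CN = server.meine-domain.de
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}
# Read s_client output on stdin; print "subject<TAB>issuer" per certificate sent.
chain_pairs() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---/         { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); print subj "\t" $0 }
  '
}
# Number of certificates the server presented in the handshake.
chain_depth() { chain_pairs | awk 'END { print NR }'; }
# Classify the presented chain: no-chain | broken-order | leaf-only | has-intermediate.
chain_status() {
  chain_pairs | awk -F '\t' '
    NR > 1 && $1 != prev_issuer { broken = 1 }  # issuer must match next subject
    { prev_issuer = $2; self_signed = ($1 == $2) }
    END {
      if (NR == 0)                      print "no-chain"
      else if (broken)                  print "broken-order"
      else if (NR == 1 && !self_signed) print "leaf-only"
      else                              print "has-intermediate"
    }'
}
for s in short_sample full_sample; do
  printf '%s: depth=%s status=%s\n' "$s" "$($s | chain_depth)" "$($s | chain_status)"
done
```

A `leaf-only` result means the server did not send the intermediate certificate, which is what `verify error:num=20` and `num=21` report from the client side. To check a live host, pipe `openssl s_client -connect host:443 </dev/null 2>&1` into `chain_status`.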