Need Server, intermediate, and root certs instead of fullchain

I am trying to use a wildcard cert in my Ruckus SmartZone setup to allow the functions, including captive portal, to work properly. In the main screens, a fullchain cert with private key works fine. However, in the case of the AP portal, they require separate files for Server Cert, Intermediate CA certs, and root CA certs. It looks like the cert.pem is the server cert, and the chain.pem is the intermediate certs, but there is no root CA cert.

Can anyone help me figure out what to do here? I feel like a complete Noob.

My domain is:am-hs.net

I ran this command:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.am-hs.net -d am-hs.net

It produced this output:
(success) - I don't have the exact output, but it created the cert set: cert.pem chain.pem fullchain.pem privkey.pem README

My web server is (include version):
Certbot is hosted on a VM with Debian 11 (bullseye)
Cert is installed on Virtual Smartzone Appliance - v6.1.1.0.959

The operating system my web server runs on is (include version): Customized linux - can't access bash shell

My hosting provider, if applicable, is: N/A (locally hosted)

I can login to a root shell on my machine (yes or no, or I don't know): NO

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes - vSZ 6.1.1

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

All you should need is either the fullchain (for most systems), or cert + chain (for systems that want the intermediates separate). Anything working as a server shouldn't need the root at all (the root is for a client to be able to validate what the server sends). They're available for download, but I suspect it's not actually what you need. Can you maybe give a screenshot or link to documentation of what you're being asked for?

And keep in mind that if you're doing manual steps you'll have to do them again every couple of months; the goal of Let's Encrypt is to automate things as much as possible. I don't know anything about this "SmartZone", but ideally it would either be able to request its own certificates or would have some sort of API to update them that you could put into a deploy hook script.

7 Likes

Odd - I was convinced that I tried that combination (cert + chain). It works.

Now I am getting the error on my client side "Revocation information for the security certificate for this site is not available. Do you want to proceed?" Is this normal for Let's Encrypt certs, or do I have something misconfigured?

No, that sounds pretty weird. Maybe your network is blocking requests to Let's Encrypt's OCSP servers?

6 Likes

According to Ruckus - because the security is happening between the device and the WAP and being verified by the controller, it needs the whole chain including the root CA cert.

Presently https://decoder.link/sslchecker/am-hs.net/443 shows:

    Common Name:          *.bizland.com
    SANs:                 DNS:*.bizland.com
                          DNS:bizland.com
    Total number of SANs: 2

The currently being served certificate does not match the domain name.

2 Likes

Clarifying some of the above comments:

The files Certbot created are:

  • cert.pem - server/leaf/end-entity certificate
  • chain.pem - the intermediates
  • fullchain.pem - cert.pem + chain.pem
  • privkey.pem - the private key

The root certificate is available at the link @petercooperjr shared above. Note that Certbot currently uses the "long chain" by default, and the "short chain" as an alternate. Each chain has a different root certificate.

The PEM files from ACME and LetsEncrypt all end with a newline "\n", so you can just concatenate/cat them together.

This all sounds very odd though. I would not be surprised if there is some other issue going on here. Hopefully this explanation of the files will help you iterate until you get a working solution that you can share back here.

6 Likes
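As an added illustration of the file layout described above (example code, not from the thread or from Certbot), the script below splits PEM bundles into their certificate blocks, checks that cert.pem, chain.pem and fullchain.pem relate the way the reply explains, and concatenates files safely even when one was saved without the trailing newline that Certbot normally writes. The certificate bodies are constructed placeholders, not real certificates.

```python
import re

# One PEM certificate block. The line anchors are strict on purpose: an END line
# glued to the next BEGIN line (missing newline) is not recognised as two blocks,
# which mirrors how PEM parsers fail on such a file.
PEM_BLOCK = re.compile(
    r"^-----BEGIN CERTIFICATE-----\r?$\n.*?^-----END CERTIFICATE-----\r?$",
    re.M | re.S,
)


def split_pem(bundle: str) -> list:
    """Return every certificate block in a PEM bundle, in file order (leaf first)."""
    return [m.group(0) for m in PEM_BLOCK.finditer(bundle)]


def join_pem(*parts: str) -> str:
    """Concatenate PEM files. Each part is normalised to end in exactly one
    newline, so a file lacking its trailing newline cannot glue its END line
    to the next file's BEGIN line the way a plain `cat` would."""
    return "".join(p.rstrip("\r\n") + "\n" for p in parts)


def check_layout(cert_pem: str, chain_pem: str, fullchain_pem: str) -> dict:
    """Check the relationships from the reply: cert.pem holds one leaf,
    chain.pem holds the intermediate(s), fullchain.pem is cert + chain.
    The root is never in these files and must be supplied separately."""
    leaf, inters, full = split_pem(cert_pem), split_pem(chain_pem), split_pem(fullchain_pem)
    matches = full == leaf + inters
    return {
        "leaf_count": len(leaf),
        "intermediate_count": len(inters),
        "fullchain_is_cert_plus_chain": matches,
        "well_formed": len(leaf) == 1 and len(inters) >= 1 and matches,
    }


def _fake_cert(body: str) -> str:
    """Constructed placeholder block; the body is not real base64 DER."""
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


CERT_PEM = _fake_cert("LEAF-PLACEHOLDER")            # cert.pem: server/leaf cert
CHAIN_PEM = _fake_cert("INTERMEDIATE-PLACEHOLDER")   # chain.pem: intermediate(s)
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM                 # fullchain.pem as Certbot writes it

if __name__ == "__main__":
    print(check_layout(CERT_PEM, CHAIN_PEM, FULLCHAIN_PEM))
    glued = CERT_PEM.rstrip("\n") + CHAIN_PEM        # cert.pem saved without its newline
    print(len(split_pem(glued)), len(split_pem(join_pem(CERT_PEM.rstrip("\n"), CHAIN_PEM))))
```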

Thank you. This is very clear. I was able to get everything to work using this information.

4 Likes
