I am trying to use a wildcard cert in my Ruckus SmartZone setup to allow the functions, including captive portal, to work properly. In the main screens, a fullchain cert with private key works fine. However, in the case of the AP portal, they require separate files for Server Cert, Intermediate CA certs, and root CA certs. It looks like the cert.pem is the server cert, and the chain.pem is the intermediate certs, but there is no root CA cert.
Can anyone help me figure out what to do here? I feel like a complete Noob.
My domain is: am-hs.net
I ran this command:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.am-hs.net -d am-hs.net
It produced this output:
(success) - I don't have the exact output, but it created the cert set: cert.pem chain.pem fullchain.pem privkey.pem README
My web server is (include version):
Certbot is hosted on a VM with Debian 11 (Bullseye)
Cert is installed on Virtual SmartZone Appliance - v6.1.1.0.959
The operating system my web server runs on is (include version): Customized linux - can't access bash shell
My hosting provider, if applicable, is: N/A (locally hosted)
I can login to a root shell on my machine (yes or no, or I don't know): NO
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes - vSZ 6.1.1
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0
All you should need is either the fullchain (for most systems), or cert + chain (for systems that want the intermediates separate). Anything working as a server shouldn't need the root at all (the root is for a client to be able to validate what the server sends). They're available for download, but I suspect it's not actually what you need. Can you maybe give a screenshot or link to documentation of what you're being asked for?
And keep in mind that if you're doing manual steps you'll have to do them again every couple of months; the goal of Let's Encrypt is to automate things as much as possible. I don't know anything about this "SmartZone", but ideally it would either be able to request its own certificates or would have some sort of API to update them that you could put into a deploy hook script.
Odd - I was convinced that I tried that combination (cert + chain). It works.
Now I am getting the error on my client side "Revocation information for the security certificate for this site is not available. Do you want to proceed?" Is this normal for Let's Encrypt certs, or do I have something misconfigured?
According to Ruckus - because the security is happening between the device and the WAP and being verified by the controller, it needs the whole chain including the root CA cert.
The root certificate is available at the link @petercooperjr shared above. Note that Certbot currently uses the "long chain" by default, and the "short chain" as an alternate. Each chain has a different root certificate.
The PEM files from ACME and Let's Encrypt all end with a newline "\n", so you can just concatenate/cat them together.
This all sounds very odd though. I would not be surprised if there is some other issue going on here. Hopefully this explanation of the files will help you iterate until you get a working solution that you can share back here.
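Putting the last two answers together, here is an added Python helper (not from the thread, Certbot or Ruckus) that splits Certbot's fullchain.pem into the server certificate and the intermediates, appends a root PEM the admin downloaded from the chain page linked above, and normalises each block so concatenation never glues two certificates together; it can also run as a --deploy-hook (Certbot exports RENEWED_LINEAGE) so the files are rebuilt on every renewal. The output file names, the root-file argument and the sample PEM blocks are assumptions, not anything the appliance prescribes.

```python
import os
import re
import sys
from pathlib import Path

# One PEM certificate block, matched with or without its trailing newline.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def split_pem(text):
    """Return each certificate block, normalised to end in exactly one newline."""
    return [block + "\n" for block in PEM_BLOCK.findall(text)]

def build_bundles(fullchain_text, root_text):
    """Split fullchain.pem (server cert + intermediates) into separate files and append the admin-supplied root."""
    certs = split_pem(fullchain_text)
    if len(certs) < 2:
        raise ValueError("fullchain.pem should hold the server cert plus intermediates")
    roots = split_pem(root_text)
    if len(roots) != 1:
        raise ValueError("the root file should hold exactly one certificate")
    return {
        "server.pem": certs[0],                            # same content as cert.pem
        "intermediates.pem": "".join(certs[1:]),           # same content as chain.pem
        "root.pem": roots[0],                              # not in any Certbot file
        "chain-with-root.pem": "".join(certs) + roots[0],  # cert + chain + root
    }

def write_bundles(lineage_dir, root_path, out_dir):
    bundles = build_bundles(Path(lineage_dir, "fullchain.pem").read_text(),
                            Path(root_path).read_text())
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    for name, content in bundles.items():
        (out_dir / name).write_text(content)
    return sorted(bundles)

# Constructed stand-in blocks (not real certificates) so the module runs offline;
# the last intermediate deliberately lacks its trailing newline.
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATE-1\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATE-2\n-----END CERTIFICATE-----")
SAMPLE_ROOT = "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # As a Certbot --deploy-hook: RENEWED_LINEAGE is /etc/letsencrypt/live/<name>; args are root file and output dir.
    lineage = os.environ.get("RENEWED_LINEAGE")
    if lineage and len(sys.argv) == 3:
        print(write_bundles(lineage, sys.argv[1], sys.argv[2]))
```

Before loading the files, `openssl verify -CAfile root.pem -untrusted intermediates.pem server.pem` confirms that the root you downloaded is the one belonging to the chain Certbot actually issued (long vs short chain).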