Nginx - what should ssl_trusted_certificate stanza contain

Everything I’m finding just seems to assume I’m using certbot, but I’m not… what file do I use for ssl_trusted_certificate in an Nginx setup?

It should contain the intermediate certificate, and optionally the root certificate.

Certbot puts the intermediate in “chain.pem”. Other clients should create a file with a name like “chain” or “intermediate”.

What client are you using?

1 Like

I was scripting my own, using acme_tiny.py as a library. So all the references to chain.pem were throwing me off. I’ve come to the conclusion that it’s actually https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt. I can now utilize ssl_stapling with that in place.

It is for now. It could change without warning, though that would be unusual. (It probably will change with warning someday.)

Your client should fetch the intermediate(s) dynamically.

The Let's Encrypt API server will give you the current intermediate in a Link header, and you can also extract it from the AIA CA Issuers field in your certificate. (Which will, currently, give you different URLs pointing to the same intermediate.)

2 Likes
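The Link-header route described in the reply above, as an added example that is not part of the original thread or of acme_tiny.py: it picks the issuer URL out of the Link headers on a certificate response (`rel="up"` is the relation ACME uses for the issuer) and normalises the fetched body to PEM for the `ssl_trusted_certificate` file. The function names and sample values are hypothetical, and accepting either DER or PEM from the server is an assumption.

```python
import re
import ssl
from urllib.parse import urljoin

# One link-value: <target> followed by ;name=value parameters (RFC 8288).
_LINK = re.compile(r'<([^>]*)>((?:\s*;\s*[^;,=\s]+\s*=\s*(?:"[^"]*"|[^;,\s]+))*)')
_PARAM = re.compile(r';\s*([^;,=\s]+)\s*=\s*(?:"([^"]*)"|([^;,\s]+))')

# Constructed sample input: Link headers as they might arrive on a
# certificate download, and the URL that download was requested from.
SAMPLE_CERT_URL = "https://acme.example.test/acme/cert/abc123"
SAMPLE_LINK_HEADERS = [
    '<https://acme.example.test/directory>;rel="index", '
    '</acme/issuer-cert>; rel="up"; title="issuer"',
]


def issuer_urls(link_headers, response_url):
    """Return absolute URLs of every Link target whose rel includes "up"."""
    urls = []
    for header in link_headers:  # a response may carry several Link headers
        for target, params in _LINK.findall(header):
            for name, quoted, bare in _PARAM.findall(params):
                # rel may hold several space-separated relation types
                rels = (quoted or bare).lower().split()
                if name.lower() == "rel" and "up" in rels:
                    # targets may be relative to the URL that was requested
                    urls.append(urljoin(response_url, target))
    return urls


def to_pem(body):
    """Normalise a fetched issuer certificate (DER or PEM bytes) to PEM text."""
    if body.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return body.decode("ascii").strip() + "\n"
    # Assumption: anything that is not PEM is a single DER certificate.
    return ssl.DER_cert_to_PEM_cert(body)


if __name__ == "__main__":
    for url in issuer_urls(SAMPLE_LINK_HEADERS, SAMPLE_CERT_URL):
        print("fetch issuer from:", url)
```

A client would fetch each returned URL on every issuance or renewal and write the `to_pem()` output to the file that `ssl_trusted_certificate` points at.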
