Require LE Root Bundle in PEM, same format as example given

I am sure this is a dumb question but I am getting nowhere :frowning:
I need to upload a root bundle with LE Root and Intermediate to a voice proxy for TLS. I am unsure of the exact format, docs just say pem. This website contains an example of a root cert bundle I know works, I just need the LE equivalent
https://www.ssl2buy.com/wiki/geotrust-quickssl-premium-sha-2-under-sha-1-root-bundle

Obtain the signed certificate from the Certificate Authority (CA). You might also receive a certificate
trust chain if the CA did not directly sign the certificate. The certificate trust chain might be provided
as a separate file or it might be concatenated directly onto the signed certificate.
If the signed certificate is not in a PEM-encoded format, reencode the certificate in the PEM format
before uploading
openssl x509 -in input.der -inform DER -out output.pem -outform PEM

What Let’s Encrypt client did you use to obtain your certificate?

Most of them usually produce a fullchain.pem which is exactly what you should use for your voice proxy.

Its contents are the PEM-encoded leaf certificate, with the PEM-encoded intermediate certificate concatenated to it. You never include the root certificate, there’s no point.


Thanks for responding
I used win-acme v2
Told it to export files to a folder and got
fqdn-chain.pem
fqdn-crt.pem
fqdn-key.pem

If I change fqdn-chain.pem to fqdn-chain.crt and open with the Windows tool it seems to contain the entire chain as opposed to the Root and Intermediate only

I've read through the win-acme issue tracker, and it seems like fqdn-chain.pem is the equivalent of fullchain.pem.

It should contain your leaf certificate as the first certificate, and the intermediate certificate as the second certificate.

That could be because the Windows certificate tool is automatically finding a path from the intermediate in the file to the root which is pre-installed on your computer. That is, after all, the point in intermediates and roots :slight_smile: .

I would try using the -chain.pem file in your server software.

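An added example, not part of the original thread or of win-acme: a stdlib-only Python sketch that splits a leaf-first chain file, such as the `-chain.pem` described above, into the leaf and the intermediate blocks, and refuses input that contains a private key. The names `split_chain` and `SAMPLE_CHAIN` are hypothetical, the sample blocks are constructed filler rather than real certificates, and the code checks only PEM/DER framing, not X.509 contents or signatures.

```python
import base64
import re

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def split_chain(pem_text):
    """Return (leaf_pem, [intermediate_pem, ...]) from a leaf-first chain file."""
    certs = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if "PRIVATE KEY" in label:
            # A key must never end up in a file that gets uploaded as a chain.
            raise ValueError("private key found in chain file")
        if label != "CERTIFICATE":
            continue
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # DER certificates start with a SEQUENCE tag
            raise ValueError("block is not DER inside PEM")
        # Re-wrap at 64 columns so each output block is canonical PEM.
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    if not certs:
        raise ValueError("no certificates found")
    return certs[0], certs[1:]


def _fake_cert(tag):
    # Constructed stand-in: SEQUENCE header plus filler, NOT a real certificate.
    der = b"\x30\x82\x01\x00" + tag * 64
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample in the layout described above: leaf first, intermediate second.
SAMPLE_CHAIN = _fake_cert(b"LEAF") + _fake_cert(b"INTR")

if __name__ == "__main__":
    leaf, intermediates = split_chain(SAMPLE_CHAIN)
    print("leaf blocks: 1, intermediate blocks:", len(intermediates))
    print("".join(intermediates), end="")
```
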
