Root Certificate needed in Fullchain

Hello,

I am using Let's Encrypt certs for my mail server and clients.
A special email client, “The Bat”, needs the Let's Encrypt root certificate to trust the cert.
So I manually need to download “DSTRootCAX3.crt” and put it into the chain.
The problem is that on auto-renewing by certbot, this needs to be done manually after the cronjob.

How can I automatically let the root cert be inserted by certbot on renewing?

Thanks!

1 Like

Including the root certificate is pointless, so Certbot is never going to do it by default. You can add a deploy hook to achieve that effect, though.

This will create a hook at /etc/letsencrypt/renewal-hooks/deploy/add-root.sh, which will produce a fullchain-with-root.pem variant after every renewal or issuance:

echo "cat \$RENEWED_LINEAGE/fullchain.pem /etc/letsencrypt/root.pem > \$RENEWED_LINEAGE/fullchain-with-root.pem" > /etc/letsencrypt/renewal-hooks/deploy/add-root.sh && chmod +x /etc/letsencrypt/renewal-hooks/deploy/add-root.sh

Make sure to download the root certificate to /etc/letsencrypt/root.pem first.

2 Likes

Note that the root certificate Let’s Encrypt uses is going to change next year – simply hardcoding the current one will fail eventually.

2 Likes
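A sturdier variant of the deploy hook from this thread, as an added example (not code from any poster or from Certbot): before writing fullchain-with-root.pem it checks that the saved root really verifies the top certificate of the renewed chain, so a changed or expired root surfaces as a hook error instead of a silently wrong chain. The function name `add_root` is made up here, the paths are the ones used in the thread, and root.pem is assumed to be PEM-encoded.

```shell
#!/bin/sh
# Added example: save as /etc/letsencrypt/renewal-hooks/deploy/add-root.sh
# Assumption: the admin stored the root as /etc/letsencrypt/root.pem (PEM).

# add_root LINEAGE_DIR ROOT_PEM   (hypothetical helper name)
# Writes LINEAGE_DIR/fullchain-with-root.pem only when ROOT_PEM verifies the
# last certificate in fullchain.pem; otherwise returns non-zero and leaves
# any existing output file untouched.
add_root() {
    lineage=$1
    root=$2
    out="$lineage/fullchain-with-root.pem"
    [ -s "$lineage/fullchain.pem" ] || { echo "add-root: no fullchain.pem in $lineage" >&2; return 1; }
    [ -s "$root" ] || { echo "add-root: $root missing or empty" >&2; return 1; }

    tmp=$(mktemp "$lineage/.with-root.XXXXXX") || return 1
    # Keep only the last PEM block of fullchain.pem (the top of the chain).
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
         { buf = buf $0 "\n" }
         END { printf "%s", buf }' "$lineage/fullchain.pem" > "$tmp"

    # -trusted makes ROOT_PEM the only trust anchor, so the system CA store
    # cannot mask a stale root. Expiry dates are checked as well.
    if ! openssl verify -trusted "$root" "$tmp" >/dev/null 2>&1; then
        echo "add-root: $root does not verify the chain in $lineage" >&2
        rm -f "$tmp"
        return 1
    fi

    # Build the new file next to the target and rename it into place, so a
    # mail server never reads a half-written chain.
    cat "$lineage/fullchain.pem" "$root" > "$tmp" \
        && chmod 644 "$tmp" \
        && mv "$tmp" "$out"
}

# Certbot sets RENEWED_LINEAGE when it runs deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    add_root "$RENEWED_LINEAGE" /etc/letsencrypt/root.pem
fi
```

A non-zero exit from the hook is reported in Certbot's log, which is the cue to fetch the new root and rerun the hook.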
