I have a Sophos UTM 9 with web protection enabled. I found an identical topic started by @VWR32NZ very helpful in converting the Let's Encrypt cert into PKCS#12 format. However, on Android (Chrome) I was receiving the error NET::ERR_CERT_AUTHORITY_INVALID, and Qualys SSL Labs stated my certificate chain is incomplete.
Adding the -certfile flag fixed this problem for me. Below is my revised statement:
I am hardly an expert in certificate management, and don’t know if specifying both intermediary certificates is possible or advantageous. Additional advice from a pro would be much appreciated if warranted.
Thanks for Let's Encrypt, this is the best thing I’ve played with in a long while!
You should also already have that file available as chain.pem in the same place where you found cert.pem (because people need to use it when configuring a server, the CA already provides it when issuing the cert and the client saves a copy!).
Its contents do need to get served somehow; the cert.pem is an end-entity cert (i.e., a cert describing your site), not an intermediate cert describing a CA, so it’s not redundant at all to use both of them.
Thank you, after testing to ensure it works I have edited my original post. I have revised the command to specify cert.pem for both the -in and -certfile arguments which is easier and makes more sense. I’m sorry to say I have a pretty weak understanding of all this, so if the conversion command could be further enhanced or simplified please post your thoughts or PM me and I will edit my post again.
If you’re already passing cert.pem then it might not be necessary to use fullchain.pem (but I haven’t tested this particular command, just responding based on the original post which originally said that using the LE X1 intermediate from the Let’s Encrypt home page made it work – and chain.pem's contents are exactly identical to the LE X1 intermediate).
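A way to check whether a converted PKCS#12 file actually carries the chain, added here as an example and not taken from any post in this thread. It builds throwaway certificates (a constructed self-signed demo CA stands in for the intermediate in chain.pem; the subjects, output file names and the password `demo` are assumptions) and counts the certificates exported with and without `-certfile`.

```shell
#!/usr/bin/env bash
# Added example. All keys and certificates are throwaway, constructed locally.
set -eu

# Create privkey.pem, cert.pem and chain.pem in directory $1. A self-signed
# demo CA stands in for the Let's Encrypt intermediate that chain.pem holds.
make_demo_certs() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuing CA" \
    -keyout "$d/ca.key" -out "$d/chain.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=utm.example.test" \
    -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/cert.pem" 2>/dev/null
}

# Print how many certificates PKCS#12 file $1 (password $2) contains.
count_p12_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_demo_certs "$work"

# Leaf only: a client that does not already know the issuer cannot build a
# path, which is what an "incomplete chain" report describes.
openssl pkcs12 -export -inkey "$work/privkey.pem" -in "$work/cert.pem" \
  -out "$work/leaf-only.p12" -passout pass:demo

# Leaf plus issuer: -certfile adds the certificates in chain.pem to the bundle.
openssl pkcs12 -export -inkey "$work/privkey.pem" -in "$work/cert.pem" \
  -certfile "$work/chain.pem" -out "$work/with-chain.p12" -passout pass:demo

echo "leaf-only.p12:  $(count_p12_certs "$work/leaf-only.p12" demo) certificate(s)"
echo "with-chain.p12: $(count_p12_certs "$work/with-chain.p12" demo) certificate(s)"
```

Running `count_p12_certs` against the file you are about to upload to the appliance shows whether the intermediate made it into the bundle before any client has to complain.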