Specify custom CA with certbot

tmontney · February 3, 2025, 6:40am

Running certbot register --agree-tos -m admin@foo.bar --server https://ca.foo.bar --no-eff-email results in "certificate verify failed". The following commands do not fail verification:

curl https://ca.foo.bar --cacert /path/to/ca.pem
openssl s_client -connect ca.foo.bar:443

The full chain (subordinate CA) has been imported into the trust store of the host (as indicated by the success of the openssl command). certbot is 1.3.0.

I'm running my own CA with a custom ACME web server implementation. Is there a way to specify a .pem path?

webprofusion · February 3, 2025, 6:52am

On linux, apps and/or runtimes can have their own trust stores and a lot depends on how they were installed and which libraries they use etc.

Here is a guide using a Custom CA which sets an environment variable to give certbot a custom root to trust:

tmontney · February 4, 2025, 3:06am

That did it!

The resulting command ends up being REQUESTS_CA_BUNDLE=/path/to/ca.pem certbot register --agree-tos -m admin@foo.bar --server https://ca.foo.bar --no-eff-email

Glad it wasn't due to my severely outdated certbot package (something I realized shortly after making this post).

Topic		Replies	Views
Getting certbot to trust non_public CA Cert Chain on Windows Help	4	1195	July 21, 2021
Changing the ca-bundle with custom --server Client dev	5	1049	July 20, 2019
Adding root cert to trust store on Linux Help	4	2260	March 7, 2021
Certbot creates cert.pem without intermediate certificate Help	30	2435	September 9, 2023
Setting up ACME for my server Help	18	381	September 17, 2025

Specify custom CA with certbot

Related topics