Specify custom CA with certbot

tmontney · February 3, 2025, 6:40am

Running certbot register --agree-tos -m admin@foo.bar --server https://ca.foo.bar --no-eff-email results in "certificate verify failed". The following commands do not fail verification:

curl https://ca.foo.bar --cacert /path/to/ca.pem
openssl s_client -connect ca.foo.bar:443

The full chain (subordinate CA) has been imported into the trust store of the host (as indicated by the success of the openssl command). certbot is 1.3.0.

I'm running my own CA with a custom ACME web server implementation. Is there a way to specify a .pem path?

webprofusion · February 3, 2025, 6:52am

On linux, apps and/or runtimes can have their own trust stores and a lot depends on how they were installed and which libraries they use etc.

Here is a guide using a Custom CA which sets an environment variable to give certbot a custom root to trust:

tmontney · February 4, 2025, 3:06am

That did it!

The resulting command ends up being REQUESTS_CA_BUNDLE=/path/to/ca.pem certbot register --agree-tos -m admin@foo.bar --server https://ca.foo.bar --no-eff-email

Glad it wasn't due to my severely outdated certbot package (something I realized shortly after making this post).

system · March 6, 2025, 3:06am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Boulder's functional scople Help	6	448	May 1, 2022
Changing the ca-bundle with custom --server Client dev	5	987	July 20, 2019
Configuring Certbot to connect via proxy Help	9	3274	March 2, 2022
Error in chain.pem and fullchain.pem file Client dev	3	2167	January 3, 2020
Issue with acme keys Help	6	6113	November 20, 2019

Specify custom CA with certbot

Related topics