Specify custom CA with certbot

Running certbot register --agree-tos -m admin@foo.bar --server https://ca.foo.bar --no-eff-email results in "certificate verify failed". The following commands do not fail verification:

  • curl https://ca.foo.bar --cacert /path/to/ca.pem
  • openssl s_client -connect ca.foo.bar:443

The full chain (subordinate CA) has been imported into the trust store of the host (as indicated by the success of the openssl command). certbot is version 1.3.0.

I'm running my own CA with a custom ACME web server implementation. Is there a way to specify a .pem path?

On Linux, apps and/or runtimes can have their own trust stores, and a lot depends on how they were installed, which libraries they use, etc.

Here is a guide using a Custom CA which sets an environment variable to give certbot a custom root to trust:

4 Likes

That did it!

The resulting command ends up being REQUESTS_CA_BUNDLE=/path/to/ca.pem certbot register --agree-tos -m admin@foo.bar --server https://ca.foo.bar --no-eff-email

Glad it wasn't due to my severely outdated certbot package (something I realized shortly after making this post).

2 Likes
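A pre-flight check for the fix the thread settled on, written as an added example (it is not code from the thread, from certbot, or from the linked guide). certbot talks to the ACME server through python-requests, which replaces its built-in CA store with whatever file REQUESTS_CA_BUNDLE (or, failing that, CURL_CA_BUNDLE) points at. The script below resolves the bundle the same way, verifies that the file actually contains PEM certificate blocks, optionally performs the same TLS handshake certbot will perform, and prints the final command line. The sample bundle is constructed and its bodies are not real certificates; ca.foo.bar, admin@foo.bar and /path/to/ca.pem are the placeholders from the thread.

```python
"""Pre-flight check before pointing certbot at a private ACME CA.

Added example, not part of the forum thread or of certbot. The environment
variable names and the ssl/requests behaviour are real; SAMPLE_BUNDLE is a
constructed stand-in and does not contain valid certificates.
"""
import base64
import os
import re
import shlex
import socket
import ssl
import sys

# One PEM certificate block; the base64 body is captured.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _pem_block(body):
    """Wrap raw bytes in PEM armour (used only to build the constructed sample)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(body).decode() + "\n"
            + "-----END CERTIFICATE-----\n")


# Constructed sample: two well-formed blocks and one with a corrupt body.
SAMPLE_BUNDLE = (
    _pem_block(b"constructed root CA placeholder")
    + _pem_block(b"constructed subordinate CA placeholder")
    + "-----BEGIN CERTIFICATE-----\nthis is not base64!!\n-----END CERTIFICATE-----\n"
)


def resolve_ca_bundle(env=None):
    """Mirror requests' lookup order: REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE.
    None means requests falls back to its bundled (certifi) store."""
    env = os.environ if env is None else env
    return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or None


def count_pem_certs(text):
    """Count PEM blocks whose body is valid base64. Zero means certbot would
    start with an empty trust store and every handshake would fail."""
    count = 0
    for body in PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        count += 1
    return count


def count_pem_certs_in_file(path):
    with open(path, encoding="ascii", errors="replace") as fh:
        return count_pem_certs(fh.read())


def build_certbot_invocation(ca_path, server, email):
    """Return (env_overrides, argv) for the register command from the thread."""
    env = {"REQUESTS_CA_BUNDLE": ca_path}
    argv = ["certbot", "register", "--agree-tos", "-m", email,
            "--server", server, "--no-eff-email"]
    return env, argv


def shell_line(env, argv):
    """Render env assignments plus argv as a single, safely quoted shell line."""
    assignments = " ".join(f"{k}={shlex.quote(v)}" for k, v in env.items())
    return assignments + " " + " ".join(shlex.quote(a) for a in argv)


def check_handshake(host, port, ca_path, timeout=5.0):
    """Do the TLS verification certbot will do, trusting only ca_path.
    Returns the peer certificate subject; raises ssl.SSLCertVerificationError
    on the same failure certbot reports. Needs network, so not run offline."""
    ctx = ssl.create_default_context(cafile=ca_path)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


if __name__ == "__main__":
    # usage: preflight.py /path/to/ca.pem https://ca.foo.bar admin@foo.bar
    ca_path, server, email = sys.argv[1:4]
    n = count_pem_certs_in_file(ca_path)
    if n == 0:
        sys.exit(f"{ca_path}: no PEM certificates found; certbot would trust nothing")
    host = server.split("//", 1)[-1].split("/", 1)[0]
    print("subject:", check_handshake(host, 443, ca_path))
    print(shell_line(*build_certbot_invocation(ca_path, server, email)))
```

Note that REQUESTS_CA_BUNDLE replaces the default store rather than adding to it, so the file must contain every CA certbot needs to trust for that run; for a private ACME server that is the private chain, which is exactly the case in the thread. The host trust store that made openssl s_client succeed is not consulted by certbot at all, which is why the original symptom and the working curl/openssl commands were not contradictory.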