Using acme.sh client to automatically chain files

Hi all,

I don’t have a problem obtaining a certificate, but rather I’m looking to see if this is possible…

I am running this command:

./acme.sh --issue --accountemail "email@mydomain.com" --dns dns_dreamhost -d mydomain.com --cert-file "/path/to/server/cert.pem" --key-file "/path/to/server/key.pem"

This is successfully issuing a certificate using DNS-01 with my DreamHost API Key. It really couldn’t have been simpler.

We’re running 4D Web Server, and it is looking for the key.pem and cert.pem files in that path. This is working fine. The problem that I just realized existed was that the cert.pem didn’t have the Intermediate Certificate chained to it. I manually added the contents of the intermediate file after the contents of the cert.pem file and it works fine and now validates.

Is it possible for the command line to chain these for me and copy to the paths currently in my command?

If it matters, I’m running this on macOS.

I believe I tried using the full chain cert only in the 4D server path and it didn’t work.

1 Like

Instead of:
--cert-file "/path/to/server/cert.pem"
use:
--fullchain-file "/path/to/server/fullchain.pem"

1 Like

I just discovered this…

Is this just the cert and the intermediate or does this also include the key?

1 Like

The (private) KEY is NEVER included in publicly served files.
In other words…
Change:

./acme.sh --issue --accountemail "email@mydomain.com" --dns dns_dreamhost -d mydomain.com --cert-file "/path/to/server/cert.pem" --key-file "/path/to/server/key.pem"

To:

./acme.sh --issue --accountemail "email@mydomain.com" --dns dns_dreamhost -d mydomain.com --fullchain-file "/path/to/server/fullchain.pem" --key-file "/path/to/server/key.pem"

1 Like

Got it… I think it is working. I thought I tried that when I was originally trying to get the cert to work manually.

I eventually realized I was also troubleshooting macOS not allowing 4D Server to run on port 443 even as an authenticated admin user. Still haven’t figured out how to get that to work, so I’m using port 440. The 4D app has a helper app that starts the web server supposedly for ports <1024. It works for port 80 but I can’t get 443 to bind and nothing else is using it.

1 Like

If your clients are coming from the Internet, then you can simply NAT (port forward) the external IP:443 to your internal IP:XXXXX
[which means you can use any port (even those above 1024)]

If your clients are on the same internal network… then keep reading and good luck 🙂

1 Like

Actually, I’ll point out that I’m copying the fullchain file to cert.pem still. 4D doesn’t recognize other file names to my knowledge…

1 Like

I thought about NAT translating the ports but honestly I’m hoping to fix the problem… It’s just used for some XHR data pulling so once the URL is set, it doesn’t matter what it is really…

1 Like

That's OK, you can use any name you like.

Then using a high port could get this working immediately.

1 Like

In review, I may not have clearly answered this question.
The key is ONLY contained in the key file.
Yes, the full chain file does contain the cert and the intermediate(s).

1 Like

Update… Turns out the fullchain-file from the command string only partially works. I tested it in a few free TLS checkers and some came back fine but some failed.

When I looked at the PEM file, there was an empty line between the two certificates in the chain. To my knowledge this is against the standard format. I removed that line and the test passed in one that failed before. Is there a way for this extra line to not happen automatically?


1 Like

Hi @muzicman82

then the failing TLS checkers are buggy.

The extra line shouldn't be a problem.

1 Like

Possibly, but I’m also troubleshooting a PHP cURL Error 60 with DreamHost and a 3rd-party plugin that does webhooks. It says it can’t validate the certificate. Then, I ran the checker a couple of days ago and realized it failed because I wasn’t using the fullchain file. When that line is gone, it works fine. So is PHP cURL broken?

1 Like
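The two points that came up above (the served chain file must contain the leaf plus the intermediate(s) and never the private key, and some consumers choke on the empty line acme.sh leaves between the two certificates) are easy to check mechanically before the web server loads the files. The script below is an added example written for this thread; it is not code from the thread, from acme.sh or from 4D. It uses only POSIX tools, so it runs on macOS as-is. The file paths, the `deploy_chain` function and the `/path/to/server` destination are placeholders; the `--install-cert` and `--reloadcmd` flags shown in the comment are real acme.sh options. The blank line between PEM blocks is accepted by OpenSSL-based readers, so the check treats it as cosmetic and simply strips it from the copy the server reads, while a private-key block in the chain file is treated as a hard failure.

```sh
#!/bin/sh
# Added example (not from the thread, acme.sh or 4D): validate and deploy the
# files acme.sh writes with --fullchain-file and --key-file. POSIX tools only.

# Count PEM blocks with a given label ("CERTIFICATE", "PRIVATE KEY", ...).
# "|| true" keeps grep's "no match" exit status from aborting a set -e caller;
# the count (0) is still printed.
count_blocks() {
    grep -c "^-----BEGIN $2-----\$" "$1" || true
}

# Refuse a chain file that carries any private key block (RSA/EC/PKCS#8 all
# end in "PRIVATE KEY-----"), and warn when it is only a leaf certificate,
# which is what cert.pem alone gave the original poster.
check_fullchain() {
    f=$1
    keys=$(grep -c "PRIVATE KEY-----" "$f" || true)
    if [ "$keys" -ne 0 ]; then
        echo "REFUSE: $f contains a private key block; never serve that file" >&2
        return 2
    fi
    certs=$(count_blocks "$f" CERTIFICATE)
    if [ "$certs" -lt 2 ]; then
        echo "WARN: $f has $certs certificate block(s); a full chain is the leaf plus its intermediate(s)" >&2
        return 1
    fi
    if [ "$(head -n 1 "$f")" != "-----BEGIN CERTIFICATE-----" ]; then
        echo "WARN: $f does not start with a certificate block; the leaf must come first" >&2
        return 1
    fi
    echo "OK: $f has $certs certificate blocks and no key material"
}

# Write a copy with no CR characters and no blank lines between blocks.
# OpenSSL-based readers tolerate the blank line; stricter parsers may not,
# so the server gets the normalized copy.
normalize_pem() {
    tr -d '\r' < "$1" | grep -v '^[[:space:]]*$' > "$2"
}

# Deploy step usable from acme.sh's --reloadcmd: validate, normalize, copy
# into the names the server expects (4D wants cert.pem / key.pem) and lock
# down the key. All three paths are placeholders supplied by the caller.
deploy_chain() {
    src_chain=$1; src_key=$2; dest_dir=$3
    check_fullchain "$src_chain" || return $?
    normalize_pem "$src_chain" "$dest_dir/cert.pem"
    cp "$src_key" "$dest_dir/key.pem"
    chmod 0600 "$dest_dir/key.pem"    # only the server process reads the key
    chmod 0644 "$dest_dir/cert.pem"   # the chain is public; the key is not
}

# Example wiring (placeholder paths):
#   ./acme.sh --install-cert -d mydomain.com \
#       --fullchain-file /tmp/fullchain.pem --key-file /tmp/key.pem \
#       --reloadcmd "sh deploy.sh /tmp/fullchain.pem /tmp/key.pem /path/to/server"
# When run as a script with three arguments, deploy them.
if [ "$#" -eq 3 ]; then
    deploy_chain "$1" "$2" "$3"
fi
```

Running this from `--reloadcmd` means every renewal re-checks the chain before the server sees it, so a regression to a leaf-only cert.pem, or an accidental key in the served file, fails the deploy instead of surfacing days later as a cURL "certificate cannot be validated" error.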
