After struggling for a while, I finally got LE to issue the certificates I wanted, but they don’t seem to validate. That is, if I run “openssl s_client -connect dw.cameron.edu” I get the following.

    CONNECTED(00000003)
    depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/CN=dw.cameron.edu
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFADCCA+igAwIBAgISA3IJLHapbQWvNnqwk46qVndpMA0GCSqGSIb3DQEBCwUA
    ...
    tHGuYeY0sds6FK7jWPq2XTsGjC/vTvSJpC/JcLwrN9pZPTIb
    -----END CERTIFICATE-----

I’m working with an Apache 2.2.3 server. When the certs were generated, I received four files: cert1.pem, chain1.pem, fullchain1.pem, and privkey1.pem. The private key was easy to install. My server has a ca.pem file that holds the certificate chain and a localhost.crt file that holds the certificate. I have tried installing the cert two different ways (well, actually as many ways as I can think of, but these are the main ones). I copied the fullchain1.pem file over to the ca.cert file and removed the bottom cert and moved it into the localhost.crt file. That didn’t work. I also tried copying the chain1.crt into ca.pem and cert1.pem into localhost.crt. The Apache settings are below.

    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateChainFile /etc/pki/tls/certs/ca.pem

Why can’t my server validate these certs?
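
The s_client output above lists both the leaf and the intermediate in the chain the server sent, and reports the error at depth=1, that is, while looking for the issuer of the intermediate. The following is an added example, not part of the original post: it builds a throwaway root, intermediate and leaf (all names and file names are constructed) and shows `openssl verify` failing when the verifier does not have the root and succeeding once the root is supplied with `-CAfile`.

```shell
#!/usr/bin/env bash
# Added example: constructed three-level chain, nothing here comes from the post.

new_csr() {   # new_csr <dir> <name> <CN>: fresh key plus CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_chain() {   # build_chain <dir>: writes root.pem, int.pem, leaf.pem
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_csr "$d" root "Constructed Root" &&
  new_csr "$d" int  "Constructed Intermediate" &&
  new_csr "$d" leaf "host.example.test" &&
  # Self-signed root: the certificate a client must already trust.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null &&
  # Intermediate signed by the root: what the server sends as its chain file.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null &&
  # Leaf signed by the intermediate: what the server sends as its certificate.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Verifier that receives leaf + intermediate but has no copy of the root.
# Fails like the s_client run: the issuer of the depth-1 cert cannot be found.
verify_without_root() {
  openssl verify -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1
}

# Same chain, but the verifier is told which root to trust.
verify_with_root() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1
}

d=$(mktemp -d) && build_chain "$d" || exit 1
echo "== verifier without the root =="; verify_without_root "$d"
echo "== verifier with -CAfile root.pem =="; verify_with_root "$d"
```
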