Where is Bundle file?

My domain is:

I ran this command:
sudo apt-get install certbot -y

sudo certbot certonly --standalone --preferred-challenges http --agree-tos --email test@test.com -d test.test.com

It produced this output:
privkey.pem : the private key for your certificate.
fullchain.pem: the certificate file used in most server software.
chain.pem : used for OCSP stapling in Nginx >=1.3.7.
cert.pem : will break many server configurations, and should not be used
without reading further documentation (see link below).

The operating system my web server runs on is (include version):
ubuntu 22

I want to download my Bundle file which the extension is .crt .
how can I download it ?
i used cerbot command to generate ssl for my domain


Hi @saeedasadi,

The fullchain.pem file is probably the bundle that you're looking for.


Hello Thanks alot
so can I rename it to fullchain.crt

fullchain.pem is public key too ?

You can rename it but it should work without. A .pem is the same format as .crt

No, the privkey.pem is the private key. The fullchain is your "leaf" cert with the "intermediate" chain certs


I got confused.

I must upload 3 files in my CDN panel:
1- Certificate File (.crt)
2- Private Key File (.key)
3- Bundle File (.crt)

and these are files that Cerbot command installed on my domain on vps:

please help to determine that 3 file which is needed by CDN panel.

You could try this.

cert.pem is 1
privkey.pem is 2
chain.pem is 3

If that does not work ... What does your panel or hosting provider say is required for those files? Is there a description?


And note that if you're dealing with these files directly, you're almost certainly doing things in the most convoluted and difficult way possible. Ideally, your control panel has a button that just gets a certificate for you. If your hosting provider is malicious enough to not provide that to you as an included service, if you can run PHP scripts you might be able to use CertSage.


1- I setup a v2ray vpn on OVH server.
2- I want to tunnel from second server to OVH server by my country CDN provider.
3- I add A RECORD on my cdn provider and point it to OVH server.
4- because I installed lets encrypt ssl on OVH server , I dont want to use CDN's ssl by default.
5- so I must import my server ssl files to That CDN provider.
6- cdn provider needs this ssl files:
Certificate File (.crt)
Private Key File (.key)
Bundle File (.crt)

Let me see if I understand you...
You want to use a CDN [to bypass some restriction].
But you don't want to use the CDN cert [to ensure your privacy].
You are willing to manually upload a file [every 60-90 days] to main this privacy.
You have to provide the CDN your cert and private key to build this private VPN.

Once you provide anyone your private key, they can decrypt your session.
So, to me, it makes no security difference which cert the CDN uses.
But it would be simpler/automated if you used the CDN cert.

That said...
I think you might be able to tunnel securely through a "potentially insecure" tunnel.
I mean that you could encrypt the conversation from your IP to your VPN through an intermediate HTTPS connection provided by that CDN.


Hello Thanks
yes Exactly.
because my country limited all VPNs with foreign-vps location , we must use our country CDN to hide foreign-vps IP and we called this as Tunnel.
when I want to use CND's ssl , our vpn didn't work.
because on VPN panel configuration , I must enter the path of public and private key to provide https for VPN panel adress.
look at this image:

if i install CDN ssl , how can I assign it the ssl path on VPN panel like this image?

You should not be using the same cert in both locations.
The CDN will have its' own cert.
Your panel/VPN will have its' own cert.

The solution I proposed is not something you can find on a very primitive menu.
At a minimum, it would require using a proxy [to create the "insecure tunnel"] at both "ends".
And then you can use the "proxy path" to reach the VPN.

In a secure implementation, the CDN is essentially only used to create a private route over the Internet. to connect A to B through C(DN) [when A is not able to reach B directly].
The route through A-C-B would have to be forced (via proxy) when anything A (or behind A) is trying to reach anything B (or beyond B) [that is not A to B].

Maybe a picture will help explain:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.