I am installing a letsencrypt server on my own server for a virtual host.
After creating the certificate successfully, I get a message like:

```
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.net/privkey.pem
```
(I have changed the domain to protect the, well, for no reason, actually).
When I look in the directory, I find the following:

```
$ ls /etc/letsencrypt/live/example.net
cert.pem@ chain.pem@ fullchain.pem@ privkey.pem@ README
```
So, I have four links pointing to four real files.
In my `.conf` file I have something like this (using Version 1):

```apache
<VirtualHost *:443>
    ServerName example.net:443
    ServerAlias *.example.net
    ServerAdmin mark@example.net
    VirtualDocumentRoot /data/httpd/html/example.net/%-3
    SSLEngine on
    # Version 1
    SSLCertificateFile /etc/letsencrypt/live/example.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.net/chain.pem
    # Version 2
    # SSLCertificateFile /etc/letsencrypt/live/example.net/fullchain.pem
    # SSLCertificateKeyFile /etc/letsencrypt/live/example.net/privkey.pem
</VirtualHost>
```
I have seen other documentation using Version 2.
The question is: given that the message mentions only two files, and that there are really four files, what is the correct configuration for using letsencrypt with a Virtual Host?
Best Answer
`cat cert.pem chain.pem` is equivalent to `cat fullchain.pem`. In other words, the fullchain.pem file is just the combination of cert.pem and chain.pem. See the following SuperUser question for more about SSL certificate chains.

I'm not certain on the Apache end, but it seems like Version 1 simply took in the two files (cert.pem and chain.pem) and then internally concatenated them, while Version 2 just asks for the concatenated version. I would assume most web servers now just ask for the SSLCertificateFile (aka the "fullchain.pem") and the private key.