How can I properly convert the certificates obtained by Caddy from LE into a fullchain?

1. Caddy version (caddy version): v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

a. System environment:

Void Linux running in KVM, Caddy gets started via Runit and is run inside a minijail sandbox.

b. Command:

minijail0 -l -n -v -b /etc/resolv.conf -b /etc/ssl/ -u caddy -g fantasycookie17 -C /srv/caddy /caddy run

c. Service/unit/compose file:

#include <stdio.h>
#include <unistd.h>

/* Service entry point: exec minijail0 with the sandbox options and let it
 * run /caddy inside the jail. By execve convention argv[0] is the program
 * name and option parsing starts at argv[1], so "minijail0" comes first. */
int main(void) {
    char *const argv[] = { "minijail0", "-l", "-n", "-v", "-b", "/etc/resolv.conf", "-b", "/etc/ssl/", "-u", "caddy", "-g", "fantasycookie17", "-C", "/srv/caddy", "/caddy", "run", NULL };
    char *const envp[] = { "HOME=/home", NULL };
    execve("/usr/bin/minijail0", argv, envp);
    perror("execve");   /* only reached when execve itself fails */
    return 1;
}

d. My complete Caddyfile or JSON config:

Caddyfile:

{
	http_port 8008
	https_port 8443
	admin off
}

fantasycookie17.cf {

	root * /htdocs/fantasycookie17.cf/

	import /headers

	tls {
		protocols tls1.3
		curves x25519
	}

	encode zstd gzip
	templates {
		between "{[" "]}"
	}

	file_server {
		browse /htdocs/browsetemplate.html
	}

}

nextcloudsrv.tk {

	root * /htdocs/nextcloudsrv.tk/

	import /headers

	tls {
		protocols tls1.3
		curves x25519
	}

	encode zstd gzip

	file_server

}

fantasycookie17.onederfultech.com {

	root * /htdocs/fantasycookie17.cf/

	handle /.well-known/matrix/* {
		file_server
	}

	handle {
		redir https://fantasycookie17.cf{uri} permanent
	}

	import /headers

	tls {
		protocols tls1.3
		curves x25519
	}
}

headers:

header {
	# Security
	Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
	X-Content-Type-Options nosniff
	X-Permitted-Cross-Domain-Policies none
	Referrer-Policy no-referrer
	Feature-Policy "accelerometer 'none'; autoplay 'none'; camera 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; usb 'none'"
	Expect-CT "max-age=31536000, enforce"

	#Privacy
	Tk N

	#Caching
	/static/* Cache-Control max-age=345600
	
	#Allow Matrix clients to work
	header /.well-known/matrix/client access-control-allow-origin "*"
}

#CSP
route {
	header 				Content-Security-Policy "default-src 'none'; style-src 'self'; img-src 'self'; base-uri 'self'; block-all-mixed-content; frame-ancestors 'none'; form-action 'self'; require-trusted-types-for 'script';"
	header /services/stickerpicker/* Content-Security-Policy "default-src 'self' https://fantasycookie17.onederfultech.com:8448; base-uri 'self'; script-src 'self'; block-all-mixed-content; form-action 'self'; require-trusted-types-for 'script';"
}

#MIME
route {
	header *.html			Content-Type text/html
	header */			Content-Type text/html
	header *.css			Content-Type text/css
	header *.js			Content-Type text/javascript
	header *.png			Content-Type image/png
	header /favicon.ico		Content-Type image/png
	header *.json 			Content-Type application/json
	header /.well-known/matrix/*	Content-Type application/json
	header /downloads/zsh*		Content-Type text/plain
	header *.zip			Content-Type application/zip
	header *.xml			Content-Type application/xml
}

3. The problem I’m having:

I want to use the certificates that Caddy obtains from Let’s Encrypt for other services as well. However, to make them trusted, a full chain certificate is needed, which isn’t what Caddy fetches.

4. Error messages and/or full log output:

void-caddy# openssl verify fullchain.pem
fullchain.pem: CN = fantasycookie17.cf
error 20 at 0 depth lookup:unable to get local issuer certificate

5. What I already tried:

My script I use that I think should work for generating the full chain, however, it doesn’t:

#!/bin/sh

# Caddy's certificate storage for the Let's Encrypt production directory
cd /srv/caddy/home/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/ || exit 1

# re-encode the leaf as PEM, then append the R3 intermediate and the ISRG root
openssl x509 -in fantasycookie17.cf/fantasycookie17.cf.crt -out fantasycookie17.cf/fantasycookie17.cf.pem -outform PEM
cat fantasycookie17.cf/fantasycookie17.cf.pem /etc/ssl/lets-encrypt-r3.pem /etc/ssl/certs/ISRG_Root_X1.pem > fantasycookie17.cf/fullchain.pem
rm fantasycookie17.cf/fantasycookie17.cf.pem

# copy the results to the hosts that use them
scp -r fantasycookie17.onederfultech.com/ caddy@192.168.100.13:/srv/caddy/tls/
scp -r fantasycookie17.cf/ tls-manager@192.168.100.60:/etc/ssl/

Note: /etc/ssl/lets-encrypt-r3.pem was downloaded from https://letsencrypt.org/certs/lets-encrypt-r3.pem.

6. Links to relevant resources:

“How can I get fullchain certificate from Caddy?” is basically the same question, however, it did not really get answered, with OP resorting to Certbot instead (I used to use Certbot, however, for various reasons I do not use it anymore).

Please upgrade to Caddy v2.3.0!

You can’t use path matchers within a header block – you’ll need to split those out to their own header directive lines instead. Caddy will be turning those into header replacement operations, which don’t make sense here (see the output of caddy adapt --pretty to see what I mean)

Most of these won’t work either, because inline path matchers must begin with /. So you’ll need to use a named matcher for each of these. You might want to use import with args to avoid repetition.

But actually, you shouldn’t even need most of these, because Caddy should handle MIME types automatically. Make sure you have the mailcap package, or whatever is the equivalent on Void Linux, available to Caddy, which provides the mapping of file extensions to their MIME types (MIME types are a concept from email, but were adopted by web servers for a similar purpose).

This probably isn’t necessary, because the .crt files from Caddy are already PEM files (just a different file extension).

One trick you could use, if your site is accessible with a web browser – open your site with Firefox, click on the lock icon in the address bar, click the right arrow to view details, click “More Information”, then click “View Certificate”. You’ll see a new tab with the details of the certificate chain from the connection. In there, there’s a link to download or view the full chain under a PEM (chain) link.

You can then compare your CLI commands’ output against that, to see if they match. The ones in CLI may have newlines every 64 chars of the base64, but that’s just an optimization for human readability and shouldn’t affect behaviour.


Strange. I actually thought I had my system set up in a way where it updates automatically…

I’ll keep that in mind.

Thanks, I’ll look into that.

They’re in fact not the same. Output of what my script does:


What Caddy serves:


One difference I see is you have an extra newline there between the ASCII armor. That’s probably incorrect.

And what Caddy serves seems to be the same leaf cert and intermediate cert, but a different root cert.

Please note that once you upgrade to Caddy v2.3.0, Caddy may use either ZeroSSL or Let’s Encrypt as an issuer, so if you must, you may want to lock to just one issuer for practical reasons (I wouldn’t recommend it because having more than one issuer gives you redundancy, but anyways).

Can you expound on this? Let’s Encrypt’s root is already in the major trust stores.

There are now multiple chains of trust that can be made for Let’s Encrypt certificates.

This is a different situation, as that thread is about Caddy’s self-signed root, which needs to be installed into a trust store or manually trusted. You’re asking about Let’s Encrypt, which is already in the trust stores.

To build a complete chain, if really necessary, you just need to append the proper root PEM block to the end of the leaf and intermediate PEM blocks. (Be careful about extra newlines.) If I’m not understanding… what is still not working? :thinking:

It’s what the actual file looks like though. When I just read fantasycookie17.cf.crt, I also get the same result.

Indeed, that’s what I noticed as well. Not sure why.

Well, it definitely used LE in my case, but I’ll look into locking it to that. My CAA record prohibits anything else anyway.

Sure? Can’t find it anywhere in /etc/ssl/certs/. Only ISRG and DST…

I don’t know. That’s basically what I tried to do… All I know is that both Mumble and openssl don’t seem to like the certificate I generated.

Your full chain should only have 3 certificates: root, intermediate, and leaf. Caddy serves intermediate and leaf. You just need to append the root. It looks like the output of your script produces 4 certificates.

Indeed, it does. The certificate Caddy provides contains two certificates already, of which, interestingly enough, the second one can be verified, whereas for some reason whenever the first one is present prior to the second one, openssl verify returns an error, with or without a trailing newline after the first one. My script appends both the Let’s Encrypt and ISRG certificate, however, neither changes anything.
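As an added example (not code from this thread or from Caddy), a small Python normaliser that does what the two replies above describe: it splits a PEM bundle into its blocks, drops a block that appears twice (the script appends R3 although the .crt already contains it), removes the blank lines between blocks and rewraps the base64 at 64 columns, leaving leaf, intermediate and root. The sample bundle is constructed from arbitrary bytes, not real certificates, so it only exercises the PEM handling, not X.509 validation.

```python
import base64
import binascii
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_block(der: bytes) -> str:
    """Wrap DER bytes as one PEM CERTIFICATE block, 64 base64 chars per line."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def split_pem(bundle: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in the bundle, in order."""
    ders = []
    for match in PEM_RE.finditer(bundle):
        b64 = re.sub(r"\s+", "", match.group(1))
        try:
            ders.append(base64.b64decode(b64, validate=True))
        except binascii.Error as exc:
            raise ValueError(f"block {len(ders) + 1}: bad base64 ({exc})") from exc
    return ders


def normalize_bundle(bundle: str) -> tuple[str, list[str]]:
    """Re-emit the bundle with duplicate blocks dropped and no blank lines
    between blocks; returns (pem_text, SHA-256 fingerprints of blocks kept)."""
    kept, fingerprints = [], []
    for der in split_pem(bundle):
        fp = hashlib.sha256(der).hexdigest()
        if fp in fingerprints:      # e.g. the intermediate appended a second time
            continue
        fingerprints.append(fp)
        kept.append(pem_block(der))
    return "".join(kept), fingerprints


# Constructed stand-ins for a bundle (not real certificates): the intermediate
# appears twice and blank lines separate the blocks, as in the script's output.
LEAF = pem_block(b"constructed leaf: fantasycookie17.cf" * 4)
INTERMEDIATE = pem_block(b"constructed intermediate: R3" * 4)
ROOT = pem_block(b"constructed root: ISRG Root X1" * 4)
BROKEN_BUNDLE = LEAF + "\n" + INTERMEDIATE + "\n" + INTERMEDIATE + ROOT

if __name__ == "__main__":
    fixed, fps = normalize_bundle(BROKEN_BUNDLE)
    print(f"{len(split_pem(BROKEN_BUNDLE))} blocks in, {len(fps)} out")
    print(fixed, end="")
```

Run it against the real fullchain.pem by reading the file into normalize_bundle; the fingerprint list tells you how many distinct certificates the file really contains.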

Interesting… I don’t know too much about openssl, but maybe this article will help:

There’s also something to be said for latest versions, just something to consider in case you’re running an older version. I think newer versions of most TLS clients should be able to find a valid chain rather than expecting the chain of trust to be so rigid.

You might also check the Let’s Encrypt forums. I know stuff like this is talked about all the time, and that community is way larger and more equipped to help. For example:

Good luck! Let us know what you find out.

I actually read this article when I wrote this script. Interestingly enough, when going through it again today, I noticed
openssl verify -CAfile /etc/ssl/certs/ISRG_Root_X1.pem -untrusted /etc/ssl/lets-encrypt-r3.pem fantasycookie17.cf.crt
returned
fantasycookie17.cf.crt: OK.

The first comment on the post you linked was interesting…

I’m not sure that openssl verify is intended to be run against a file agglomerating CA files and certificate.

Perhaps this explains it and it was just Mumble being weird or so? I’ll try this again…


Mumble still doesn’t like the cert that is generated… And again, the root cert is different… But yes, perhaps I may have better luck at the LE community.

Sorry, I’m lost :sweat_smile: Which root? Different from what exactly?

The ISRG root cert and the LE intermediate cert both are different from whatever cert Caddy serves as a root cert.
