Web and certificates

Posted on April 30, 2020

I wanted to use a Let’s Encrypt certificate with my Nginx server. This is something really simple in principle. Here’s the catch: if something goes wrong, nothing tells you where to look.

Let’s Encrypt

First, I got a certificate from Let’s Encrypt. There’s like a billion articles on this subject online, I just used acme.sh. It works, even if the documentation could be improved.

Just a reminder: the manual DNS mode means you’ll have to edit your DNS records each time you renew your certificates.

The problem I had

Nginx is happy: I give it the certificate I got from LE, stored in /root/.acme/ndd/ndd.cer. When I visit my websites with the different browsers I use, everything is fine.

Problem: git cannot access my website and tells me it can’t verify my certificate.

$ git clone https://example.com/Something/there.git/
Cloning into 'there'...
fatal: unable to access 'https://example.com/Something/there.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

The problem seems to be that I don’t have the right certification authority certificates on my computer. But, actually, I do have them.

So, what’s going on? Git (actually, curl) needs to access an HTTPS website, which browsers are perfectly OK with, but curl tells me it isn’t. Who’s lying?

The solution

Now, here’s what I learned the last time I configured my Nginx: you have to provide a full-chain certificate. Nginx is perfectly OK with the one provided by acme.sh that you find in /root/.acme/ndd/ndd.cer, but it’s actually partial! It contains only your certificate, not the intermediate ones.

To get the intermediate certificates, I downloaded them from whatsmychaincert.com. It tests the certificate chain and provides the intermediates if your website doesn’t serve them.

Getting everything working is a piece of cake:

# cat /root/.acme/ndd/ndd.cer chain.cer > full-chained-ndd.cer
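Why browsers and curl disagree: a browser that receives only the leaf certificate will usually fetch the missing intermediate itself (from the URL in the certificate's Authority Information Access extension) or already has it cached from another site, while curl and git only check what the server actually sends against the CA file named in the error. The following shell functions are an added example, not part of the original post or of acme.sh; they assume openssl is installed and reuse the file names and the CA file path from the post. They let you count the certificates in a bundle, build the full chain with the leaf first, verify it the same way curl does, and see how many certificates a live server hands out during the handshake.

```shell
#!/bin/sh
# Added example (not from the post): sanity checks for the bundle Nginx serves.
# Assumes openssl is on PATH; paths and file names are the ones from the post.

# Number of PEM certificates in a file. The leaf alone gives 1.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Build the bundle Nginx needs: the server certificate first, then the
# intermediates, in issuing order. Fails if the result is no longer
# than the leaf, i.e. the chain file was empty or not PEM.
build_fullchain() {
    leaf=$1
    chain=$2
    out=$3
    cat "$leaf" "$chain" > "$out" || return 1
    [ "$(count_certs "$out")" -gt "$(count_certs "$leaf")" ]
}

# Verify the leaf against the CA file git/curl complained about, using
# the intermediates as untrusted helpers. This is the check curl performs;
# with an empty chain file it fails just like the git clone did.
verify_chain() {
    openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt \
        -untrusted "$2" "$1"
}

# How many certificates a live server sends in the TLS handshake.
# A result of 1 reproduces the post's symptom: browsers cope, curl does not.
served_cert_count() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Typical use, with the post's file names:
#   build_fullchain /root/.acme/ndd/ndd.cer chain.cer full-chained-ndd.cer
#   verify_chain /root/.acme/ndd/ndd.cer chain.cer
#   served_cert_count example.com
```

The order matters: Nginx expects the server certificate first, followed by the intermediates, and will reject or mis-serve a bundle with the order reversed. If `served_cert_count` reports 1 after the change, Nginx is still pointing at the old file or has not been reloaded. acme.sh also writes a `fullchain.cer` next to the leaf certificate; if that file is present, it is the one to point `ssl_certificate` at, which makes the manual concatenation unnecessary.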

That’s great… but I do think this problem could have been simpler to solve.

Error messages, documentation

I followed the acme.sh guide to get a certificate, and I got one. The configuration was OK for Nginx, so I didn’t check the guide for a configuration error, since there wasn’t an actual error. Then, I used my browsers and they seemed fine. Finally, I got an error from git (and curl), and it wasn’t clear at all.

I searched for hours.

Thanks SSLMate, you did a great job providing an online tool to test this specific problem.