DevelopingSpace / starchart

A self-serve tool for managing custom domains and certificates
MIT License

Confirm certificate received from Let's Encrypt #490

Closed Ririio closed 1 year ago

Ririio commented 1 year ago

The certificate seems to be rendering duplicates of itself as can be seen here

image

Looking through the database, something seems to be occurring from the back-end for this to occur

image

humphd commented 1 year ago

cc @cychu42

Eakam1007 commented 1 year ago

Small update: Seems like the first part is the user certificate, and the second part is the intermediate certificate

humphd commented 1 year ago

From the LE forums:

  • cert.pem is the certificate for your domain and, among others, contains your public key;
  • chain.pem contains the intermediate certificate, the certificate from Let’s Encrypt containing the public key which is “coupled” to the private key which signed your certificate (the one above). This intermediate certificate is required for clients to verify your certificate;
  • fullchain.pem is a concatenation of cert.pem and chain.pem in one file. In most servers you’ll specify this file as the certificate, so the entire chain will be sent at once. Some clients require you to specify the above two files separately. In that case you won’t need fullchain.pem;
  • privkey.pem is, no shocker here, your private key, linked to the public key which is stored in your certificate.

So it sounds like we are showing users the fullchain.pem and privkey.pem. That is probably OK, but we could explain it.

@dadolhay does this match your understanding, too?

Ririio commented 1 year ago

> From the LE forums:
>
>   • cert.pem is the certificate for your domain and, among others, contains your public key;
>   • chain.pem contains the intermediate certificate, the certificate from Let’s Encrypt containing the public key which is “coupled” to the private key which signed your certificate (the one above). This intermediate certificate is required for clients to verify your certificate;
>   • fullchain.pem is a concatenation of cert.pem and chain.pem in one file. In most servers you’ll specify this file as the certificate, so the entire chain will be sent at once. Some clients require you to specify the above two files separately. In that case you won’t need fullchain.pem;
>   • privkey.pem is, no shocker here, your private key, linked to the public key which is stored in your certificate.
>
> So it sounds like we are showing users the fullchain.pem and privkey.pem. That is probably OK, but we could explain it.
>
> @dadolhay does this match your understanding, too?

How would we know which one of the certificates is which?

Eakam1007 commented 1 year ago

I decoded the certificate with an online tool, and it gave me a common name of Pebble Intermediate CA 345aaa for the second one. The first one had *.user3.starchart.com

humphd commented 1 year ago

@Eakam1007 right, that makes sense. So it's the cert + intermediate cert (Pebble is our Let's Encrypt in dev).

Eakam1007 commented 1 year ago

#524 is related to this
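
One way to tell the two blocks apart locally, as an added example that is not part of the thread or the starchart code base: ACME (RFC 8555, section 9.1) returns the chain with the end-entity certificate first, so position identifies the leaf, and anything that is not a certificate block is rejected. `splitFullChain` and `fakePem` are hypothetical names, and the sample blocks are constructed stand-ins, not real certificates.

```javascript
// Added example: split an ACME fullchain.pem into leaf and intermediates.
// RFC 8555 section 9.1: the end-entity certificate comes first, followed by
// the certificate(s) that certify it. Runs on Node.js with no dependencies.
const PEM_BLOCK =
  /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([A-Za-z0-9+/=\r\n]+?)-----END \1-----/g;

// Hypothetical helper: returns the leaf, the remaining chain, and a count.
function splitFullChain(pem) {
  const blocks = [];
  for (const [text, label, body] of pem.matchAll(PEM_BLOCK)) {
    // A private key pasted into the chain must never be handled as a certificate.
    if (label !== "CERTIFICATE") {
      throw new Error(`unexpected PEM block: ${label}`);
    }
    const der = Buffer.from(body.replace(/\s+/g, ""), "base64");
    // A DER-encoded certificate is an ASN.1 SEQUENCE, so it starts with 0x30.
    if (der.length === 0 || der[0] !== 0x30) {
      throw new Error("CERTIFICATE block does not contain DER data");
    }
    blocks.push(text + "\n");
  }
  if (blocks.length === 0) {
    throw new Error("no certificates found");
  }
  return {
    certificate: blocks[0],          // corresponds to cert.pem
    chain: blocks.slice(1).join(""), // corresponds to chain.pem
    count: blocks.length,
  };
}

// Constructed stand-ins: tiny DER SEQUENCEs wrapped in PEM armour.
function fakePem(label, lastByte) {
  const b64 = Buffer.from([0x30, 0x03, 0x02, 0x01, lastByte]).toString("base64");
  return `-----BEGIN ${label}-----\n${b64}\n-----END ${label}-----\n`;
}
const leaf = fakePem("CERTIFICATE", 1);
const intermediate = fakePem("CERTIFICATE", 2);

const parts = splitFullChain(leaf + intermediate);
console.log(parts.count, parts.certificate === leaf, parts.chain === intermediate);
```

Position only tells you what the issuer claims to have sent; the subject and issuer names still come from decoding each block, as done in the thread.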