andyzib / LetsEncrypt-PRTG

Post request script to install an SSL certificate obtained with Certify the Web or win-acme in PRTG.
MIT License

Need to add Let's Encrypt Intermediate #3

Closed andyzib closed 2 years ago

andyzib commented 2 years ago

Need to add Let's Encrypt Intermediate to prtg.cert or SSL Labs will cap grade at B; some devices like iOS may be forced to download the intermediate and get an out-of-date cert. Just add ISRG Root X1 https://letsencrypt.org/certificates/ (PEM format) to prtg.crt first, then add the actual cert.

andyzib commented 2 years ago

It's been a while. The intermediate CA is written to root.pem, but it seems the PRTG webserver doesn't provide the chain to clients.

andyzib commented 2 years ago

Used Paessler Certificate Importer to verify what PRTG wants in root.pem.

  1. prtg.crt first
  2. subject=C = US, O = Let's Encrypt, CN = R3, issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
  3. subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1, issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

Will update script to produce the same results as Paessler Certificate Importer.

andyzib commented 2 years ago

SSL Labs will throw a "Chain issues: Contains anchor" when Paessler Certificate Importer is used. Removing ISRG Root X1 from root.pem resolves this, and is the proper way. Will update script accordingly. PRTG is happy with this arrangement.
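
The fix described in the last comment, sketched with openssl as an added example (not the repository's PowerShell script): any self-issued certificate is dropped from the chain file so that only the leaf and intermediate are served. The function names, file names and certificate subjects are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of LetsEncrypt-PRTG. Function and file names are hypothetical.

# Print the PEM bundle in $1 with self-issued certificates (trust anchors) removed.
# Subject and issuer names are compared; signatures are not verified.
strip_anchor() {
    bundle=$1
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate: cert.01, cert.02, ...
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert.%02d", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for f in "$tmp"/cert.*; do
        [ -e "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        if [ "$subject" = "$issuer" ]; then
            echo "dropping anchor: $subject" >&2
        else
            cat "$f"
        fi
    done
    rm -rf "$tmp"
}

# Constructed sample: throwaway root -> intermediate -> leaf, bundled leaf-first
# in $1/bundle.pem. The intermediate has no CA extensions; only names matter here.
make_test_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
        -subj "/CN=Constructed Test Root" -days 1 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Constructed Test Intermediate" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/int.crt" -days 1 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=prtg.example.test" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.crt" -days 1 2>/dev/null || return 1
    cat "$d/leaf.crt" "$d/int.crt" "$d/root.crt" > "$d/bundle.pem"
}
```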