fullchain.pem

[JoyceBabu]

How can I generate fullchain.pem? Why isn't it generated with the other files?

[xenolf]

Hello there! The file we generate only has the intermediate and the client certificate in it which should generally be enough. What is your usecase where you need the CA cert as well?

[JoyceBabu]

I did not realize that the .crt file contained the Lets Encrypt CA certificate too. Sorry.

[im7mortal]

To generate fullchain.pem

certificates, failures := client.ObtainCertificate([]string{"example.com"}, b, nil, false)
// ...
fullchain := []byte{}
fullchain = append(fullchain, certificates.Certificate...)
fullchain = append(fullchain, certificates.IssuerCertificate...)

Then

ioutil.WriteFile("cert.pem", certificates.Certificate, 0644)
ioutil.WriteFile("chain.pem", certificates.IssuerCertificate, 0644)
ioutil.WriteFile("fullchain.pem", fullchain, 0644)
ioutil.WriteFile("privkey.pem", certificates.PrivateKey, 0640)

[Poikilos]

Uh, where does that code go?

Use cases:

• weechat (my case)
• znc: https://community.letsencrypt.org/t/all-in-one-certificate-file-for-obscure-server-software-znc/3717/4
  • mentions to combine, in order, privkey.pem, cert.pem, chain.pem
  • for me, this worked for znc:

SOLVED for ZNC

ZNC_CERTS_DIR=/home/znc/.znc/certs
mkdir -p $ZNC_CERTS_DIR || exit $?
cp -p /var/letse/$LETSE_USER/certificates/example.com.* $ZNC_CERTS_DIR/ || exit $?
cd $ZNC_CERTS_DIR || exit $?
cat *.key *.crt                >  znc.pem
cat /etc/ssl/certs/dhparam.pem >> znc.pem
chown znc:znc -R $ZNC_CERTS_DIR || exit 1 
# restart znc here (set service to run as znc user)

Examples not using lego:

• Self-signed: https://blog.weechat.org/post/2012/07/27/SSL-in-Relay-plugin
• certbot: https://gist.github.com/Chaz6/acf4774b8d71f153f51af57b8ea8bcda
• acme.sh: https://gist.github.com/meskarune/3f026c1a776ae54bdc139949e6f949c4
• certhub: https://certhub.readthedocs.io/en/latest/certhub-lego-run.1.html

Related issues:

• 316

  • which cites: https://github.com/go-acme/lego/issues/1264#issuecomment-702559799

SOLVED for weechat

Used different order for weechat recommended by Glowing Bear's Getting Started, constructing fullchain.pem same way as "where does that code go" above:

RELAY_DOM=example.com
RELAY_CERTS_DIR=/home/weechat/.weechat/certs
# ^ weechat's default location for relay.pem
mkdir -p $RELAY_CERTS_DIR || exit $?
cp -p /var/letse/$LETSE_USER/certificates/example.com.* $RELAY_CERTS_DIR/ || exit $?
cd $RELAY_CERTS_DIR || exit $?

cat $RELAY_DOM.crt $RELAY_DOM.issuer.crt > fullchain.pem
cat fullchain.pem $RELAY_DOM.key > relay.pem
# ^ key last as per Glowing Bear "Getting Started" guide

chown weechat:weechat -R $RELAY_CERTS_DIR || exit 1 
# restart weechat here (set service to run as weechat user)

• get relay etc:

  sudo apt install weechat-plugins

• First, to avoid getting stuck in chat (tell me if u know how to get back to weechat buffer...), run it with --no-connect such as:

  su weechat -
  killall weechat
  killall weechat-headless
  weechat --no-connect

• I had to enable the relay plugin manually on weechat 2.3:

  /plugin load relay
  /set plugins.autoload "relay"
  /relay sslcertkey
  /save

• And I set auth to TLS as recommended by Glowing Bear.

  /set relay.network.password <see weechat relay password>
  /set relay.network.ssl_priorities "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1"
  /set relay.network.ssl_dhkey_size 4096
  /relay sslcertkey
  /relay listrelay
  /relay del weechat
  /relay sslcertkey
  /relay add ssl.weechat 9001
  /save
  /quit

Remaining concerns:

• "Uh, where does that code go?" (above is a workaround based on that code)
• Still, it would be nice to configure lego to generate fullchain.pem (and document which file is the private key), instead of this whole process being in the form of tribal knowledge.