Open hryamzik opened 4 years ago
Hi.
simp_le was never ever designed to work with self signed cert.
just ignore it if it's not valid. I can't start web server without a cert, I can't issue a cert without a web server.
I can't imagine a self signed cert would actually work for bootstrapping anyway -- I would expect the ACME server to complain and refuse to connect.
It doesn't care. I've used this approach since letsencrypt was introduced.
As a workaround I've added rm -v fullchain.pem before first simp_le run and everything worked as expected.
I suppose I don't have an objection to simp_le just issuing a warning in this case. I'd be willing to accept a patch that changed the behavior.
I think the issue here might be that simp_le expects the certificate and the intermediate in fullchain.pem (the two PEM encoded messages it alludes to).
It doesn't care.
I confirm that, ACME does not validate certificates to avoid being locked with an expired one that can't be renewed.
@hryamzik could you try replacing -out fullchain.pem with -out cert.pem in your openssl command?
It's just the filename. And if I point nginx to cert.pem it won't get a full chain when letsencrypt cert is generated.
I create a self-signed cert to let nginx start:
simp_le fails with the following message: