Am Jam writes:

> > Most likely, you're not requesting a full chain from acme-client, or you
> > haven't given the full chain certificate a name relayd will pick up
> > automatically.
>
> According to relayd.conf(5), relayd should pick up my full chain
> certificate.
>
> # /etc/ssl
> drwxr-xr-x 3 root wheel 512B Dec 27 2021 acme/
> drwx------ 2 root wheel 512B Oct 25 19:57 private/
> -r--r--r-- 1 root wheel 341K Sep 14 19:34 cert.pem
> -r--r--r-- 1 root wheel 2.1K Oct 25 19:59 src.domain.io.crt
> -r--r--r-- 1 root wheel 3.8K Oct 25 19:59 src.domain.io.fullchain.pem
> -rw-r--r-- 1 root wheel 504B Oct 26 17:46 src.domain.io.ocsp
> -rw-r--r-- 1 root wheel 504B Oct 26 13:58 src.domain.io.ocsp.pem

relayd will pick up src.domain.io.crt, which is probably not a full chain certificate. It won't pick up src.domain.io.fullchain.pem, which is (probably) a full chain cert. As I can't see your acme-client.conf or your previous httpd.conf that worked without TLS errors, I'm guessing your old httpd.conf specified src.domain.io.fullchain.pem as its certificate instead of src.domain.io.crt, which is why it worked, and your acme-client.conf probably only writes a full chain to src.domain.io.fullchain.pem.
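
One way to confirm the guess in the reply above, as an added example that is not part of the original thread: count the PEM certificate blocks in the file relayd loads (name.crt, per the reply) and in the fullchain file. The function names and the placeholder PEM contents are constructed for illustration; point `check_relayd_cert` at /etc/ssl and the real server name to check a live host.

```sh
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.

# Print the number of PEM certificate blocks in file $1 (0 if unreadable).
count_certs() {
    if [ -r "$1" ]; then
        # grep -c exits non-zero on a zero count, so mask the status.
        grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Assumption (from the reply): relayd loads <dir>/<name>.crt, and
# acme-client writes the chain to <dir>/<name>.fullchain.pem.
check_relayd_cert() {
    dir=$1 name=$2
    crt="$dir/$name.crt"
    chain="$dir/$name.fullchain.pem"
    n_crt=$(count_certs "$crt")
    n_chain=$(count_certs "$chain")
    if [ "$n_crt" -ge 2 ]; then
        echo "ok: $crt holds $n_crt certificates"
    elif [ "$n_crt" -eq 1 ] && [ "$n_chain" -ge 2 ]; then
        echo "leaf-only: $crt holds 1 certificate, $chain holds $n_chain"
    elif [ "$n_crt" -eq 1 ]; then
        echo "leaf-only: $crt holds 1 certificate, no chain file found"
    else
        echo "missing: no certificate in $crt"
    fi
}

# Write $2 constructed placeholder PEM blocks (not real certificates) to $1.
write_fake_pem() {
    : > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
            '-----END CERTIFICATE-----' >> "$1"
        i=$((i + 1))
    done
}

# Constructed sample mirroring the file names in the listing above.
demo=$(mktemp -d)
write_fake_pem "$demo/src.domain.io.crt" 1
write_fake_pem "$demo/src.domain.io.fullchain.pem" 2
check_relayd_cert "$demo" src.domain.io
rm -rf "$demo"
```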