I want to provide a quick update.

It took some time, but renaming the certificates actually worked. I don't
know why it didn't work immediately, despite several "# rcctl restart
relayd" commands, but after some time it just started working.

I no longer receive SSL certificate errors when running "git clone" and
"curl". I also tested a "git push", and it worked perfectly.


Thanks again for your help.

On Sun, Oct 27, 2024 at 10:22 AM Am Jam <intd...@gmail.com> wrote:

> On Sat, Oct 26, 2024 at 11:32 PM Anthony J. Bentley <anth...@anjbe.name>
> wrote:
>
>> relayd will pick up src.domain.io.crt, which is probably not a
>> full chain certificate. It won't pick up src.domain.io.fullchain.pem,
>> which is (probably) a full chain cert.
>>
>> As I can't see your acme-client.conf or your previous httpd.conf that
>> worked without TLS errors, I'm guessing your old httpd.conf specified
>> src.domain.io.fullchain.pem as its certificate instead of
>> src.domain.io.crt, which is why it worked, and your acme-client.conf
>> probably only writes a full chain to src.domain.io.fullchain.pem.
>>
>
> Anthony, thank you for your generous time troubleshooting with me here.
> Your assumptions are correct; however, the obvious solution of renaming the
> fullchain certificate file doesn't appear to work.
>
> # acme-client.conf
>  domain src.domain.io {
>         domain key "/etc/ssl/private/src.domain.io.key"
>         domain certificate "/etc/ssl/src.domain.io.crt"
>         domain full chain certificate "/etc/ssl/src.domain.io.fullchain.pem"
>         sign with letsencrypt
> }
>
> # OLD httpd.conf
> server "src.domain.io" {
>         listen on * tls port 443
>
>         tls {
>                 certificate "/etc/ssl/src.domain.io.fullchain.pem"
>                 key "/etc/ssl/private/src.domain.io.key"
>         }
>
>         location "/.well-known/acme-challenge/*" {
>                 root "/acme"
>                 request strip 2
>         }
>
>         location "/*" {
>                 fastcgi socket tcp 127.0.0.1 3000
>         }
> }
>
> server "src.domain.io" {
>         listen on * port 80
>
>         location "/.well-known/acme-challenge/*" {
>                 root "/acme"
>                 request strip 2
>         }
>         location * {
>                 block return 302 "https://$HTTP_HOST$REQUEST_URI";
>         }
> }
>
>
> That httpd.conf was my old httpd-only-no-relayd working config.
> Now that I have relayd up and running, reading your replies made me think
> I could do the following:
>
> # cd /etc/ssl
> # mv src.domain.io.crt src.domain.io.notfullchain.crt
> # mv src.domain.io.fullchain.pem src.domain.io.crt
>
> This does not appear to disrupt the browser pointing to src.domain.io.
> However, "git clone" and "curl" still return the error: SSL certificate
> problem: unable to get local issuer certificate.
>
>
> Many Thanks.
>
>
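A check for the situation described in this thread, added here as an example and not taken from the thread or from OpenBSD's own tools: the file relayd loads is /etc/ssl/<name>.crt, and acme-client's "domain certificate" writes only the leaf there, so the "unable to get local issuer certificate" error from curl and git means the relay handed out no intermediate. The functions below count the certificates in the PEM file relayd will read, confirm the leaf in the full chain file is the same one as in the standalone leaf file (so a rename did not mix up two issuances), and probe a running relay with openssl s_client. The host name, paths and PEM bodies are constructed for the demonstration; they are not real certificates.

```shell
#!/bin/sh
# Added example: classify the certificate file relayd loads and verify
# the chain a live relayd serves. Sample PEM text below is constructed.
set -eu

# Number of certificates in a PEM file. acme-client's "domain certificate"
# output holds 1 (leaf only); "domain full chain certificate" output holds
# 2 or more (leaf followed by the intermediate(s)).
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Classify the file relayd will pick up, e.g. /etc/ssl/src.domain.io.crt.
classify_relayd_cert() {
    n=$(pem_cert_count "$1")
    if [ "$n" -ge 2 ]; then
        echo fullchain
    elif [ "$n" -eq 1 ]; then
        echo leaf-only
    else
        echo no-certificate
    fi
}

# First certificate block of a PEM file (the leaf).
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# True when the leaf in the full chain file is the leaf in the leaf file.
leaf_matches() {
    [ "$(first_cert "$1")" = "$(first_cert "$2")" ]
}

# Certificates a live TLS endpoint presents; 1 means leaf only, which is
# what produces "unable to get local issuer certificate" in curl/git.
# Needs network access, so it is not called in the demo below.
served_cert_count() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Constructed sample files standing in for acme-client's output.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
leaf='-----BEGIN CERTIFICATE-----
TEVBRiAoY29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRlKQ==
-----END CERTIFICATE-----'
intermediate='-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFIChjb25zdHJ1Y3RlZCBzYW1wbGUsIG5vdCByZWFsKQ==
-----END CERTIFICATE-----'
printf '%s\n' "$leaf" > "$SAMPLES/src.domain.io.crt"
printf '%s\n%s\n' "$leaf" "$intermediate" > "$SAMPLES/src.domain.io.fullchain.pem"

echo "src.domain.io.crt:           $(classify_relayd_cert "$SAMPLES/src.domain.io.crt")"
echo "src.domain.io.fullchain.pem: $(classify_relayd_cert "$SAMPLES/src.domain.io.fullchain.pem")"
# On a real host, e.g.: served_cert_count src.domain.io
```

On a live box the same check is `served_cert_count src.domain.io` (or `curl -v https://src.domain.io/` and reading the handshake), after `rcctl restart relayd` so the relay re-reads /etc/ssl. One caveat the thread's rename does not cover: acme-client rewrites the "domain certificate" file on the next renewal, which would put a leaf-only file back at /etc/ssl/src.domain.io.crt. Pointing "domain full chain certificate" at that path instead, and dropping "domain certificate" (acme-client.conf(5)'s own example configures only a full chain file), keeps the file relayd loads a full chain across renewals.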
