Self solved.
On 02.04.2021 14:02, openbsd@crw.name wrote:
> Hello, I need some help to configure my acme-client the right way.
>
> Obtaining certificates itself works using OpenBSD -current #434 from April
> 1st.
>
> I have a CAA record
>
> $ dig -t CAA our.bio-planet.earth +short
> 0 issue "letsencrypt.org"
>
> The configuration for httpd.conf and relayd.conf is taken from honk
> https://cvsweb.openbsd.org/ports/www/honk/pkg/README?rev=1.4&content-type=text/x-cvsweb-markup
>
> The acme-client.conf is taken from /etc/examples/ and the settings for
> the domain are
>
> $ tail -f /etc/acme-client.conf
> domain our.bio-planet.earth {
> domain key "/etc/ssl/private/our.bio-planet.earth.key"
> domain certificate "/etc/ssl/our.bio-planet.earth.crt"
> domain full chain certificate "/etc/ssl/our.bio-planet.earth.fullchain.pem"
> sign with letsencrypt
> }
>
> The FQHN equals the domain and I don't want to use other / sub
> domains. The .crt file is required for the tls keypair part in
> relayd.conf.
>
> If I try to verify the certificate using
>
> $ openssl verify our.bio.planet.earth.fullchain.pem
> CN = our.bio-planet.earth
> error 21 at 0 depth lookup:unable to verify the first certificate
> CN = our.bio-planet.earth
> error 21 at 0 depth lookup:unable to verify the first certificate
> /etc/ssl/our.bio-planet.earth.fullchain.pem: verification failed: 21
> (unable to verify the first certificate)
>
> On the other hand
>
> $ openssl verify /etc/ssl/cert.pem
> cert.pem: OK
>
> How can I fix this, as it did not work when I tried to use the certs, for
> example for prosody?
>
> Thanks and regards,
>
>
> Christoph