Add folder to maker edition webserver

Hi, I am trying to get a free SSL cert for my Maker Edition. To validate that I own the domain, they want to access a txt file under http://my.domain.ext/.well-known/pki-validation/
My Ignition is installed on Debian, but I cannot find the correct folder to put it in. I have tried several places under the webserver directory, but it cannot be accessed.

Did you try to follow IA’s instructions for Let’s Encrypt?

No, didn't know there was one,
but in this case I am using zerossl.com.
Similar approach to Let's Encrypt.

I managed to get the CNAME verification going.
So I got my certificate.crt and ca_bundle.crt

But I get stuck on the last(?) step; I don't seem to have the 3rd file.

That suggests you need to move your intermediate to your CA. Or possibly your intermediate has multiple concatenated, with the CA in the group.

The problem in this case is that neither I nor zerossl has this intermediate, and I have never had to use a 3rd cert; I have previously only used the certificate itself and the ca_bundle cert.

How many certs are in your ca_bundle?

Have you tried leaving the intermediate empty? Have you tried pulling out the first cert in ca_bundle to be the intermediate, then supplying the remaining in ca_bundle as step 4?

Can't get past the intermediate, else I would have tried that at first.
Both the cert and the bundle only have one in each file.
Might as well go with Let's Encrypt if it works.

It's worse with Let's Encrypt. It asks for a 4th and 5th file, and the guide was not helpful at all; it left so much information out.

Might as well skip SSL then, because Ignition just keeps asking for more and more files that don't exist…

Can you let us take a look at the certs you’re trying to upload?

As long as you don’t upload the private keys it’s all safe to share.

Certs without priv; the forum doesn't allow the 7z extension, might want to add that :smiley:

certs.zip (7.9 KB)

Ok, so the problem here is exactly what Ignition is telling you: you’re missing the root CA.

It’s CN=DST Root CA X3,O=Digital Signature Trust Co., and it’s not included in any of those files.

I wonder if the problem has something to do with this

Probably, I'm reading around in the forum, but that seems solved

Well the problem you’re running into is the chain you have has the ISRG Root X1 certificate indicating it’s issued by DST Root CA X3, and you don’t have that cert in the chain, and the web UI is dutifully requesting that you upload the next cert.

I’m not sure what the right move here is… DST Root CA X3 is expired, so I’m not sure adding it will help or not. Maybe doing Let’s Encrypt via the web UI doesn’t work quite right at the moment.

I got the pem files via certbot on Debian, but it's probably the same that would come via the web interface of Let's Encrypt.

I took the root cert from the browser's storage, and the continue button became enabled,
but now I get this error

Do you have any exceptions in your gateway logs related to this error?

Probably because of this

Caused by: java.security.KeyStoreException: Certificate chain is not valid

Can you post the full stack trace? (Click the little + icon next to the error message in the logs.)

I tried to take the new ISRG X1 root cert from here, but I get a duplicate message