SSL Create Certificate Chain?

I've read the instructions here https://www.inductiveautomation.com/resources/article/lets-encrypt-guide-for-ignition
I ended up using https://www.win-acme.com/ (I'm on Windows) but I can't figure out how to create the root CA certificate from what is generated by Let's Encrypt.
Specifically the part that says:

As of the time of this writing, Let’s Encrypt is using DST Root CA X3 as the root CA cert. Copy its contents to a .pem file in a well-known location on your server and let’s reference it as $ROOT_CA_CERT in this document.

Would anyone be able to give some help on this? Thanks!

Concatenate the PEM files. In signing order (root last).

Thanks. So I figured out that I can download the root (missed that before) from here:
https://www.identrust.com/dst-root-ca-x3

But when I concatenate the pem files (with that root one at the bottom) it gives the error: A duplicate certificate was detected

If I just concatenate the chain-only with the root it gives the error: Unable to verify the certificate chain of trust

Am I using the wrong root file?

Try just the root file in that last box. You might only have a three-level complete chain. Or otherwise exclude what you put in the other boxes.

1 Like

Ah, a few things were wrong on my end. I needed to specify Acme.PreferredIssuer to be “ISRG Root X1” in settings.json for WIN-ACME and download that X1 pem from https://letsencrypt.org/certificates/ and then yes, I just needed the root in that last box, nothing concatenated. Thanks for your help!

1 Like