Re: DNF and https

On Sun, 2016-04-10 at 18:59 +0100, Russel Winder wrote:
> On Sun, 2016-04-10 at 11:35 -0400, Igor Gnatenko wrote:
> > 
> > Can you try this?
> > 
> > SSLCertificateFile    /etc/letsencrypt/live/www.russel.org.uk/cert.pem
> > SSLCertificateKeyFile /etc/letsencrypt/live/www.russel.org.uk/privkey.pem
> > SSLCertificateChainFile /etc/letsencrypt/live/www.russel.org.uk/fullchain.pem

> Well that made a huge difference. Does this mean I just missed this
> third line?

What would actually be 'most correct' is just:

SSLCertificateFile /etc/letsencrypt/live/www.russel.org.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.russel.org.uk/privkey.pem

What the server should make available (in current standard practice) is
the full chain of certificates from the CA to its own certificate.
Apache since 2.4.8 lets you do this simply by specifying
SSLCertificateFile as a single chain file containing all those
certificates - which is what letsencrypt's 'fullchain.pem' is.

In older Apaches you could only specify a full chain as
SSLCertificateChainFile (and I believe you had to specify the server
cert as SSLCertificateFile and the chain from issuing CA to root CA as
SSLCertificateChainFile), but from 2.4.8 onwards you can just provide
the entire chain as SSLCertificateFile and this technically obsoletes
the use of SSLCertificateChainFile, though for now Apache will still
accept it.

See https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile .
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
--
test mailing list
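
Added example, not part of the original message or of Apache: a small Python check that classifies the three certificate layouts discussed in this thread by counting the PEM certificates behind `SSLCertificateFile` and comparing against the 2.4.8 cutoff. The function names, finding codes, `example.org` paths and placeholder PEM bodies are assumptions made for illustration; it handles one certificate per config and does not validate the chain itself.

```python
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
DIRECTIVE = re.compile(
    r"^[ \t]*(SSLCertificateFile|SSLCertificateChainFile)[ \t]+(\S+)",
    re.M | re.I)


def count_certs(pem_text):
    """Number of certificates in a PEM bundle (leaf plus any intermediates)."""
    return len(PEM_BLOCK.findall(pem_text))


def audit(conf_text, read_pem, httpd_version):
    """Finding codes (hypothetical) for one setup; read_pem(path) -> PEM text."""
    paths = {k.lower(): v for k, v in DIRECTIVE.findall(conf_text)}
    cert = paths.get("sslcertificatefile")
    chain = paths.get("sslcertificatechainfile")
    if cert is None:
        return ["no-certificate-file"]
    bundled = count_certs(read_pem(cert)) > 1
    reads_bundle = httpd_version >= (2, 4, 8)
    findings = []
    if chain and reads_bundle:
        findings.append("chainfile-obsolete")  # still accepted, not needed
    if bundled and not reads_bundle and not chain:
        findings.append("bundle-needs-chainfile")  # old httpd: separate chain
    if not bundled and not chain:
        findings.append("intermediates-not-served")  # clients get leaf only
    return findings


# Constructed sample data: placeholder PEM bodies and example.org paths.
BLOCK = ("-----BEGIN CERTIFICATE-----\nconstructed-placeholder\n"
         "-----END CERTIFICATE-----\n")
LIVE = "/etc/letsencrypt/live/example.org/"
FILES = {LIVE + "cert.pem": BLOCK, LIVE + "fullchain.pem": BLOCK * 2}
KEY = f"SSLCertificateKeyFile {LIVE}privkey.pem\n"
LEAF_ONLY = f"SSLCertificateFile {LIVE}cert.pem\n" + KEY
WITH_CHAINFILE = LEAF_ONLY + f"SSLCertificateChainFile {LIVE}fullchain.pem\n"
FULLCHAIN = f"SSLCertificateFile {LIVE}fullchain.pem\n" + KEY

if __name__ == "__main__":
    for name, conf in [("leaf only", LEAF_ONLY),
                       ("cert + chain file", WITH_CHAINFILE),
                       ("fullchain only", FULLCHAIN)]:
        print(name, audit(conf, FILES.__getitem__, (2, 4, 18)))
```

To run it against a real host, pass a `read_pem` that opens the file from disk and the version tuple reported by the installed httpd.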