
I test my SSL setup using the SSL Labs test, which says that the certificate chain is incomplete (no other problems otherwise). That seems about right since I can't get Telegram webhooks to work (great explanation in the Telegram webhook guide).

As stated here, when setting up SSL certificates using Nginx, I need to get all certificates (including intermediate ones) in order. I'm using Let's Encrypt (letsencrypt.org/certificates) and I'm trying to figure out what the correct order of certificates would be.

I've tried concatenating `cat cert.pem lets-encrypt-r3.pem > bundle.pem` and using `bundle.pem` but no luck. Perhaps more intermediate certificates of the ones listed on letsencrypt.org/certificates should be included but it's unclear to me which ones and in what order.

I would be very grateful for any hints or pointers on where to read up more!

tsotsi

  • Instead of `cert.pem` use `fullchain.pem` which already includes all of the intermediate certificates and your certificate in the correct order. – Richard Smith Jan 15 '21 at 11:21
  • Thanks for the comment! That was the first thing I'd tried and got me *certificate chain is incomplete* on SSL Labs in the first place. Can you think of anything else I could double check? – tsotsi Jan 15 '21 at 11:24

1 Answer

With Certbot-generated certificates you don't need to concatenate anything. Use the following configuration:

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

Danila Vershinin