Hello, I need some help to configure my acme-client the right way.
Obtaining certificates itself works using OpenBSD -current #434 from April
1st.
I have a CAA record
$ dig -t CAA our.bio-planet.earth +short
0 issue "letsencrypt.org"
The configuration for httpd.conf and relayd.conf is taken from honk
https://cvsweb.openbsd.org/ports/www/honk/pkg/README?rev=1.4&content-type=text/x-cvsweb-markup
The acme-client.conf is taken from /etc/examples/ and the settings for
the domain are
$ tail -f /etc/acme-client.conf
domain our.bio-planet.earth {
	domain key "/etc/ssl/private/our.bio-planet.earth.key"
	domain certificate "/etc/ssl/our.bio-planet.earth.crt"
	domain full chain certificate "/etc/ssl/our.bio-planet.earth.fullchain.pem"
	sign with letsencrypt
}
The FQHN equals the domain and I don't want to use other / sub domains.
The .crt file is required for the tls keypair part in relayd.conf.
If I try to verify the certificate using
$ openssl verify our.bio.planet.earth.fullchain.pem
CN = our.bio-planet.earth
error 21 at 0 depth lookup:unable to verify the first certificate
CN = our.bio-planet.earth
error 21 at 0 depth lookup:unable to verify the first certificate
/etc/ssl/our.bio-planet.earth.fullchain.pem: verification failed: 21 (unable to verify the first certificate)
On the other hand
$ openssl verify /etc/ssl/cert.pem
cert.pem: OK
How can I fix this, as it did not work when I tried to use the certs,
for example for prosody?
Thanks and regards,
Christoph