Let's Encrypt is a new CA (Certificate Authority), so its signing certificate is not yet installed very widely. This means that many machines do not know that it is to be trusted.
To cure this, the Let's Encrypt certificate is cross-signed by IdenTrust, whose certificate is widely trusted.
So: Let's Encrypt's IdenTrust-signed certificate must be given to the connecting client (eg a web browser) along with the Let's Encrypt-signed certificate that is issued to you. This is called certificate chaining.
Long term, the Let's Encrypt certificate will become widely trusted in its own right.
Apache is easy: the directive SSLCertificateChainFile is used, see here.
Many other programs do not have a directive like SSLCertificateChainFile.
For these, the chain certificate should be put after the Let's Encrypt-signed certificate (ie your certificate) in the same file.
These scripts create such a file for you; it has -chained as part of the name.
Eg: SignedCertificates/phcl-chained.crt
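As an added example (not one of the tutorial's own scripts), a small POSIX shell script that builds such a chained file in the right order and checks it; the intermediate file name lets-encrypt-intermediate.pem and the paths in the usage lines are assumptions:

```shell
#!/bin/sh
# Added example, not one of the tutorial's own scripts.
# Builds a "-chained" file: your Let's Encrypt-signed certificate first,
# then the cross-signed intermediate, and checks the result.

# make_chained LEAF INTERMEDIATE OUT
# Writes LEAF followed by INTERMEDIATE to OUT, one PEM block after the other.
make_chained() {
    leaf=$1
    intermediate=$2
    out=$3
    # Order matters: the server certificate comes first, the intermediate after it.
    # 'awk 1' copies each file and guarantees a trailing newline, so an input
    # file without one cannot glue "-----END CERTIFICATE-----" onto the next
    # "-----BEGIN CERTIFICATE-----" and make the chain unparsable.
    for f in "$leaf" "$intermediate"; do
        awk 1 "$f"
    done > "$out"
}

# count_certs FILE: number of PEM certificate blocks in FILE (expect 2 here).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# chain_order_ok CHAINED LEAF: succeeds only if CHAINED starts with LEAF,
# i.e. the client will see your certificate before the intermediate.
chain_order_ok() {
    leaf_lines=$(awk 'END { print NR }' "$2")
    [ "$(head -n "$leaf_lines" "$1")" = "$(awk 1 "$2")" ]
}

# verify_chain CHAINED: lets openssl validate the first certificate using the
# remaining blocks in the file as untrusted intermediates. Requires openssl
# and the IdenTrust root in the system trust store; exits non-zero on failure.
verify_chain() {
    openssl x509 -in "$1" | openssl verify -untrusted "$1"
}

# Usage (paths are assumptions; the intermediate file name is whatever you
# saved the cross-signed Let's Encrypt certificate as):
#   make_chained SignedCertificates/phcl.crt lets-encrypt-intermediate.pem \
#       SignedCertificates/phcl-chained.crt
#   verify_chain SignedCertificates/phcl-chained.crt
```

The order check matters because a client only validates the first certificate in the file as the server's certificate; a chained file with the intermediate first fails in exactly the way an unchained one does.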