
From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: acme-client.conf(5): make example relayd(8)-friendly
To: Adriano Barbosa <barbosa.aob@gmail.com>
Cc: Lloyd <ng2d68@proton.me>, "tech@openbsd.org" <tech@openbsd.org>
Date: Mon, 28 Jul 2025 14:38:22 +0100

On 2025/07/28 07:58, Adriano Barbosa wrote:
> On Sun, Jul 27, 2025 at 09:27:58PM +0000, Lloyd wrote:
> > +	domain full chain certificate "/etc/ssl/example.com.crt"
> >  	# Test with the staging server to avoid aggressive rate-limiting.
> >  	#sign with letsencrypt-staging
> >  	sign with letsencrypt
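Review bot: only the `+` line and its three context lines of this hunk are quoted, so the `-` line it replaces (presumably the `domain full chain certificate "/etc/ssl/example.com.fullchain.pem"` line that the other hunk still shows) is not visible and the rename cannot be reviewed as a whole; please post the complete hunk with its `@@` header. The `+` line does keep the full chain, which is the right choice for a file a server will load, but the new name `example.com.crt` no longer says that the file holds intermediates as `example.com.fullchain.pem` did; a one-line comment above it, e.g. `# full chain (leaf plus intermediates), the file to point relayd(8) at`, would stop a reader from assuming it is a leaf-only certificate.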
> > 
> 
> Or just add the desired certificate:

> --- acme-client.conf.orig	Mon Jul 28 07:51:23 2025
> +++ acme-client.conf	Mon Jul 28 07:52:01 2025
> @@ -27,6 +27,7 @@
>  	alternative names { secure.example.com }
>  	domain key "/etc/ssl/private/example.com.key"
>  	domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
> +	domain certificate "/etc/ssl/example.com.crt"
>  	# Test with the staging server to avoid aggressive rate-limiting.
>  	#sign with letsencrypt-staging
>  	sign with letsencrypt
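Review bot: the added `domain certificate "/etc/ssl/example.com.crt"` line writes only the leaf certificate, so a server pointed at that `.crt` file (the relayd(8) case the subject is about) presents no intermediate, and any client that does not fetch the AIA URL or have the intermediate cached fails verification; this is exactly the failure Stuart describes below. If a `.crt` path is wanted for relayd(8), write the chain there instead, e.g. `domain full chain certificate "/etc/ssl/example.com.crt"`, or keep the hunk's existing `example.com.fullchain.pem` line and point relayd(8) at that file; adding a second, leaf-only output beside the full chain only invites the wrong one to be chosen.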

You need the chain certificate as well, otherwise it will fail for
some clients.

Most GUI browsers will work because they either can use a cached
intermediate from verifying some other cert, or because they go
off to the AIA URL in the cert to fetch it, but most other clients
don't do this.

https://incomplete-chain.badssl.com/
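The failure Stuart describes (a leaf-only file that browsers accept but strict clients reject) can be caught on the host before relayd(8) or httpd(8) is pointed at the file. The script below is an added example, not code from this thread or from acme-client(1): it counts the PEM certificate blocks in the file and then verifies the leaf using only the intermediates that follow it in the same file plus the system trust store, never fetching the AIA URL, which is how a non-browser client behaves. It assumes a POSIX sh with awk, grep, mktemp and openssl(1); the file names in the usage line are illustrative, and the sample files it can build are constructed filler, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread or acme-client(1)): check that the file a
# server will load carries the full chain, so an incomplete chain is caught
# here rather than by a client that does not fetch intermediates.
# Assumes POSIX sh, awk, grep, mktemp and openssl(1).

# Number of PEM certificate blocks in a file. The file written by
# "domain certificate" holds exactly 1 (the leaf); a "full chain certificate"
# file holds 2 or more. Prints 0 for a missing or empty file.
pem_cert_count() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null || true)
    printf '%s\n' "${n:-0}"
}

# Verify the first block (the leaf) using only the intermediates that follow
# it in the same file and the system trust store, without any AIA fetching,
# i.e. the way a strict non-browser client sees the connection.
# Returns 0 when the file is sufficient on its own, 1 otherwise.
chain_is_complete() {
    f=$1
    [ "$(pem_cert_count "$f")" -ge 2 ] || return 1
    leaf=$(mktemp) || return 1
    rest=$(mktemp) || return 1
    # Split the bundle: first PEM block to $leaf, every later block to $rest.
    awk -v leaf="$leaf" -v rest="$rest" '
        /^-----BEGIN CERTIFICATE-----$/ { i++ }
        i == 1 { print > leaf; next }
        i > 1  { print > rest }' "$f"
    if openssl verify -untrusted "$rest" "$leaf" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$leaf" "$rest"
    return $rc
}

# Constructed samples (not real certificates): the base64 body is filler, so
# only pem_cert_count is meaningful on them; openssl would reject them.
make_leaf_only_sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgU0FNUExF' \
        '-----END CERTIFICATE-----' > "$1"
}
make_chain_sample() {
    make_leaf_only_sample "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgSU5URVJNRURJQVRF' \
        '-----END CERTIFICATE-----' >> "$1"
}

# Report on each file given; returns non-zero if any file lacks a usable chain.
check_files() {
    status=0
    for f in "$@"; do
        if chain_is_complete "$f"; then
            printf '%s: ok (%s certificates)\n' "$f" "$(pem_cert_count "$f")"
        else
            printf '%s: INCOMPLETE (%s certificates)\n' "$f" "$(pem_cert_count "$f")"
            status=1
        fi
    done
    return $status
}

# Usage: sh chaincheck.sh /etc/ssl/example.com.crt /etc/ssl/example.com.fullchain.pem
if [ $# -gt 0 ]; then
    check_files "$@"
fi
```

Run it against whatever path the `relayd.conf` or `httpd.conf` actually names, not against the file you think it names. A file produced by the `domain certificate` line in the second hunk reports INCOMPLETE with 1 certificate; the `fullchain.pem` file reports ok. One caveat: a chain issued by `letsencrypt-staging` is also reported INCOMPLETE, because the staging root is not in the system trust store; that is the check behaving like a real client, not a bug in the file.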