Stuart Henderson wrote:

> 
> You need the chain certificate as well, otherwise it will fail for
> some clients.
> 
> Most gui browsers will work because they either can use a cached
> intermediate from verifying some other cert, or because they go
> off to the AIA URL in the cert to fetch it, but most other clients
> don't so this.
> 
> https://incomplete-chain.badssl.com/

The issue is that relayd only accepts certificate names in a manner of templating (under the protocol section), and will by default first attempt to append a colon and port number to the name in addition to the extension, because certs are applied to the individual relays.

Honestly using colons in filenames is something I've always avoided as they are disallowed in certain other filesystems (notably Windows and Macintosh) so you could run into problems transferring certs to/from these other systems. Even if it is permitted on FFS2. The colon is especially problematic on Apple systems as it has special meaning and will be translated to a / in the GUI despite remaining : in the shell.

The intent was to get acme-client to cooperate better with relayd out of the box, even if the inflexibility belongs to relayd.