From: Stuart Henderson
Subject: Re: acme-client.conf(5): make example relayd(8)-friendly
To: Adriano Barbosa
Cc: Lloyd, "tech@openbsd.org"
Date: Mon, 28 Jul 2025 14:38:22 +0100

On 2025/07/28 07:58, Adriano Barbosa wrote:
> On Sun, Jul 27, 2025 at 09:27:58PM +0000, Lloyd wrote:
> > + domain full chain certificate "/etc/ssl/example.com.crt" > > # Test with the staging server to avoid aggressive rate-limiting. > > #sign with letsencrypt-staging > > sign with letsencrypt
> >
>
> Or just add the desired certificate:
> --- acme-client.conf.orig Mon Jul 28 07:51:23 2025 > +++ acme-client.conf Mon Jul 28 07:52:01 2025 > @@ -27,6 +27,7 @@ > alternative names { secure.example.com } > domain key "/etc/ssl/private/example.com.key" > domain full chain certificate "/etc/ssl/example.com.fullchain.pem" > + domain certificate "/etc/ssl/example.com.crt" > # Test with the staging server to avoid aggressive rate-limiting. > #sign with letsencrypt-staging > sign with letsencrypt

You need the chain certificate as well, otherwise it will fail for some
clients. Most gui browsers will work because they either can use a cached
intermediate from verifying some other cert, or because they go off to
the AIA URL in the cert to fetch it, but most other clients don't do this.

https://incomplete-chain.badssl.com/
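
Review bot: the added `domain certificate "/etc/ssl/example.com.crt"` line in the `@@ -27,6 +27,7 @@` hunk carries no comment saying which of the two certificate files a server should be pointed at, and it sits directly under `domain full chain certificate "/etc/ssl/example.com.fullchain.pem"`. A reader following the relayd(8)-friendly intent of the subject line is likely to load the `.crt`, which under the `domain certificate` keyword holds only the leaf certificate, so the server would present an incomplete chain. Suggest either a one-line comment above the addition stating that the `.crt` file contains no intermediates, or keeping the earlier quoted variant that writes the full chain to `/etc/ssl/example.com.crt`.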
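
The failure described in the reply above can be reproduced offline; this is an added example, not part of the original thread. It builds a constructed root, intermediate and leaf with openssl (all names and file locations are placeholders) and verifies each file the way a client does when it trusts only the root, has no cached intermediate and does no AIA fetching.

```shell
#!/bin/sh
# Constructed PKI: root -> intermediate -> leaf. All names are placeholders.
build_chain() {    # $1 = empty working directory
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = placeholder' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' > "$d/c.cnf"
    # Self-signed root: the only certificate the client trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/c.cnf" \
        -extensions ca -subj "/CN=Constructed Root" -days 2 \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/c.cnf" \
        -subj "/CN=Constructed Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/c.cnf" -extensions ca -days 2 \
        -out "$d/int.pem" 2>/dev/null || return 1
    # Leaf for example.com, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/c.cnf" \
        -subj "/CN=example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/example.com.crt" 2>/dev/null || return 1
    # Full chain file = leaf followed by the intermediate.
    cat "$d/example.com.crt" "$d/int.pem" > "$d/example.com.fullchain.pem"
}

# The first certificate in the presented file is the leaf; anything after it
# is offered as untrusted chain material. Only the root is trusted.
client_verifies() {    # $1 = working directory, $2 = file the server presents
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$2" 2>/dev/null |
        grep -q ': OK$'
}

demo() {
    d=$(mktemp -d) || return 1
    build_chain "$d" || { rm -rf "$d"; return 1; }
    for f in example.com.crt example.com.fullchain.pem; do
        if client_verifies "$d" "$d/$f"; then
            echo "$f: chain verifies"
        else
            echo "$f: incomplete chain, verification fails"
        fi
    done
    rm -rf "$d"
}
demo
```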