macOS 10.13.6, Server.app 5.6.3
I am using LetsEncrypt SSL certs. After updating a cert with certbot, I use openssl to export a PKCS12 file, then import that to the system keychain using “security” as follows:
    # cd /etc/letsencrypt/live/www.brazoslink.net
    # openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile fullchain.pem -out letsencrypt_sslcert.p12 -passout pass:(random passkey)
    # security import letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P (random passkey) -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
This all works, no errors, the updated cert appears in Server Admin just as it should, and any services/web sites using that cert are automatically updated to use the updated cert so I can delete the old version. All good.
However, the cert that gets created in /etc/certificates contains the self-signed “ISRG Root X1” cert, which was not contained in the original LE cert. When I run the SSL cert checks at ssllabs.com, it complains, “Incorrect order, Extra certs, Contains anchor” and gives me a “B” rating.
Can anyone explain what’s going on here, and how I can fix it?