Let's Encrypts fullchain.pem certificate in the API

mlnorth

In Openldap it seems that the fullchain.pem is required in olcTLSCertificateFile. However in the API I can't find that that type of certificate can be downloaded. I've tested with all the types in the API but it's only fullchain.pem that works.
Is it possible to implement so that that type of certificate can be downloaded in the API?

gregtwallace

The default certificate includes the chain:
https://www.certwarden.com/docs/using_certificates/api_calls/#get-certificate

Returns the pem formatted certificate, including its certificate chain.

mlnorth

gregtwallace
You are correct. It seems that the problem was in the olcTLSCACertificateFile. I used certchain.pem there but then it couldn't find the issuer certificate according to the error message below.

TLS certificate verification: Error, unable to get local issuer certificate
2025-01-09T07:06:45.657759058Z 677f7585.27329895 0x7f03de43e700 TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate).

I then used the ca-certificates.crt that I found in the system there instead and then it started to work. That file contains the necessary CA issuer certificate.

gregtwallace

Great! Let's Encrypt does not include the root cert in their chains. This seems to be common since the root cert is already on the client machine.

However, if you need it for some reason, Google's ACME CA seems to issue with the root cert in the chain (at least the last time I checked).