Can't upload Lets Encrypt certificate

[SviridoffA]

Hi! Please help me someone! I'm tryin to set up https acces to systemvm's. I have enabled all necessary options in global setings. I have registered lets encrypt certificate, and have 3 files:
cert1.pem
chain1.pem
privkey1.pem
So I'm trying to upload it by UI, Infrastructure - SSL certificates. But it's fails with "Failed to pass certificate validation check"
I'm pasting chain1 into Root certificate form (where is only one cert, so i decided its a root ca cert). And cert1 into server certificate form, privkey1 into private certificate form. But i'm unable to validate it. Maybe someone can tel me what i must to do, to prepare this certs for cloudstack. Any help appreciated.

[weizhouapache]

@SviridoffA
you can find the root CA at https://letsencrypt.org/certificates/

[SviridoffA]

Hi @weizhouapache ! Thanks for you fo you reply. I have already trying certs from this link. I have tryed using isrg-root-x1 for root certificate and E6 as intermidiate, but no luck for this time. I have tryed many combinations before create this disscusion, its allways no validation unfortunaly :(

[weizhouapache]

Hi @weizhouapache ! Thanks for you fo you reply. I have already trying certs from this link. I have tryed using isrg-root-x1 for root certificate and E6 as intermidiate, but no luck for this time. I have tryed many combinations before create this disscusion, its allways no validation unfortunaly :(

have you tried

• x1 as root ca
• chain1.pem as intermediate
• cert1.pem as server cert
• privkey1.pem as private key

[SviridoffA]

Yes, I have tried this. E6 it's exactly like my chain1.pem. I have tried another commercial certificate, and this certificate pass validation. But this certificate not wildcard. Lets encrypt certificate working fine on managment server, where is reverse proxy. And on another web server where is nginx.

[SviridoffA]

I have create another free certificate, by sslforweb service. This service use Lets Encrypt too. And this cert pass validation in cloudstack. Private key of this certificate longer than cert created by certbot. Looks like certbot with default setting, creates certificate not acceptable for Cloudstack. So we need to create cert with some argument like "--nginx" maybe. For now all works fine. Anyway, @weizhouapache thank you for you help!!

[weizhouapache]

I have create another free certificate, by sslforweb service. This service use Lets Encrypt too. And this cert pass validation in cloudstack. Private key of this certificate longer than cert created by certbot. Looks like certbot with default setting, creates certificate not acceptable for Cloudstack. So we need to create cert with some argument like "--nginx" maybe. For now all works fine. Anyway, @weizhouapache thank you for you help!!

thanks @SviridoffA for the sharing

closing

[kapsch-gtanya]

This is due to newer version of certbot use ECDSA algorithms. You can add the parameter --key-type rsa in your certbot command.

[SviridoffA]

Thanks for sharing. I decided not to figure out which parameter was needed since everything worked with a different certificate format. But I’m sure this is very useful information for the future.