There is no reason to concatenate the Root CA certificate to your certificate chain, as the client is supposed to already know and trust this root. If it doesn't know it, it has nothing else to chain up to anyway.Usually, I get my certificate using:and after concatenating it to my chain.pem and running:Code:
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
Your chain should only contain your leaf certificate and any intermediate(s) chaining up to a trusted root, not the root itself.
(A cross-signed root may be an exception, but that's really just another intermediate, signed by an older root trusted by the client.)
Statistics: Posted by ghen — Thu Feb 06, 2025 9:57 am