simp_le
Fails when renewing self-signed cert
I create a self-signed cert to let nginx start:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out fullchain.pem -days 365 -nodes -subj "/CN=example.com"
simp_le fails with the following message:
Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1.
Hi.
simp_le was never ever designed to work with a self-signed cert.
Just ignore it if it's not valid. I can't start the web server without a cert, and I can't issue a cert without a web server.
I can't imagine a self-signed cert would actually work for bootstrapping anyway -- I would expect the ACME server to complain and refuse to connect.
It doesn't care. I've used this approach since letsencrypt was introduced.
As a workaround I've added rm -v fullchain.pem before the first simp_le run and everything worked as expected.
I suppose I don't have an objection to simp_le just issuing a warning in this case. I'd be willing to accept a patch that changed the behavior.
I think the issue here might be that simp_le expects the certificate and the intermediate in fullchain.pem (the two PEM encoded messages it alludes to).
It doesn't care.
I confirm that, ACME does not validate certificates to avoid being locked with an expired one that can't be renewed.
@hryamzik could you try replacing -out fullchain.pem with -out cert.pem in your openssl command?
It's just the filename. And if I point nginx to cert.pem it won't get a full chain when the letsencrypt cert is generated.
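A pre-flight check for the rm workaround and the two-PEM-messages explanation above, as an added example that is not simp_le's own code: it repeats the client's count of PEM messages and, for a lone certificate, tells the self-signed nginx placeholder (issuer byte-identical to subject) apart from a CA-issued cert, so only the placeholder is ever removed before the first run. The minimal DER walker and the constructed_cert fixture are written here for the example; the fixture is an unsigned, constructed certificate, not a real one.

```python
import base64
import re

def pem_certs(text):
    """DER bytes of every CERTIFICATE block in a PEM file (the messages simp_le counts)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def _tlv(der, pos):
    """Decode one DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def is_self_signed(der):
    """True when the issuer Name is byte-identical to the subject Name."""
    _, pos, end = _tlv(der, _tlv(der, 0)[1])     # Certificate -> tbsCertificate body
    fields = []                                  # (tag, element_start, element_end)
    while pos < end:
        tag, _, elem_end = _tlv(der, pos)
        fields.append((tag, pos, elem_end))
        pos = elem_end
    skip = 1 if fields[0][0] == 0xA0 else 0      # optional [0] EXPLICIT version
    issuer, subject = fields[2 + skip], fields[4 + skip]  # serial, sigAlg, issuer, validity, subject
    return der[issuer[1]:issuer[2]] == der[subject[1]:subject[2]]

def bootstrap_action(pem_text):
    """'ok': chain present, leave it; 'remove': lone self-signed placeholder, safe to
    delete before the first simp_le run; 'keep': lone CA-issued cert; 'absent': none."""
    certs = pem_certs(pem_text)
    if len(certs) != 1:
        return "ok" if certs else "absent"
    return "remove" if is_self_signed(certs[0]) else "keep"

def _der(tag, body):
    n = len(body)   # DER TLV encoder; bodies in the fixture stay below 256 bytes
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def constructed_cert(issuer_cn, subject_cn):
    """Constructed, unsigned X.509 v3 fixture for exercising the checks above; not a real cert."""
    def name(cn):   # Name = SEQ { SET { SEQ { id-at-commonName, UTF8String cn } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + b"\x05\x00")  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"240101000000Z") * 2)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name(issuer_cn)
               + validity + name(subject_cn) + _der(0x30, alg + _der(0x03, b"\x00" * 9)))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))   # dummy signature, never verified
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

Run bootstrap_action on the contents of fullchain.pem before invoking simp_le and delete the file only on "remove"; a real chain ("ok") is what simp_le needs to decide whether renewal is due.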