Hi Ernie,

> the required certificate seems to get created if you go to the vsite and
> renew the Letsencrypt certificate. But it wasn't there previously.
>
> The nginx_cert_ca_combined certificate must be something you have added more
> recently.
>
> If I search the server for nginx_cert_ca_combined no sites have one.
> So I am going through each site that runs Letsencrypt and renewing the
> certificate to create the locate nginx_cert_ca_combined

This was actually added way back when 5209R got "Nginx as SSL-Proxy" functionality. 5210R had that from the start.

Apache has three parameters for SSL certificates:

- One for the key
- One for the cert
- One for the CA Certs

Nginx and Postfix only have two parameters:

- One for the key
- One for the cert and whatever CA's that are required

Our SSL management still created the three files separately. I extended that to also create a new file called "nginx_cert_ca_combined", which holds the Cert and the CA's.

When Nginx is enabled, it'll use the same "key"-file that Apache uses and also the "nginx_cert_ca_combined". Postfix in the same way uses the "key" from the cert directory and the "nginx_cert_ca_combined" as well.

Generally every cert request or LE renewal will create all four files in one go.

You perhaps didn't have them yet, because you Easy-Migrated Vsites over to 5210R from either a 5207R/5208R, or from a 5209R that didn't have the Nginx related YUM updates installed after before any of these Cert files were generated first time around.

That's actually a scenario I didn't think of, so it's good to know. I'll publish a small update so that this mechanism doesn't try to reference nginx_cert_ca_combined files that aren't present in the first place.

--
With best regards

Michael Stauber

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
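
A check-and-rebuild sketch for the situation in this thread, added here as an example and not BlueOnyx's own code: it lists cert directories that lack `nginx_cert_ca_combined` and builds the file with the server cert first, then the CA certs. The file names `certificate` and `ca-certs` and the directory root passed in are assumptions; only `key` and `nginx_cert_ca_combined` are named in the thread.

```shell
# Added example. "certificate" and "ca-certs" are ASSUMED file names;
# only "key" and "nginx_cert_ca_combined" appear in the thread.
COMBINED=nginx_cert_ca_combined

# Print every cert directory under $1 that has a cert but no usable combined file.
find_missing_combined() {
    find "$1" -type f -name certificate 2>/dev/null | sort | while read -r crt; do
        dir=$(dirname "$crt")
        [ -s "$dir/$COMBINED" ] || printf '%s\n' "$dir"
    done
}

# Build the combined file in directory $1: server cert first, then the CA certs,
# which is the order Nginx expects in its single certificate file.
build_combined() {
    dir=$1
    [ -s "$dir/certificate" ] || { echo "no certificate in $dir" >&2; return 1; }
    # Write to a temp file in the same directory so the final rename is atomic.
    tmp=$(mktemp "$dir/.$COMBINED.XXXXXX") || return 1
    for f in "$dir/certificate" "$dir/ca-certs"; do
        [ -s "$f" ] || continue      # no CA file (e.g. self-signed): cert only
        cat "$f" >> "$tmp"
        # A missing final newline would glue two PEM blocks onto one line
        # and make the file unparseable, so add one when needed.
        [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$tmp"
    done
    mv "$tmp" "$dir/$COMBINED"
}
```

`mktemp` leaves the new file readable by its owner only; adjust ownership and mode to match the other files in the cert directory if a non-root service reads it.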