diff --git a/docs/using.rst b/docs/using.rst index 4604fd78f..d18d118cf 100644 --- a/docs/using.rst +++ b/docs/using.rst 
@@ -587,43 +587,41 @@ The following files are available: This is what Apache needs for `SSLCertificateKeyFile `_, - and nginx for `ssl_certificate_key + and Nginx for `ssl_certificate_key `_. -``cert.pem`` - Server certificate only. - - This is what Apache < 2.4.8 needs for `SSLCertificateFile - `_. - -``chain.pem`` - All certificates that need to be served by the browser **excluding** - server certificate, i.e. root and intermediate certificates only. - - This is what Apache < 2.4.8 needs for `SSLCertificateChainFile - `_, - and what nginx >= 1.3.7 needs for `ssl_trusted_certificate - `_. - ``fullchain.pem`` - All certificates, **including** server certificate. This is - concatenation of ``cert.pem`` and ``chain.pem``. + All certificates, **including** server certificate (aka leaf certificate or + end-entity certificate). The server certificate is the first one in this file, + followed by any intermediates. This is what Apache >= 2.4.8 needs for `SSLCertificateFile `_, - and what nginx needs for `ssl_certificate + and what Nginx needs for `ssl_certificate `_. +``cert.pem`` and ``chain.pem`` (less common) + ``cert.pem`` contains the server certificate by itself, and + ``chain.pem`` contains the additional intermediate certificate or + certificates that web browsers will need in order to validate the + server certificate. If you provide one of these files to your web + server, you **must** provide both of them, or some browsers will show + "This Connection is Untrusted" errors for your site, `some of the time + `_. -For both chain files, all certificates are ordered from root (primary -certificate) towards leaf. + Apache < 2.4.8 needs these for `SSLCertificateFile + `_. + and `SSLCertificateChainFile + `_, + respectively. -Please note, that **you must use** either ``chain.pem`` or -``fullchain.pem``. In case of webservers, using only ``cert.pem``, -will cause nasty errors served through the browsers! 
+ If you're using OCSP stapling with Nginx >= 1.3.7, ``chain.pem`` should be + provided as the `ssl_trusted_certificate + `_ + to validate OCSP responses. -.. note:: All files are PEM-encoded (as the filename suffix - suggests). If you need other format, such as DER or PFX, then you +.. note:: All files are PEM-encoded. + If you need other format, such as DER or PFX, then you could convert using ``openssl``. You can automate that with ``--renew-hook`` if you're using automatic renewal_. @@ -653,14 +651,15 @@ By default, the following locations are searched: Getting help ============ -If you're having problems you can chat with us on `IRC (#certbot @ -OFTC) `_ or at -`IRC (#letsencrypt @ freenode) `_ -or get support on the Let's Encrypt `forums `_. +If you're having problems, we recommend posting on the Let's Encrypt +`Community Forum `_. + +You can also chat with us on IRC: `(#certbot @ +OFTC) `_ or +`(#letsencrypt @ freenode) `_. If you find a bug in the software, please do report it in our `issue -tracker -`_. Remember to +tracker `_. Remember to give us as much information as possible: - copy and paste exact command line used and the output (though mind
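Review bot: In the first hunk (@@ -587), the added ``cert.pem`` and ``chain.pem`` entry has a stray period after the ``SSLCertificateFile`` link: "needs these for `SSLCertificateFile `_. and `SSLCertificateChainFile `_, respectively." The period splits the sentence before "and" and should be dropped. Two smaller points in the same hunk: the patch removes the old statement on certificate ordering and restates the order only for ``fullchain.pem``, so the order inside ``chain.pem`` when there are several intermediates is no longer documented and deserves one sentence. Also, the rewritten note line still reads "If you need other format", which should become "another format" while the line is being touched.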
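Review bot: In the second hunk (@@ -653), the rewritten IRC sentence moves "IRC" out of the link text, so the two links now render as bare parenthesised strings, "(#certbot @ OFTC)" and "(#letsencrypt @ freenode)", with the parentheses inside the hyperlink. Put the parentheses outside the backticks or drop them, for example link text of the form "#certbot on OFTC", so the links read cleanly next to the "Community Forum" link added just above.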