Solved CERTBOT: fullchain.pem vs privkey.pem

banderas20

Hi!

I have used CERTBOT and successfully got the SSL certificates.

However, I don't understand the purpose and difference between these 2 files:

/etc/letsencrypt/live/domain.com/fullchain.pem
/etc/letsencrypt/live/domain.com/privkey.pem

What does each one do?

Thanks!
 


One is your local server privateKey.pem
The other is your pemKey to talk to the upstream Authentication/Validation servers that are "sponsoring" (verifying) your cert.
 
Hi,

As dos2unix said:
/etc/letsencrypt/live/domain.com/privkey.pem
is your private key. NEVER!!! share this file to the internet.

/etc/letsencrypt/live/domain.com/fullchain.pem
is your public information; this must be shared to the internet.

With Apache as an example, you use both files, but Apache does not provide
/etc/letsencrypt/live/domain.com/privkey.pem

to the internet; it uses this key only for decryption.
 
Hi!

Thanks for the reply. I have added the corresponding files to the directives:

Code:
SSLEngine on
SSLCertificateChainFile  /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile    /etc/letsencrypt/live/domain.com/privkey.pem
SSLCertificateFile       /etc/letsencrypt/live/domain.com/cert.pem

However, if I access https://myhomeIP, I still get a security warning from the browser, even if it says "Verified by Let's Encrypt".

If I go to the Apache2 logs, it says:

Code:
Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this

Where is my error and how can I make the website fully trusted?

Thanks!
 
Found the error. The certificate was issued to a domain. Hence the access by IP gave that warning.

Thanks!
 
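The two things this thread turns on, whether privkey.pem belongs to the certificate in fullchain.pem and which names that certificate is valid for, can be checked with openssl. The script below is an added example, not part of any post; it assumes a Linux host with openssl 1.1.1 or later and GNU stat, and the example.test certificate and the 203.0.113.10 address are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread). Sample names and addresses are constructed.

# True if the key in $2 belongs to the first (leaf) certificate in $1.
key_matches_cert() (
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || exit 2
  key_pub=$(openssl pkey -in "$2" -pubout) || exit 2
  [ "$cert_pub" = "$key_pub" ]
)

# True if the leaf certificate in $1 is valid for DNS name $2.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# True if the leaf certificate in $1 is valid for IP address $2.
cert_covers_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# True if group and others have no access to the key file.
# -L follows the symlinks certbot places in live/.
key_is_private() (
  mode=$(stat -L -c '%a' "$1") || exit 2
  case "$mode" in 0|*00) exit 0 ;; *) exit 1 ;; esac
)

# Constructed sample: a throwaway self-signed certificate for example.test,
# written as fullchain.pem and privkey.pem into directory $1.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
    -addext 'subjectAltName=DNS:example.test' \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null &&
  chmod 600 "$1/privkey.pem"
}

d=$(mktemp -d) && make_sample "$d"
key_matches_cert "$d/fullchain.pem" "$d/privkey.pem" && echo "key matches leaf certificate"
key_is_private   "$d/privkey.pem"                    && echo "key file is owner-only"
cert_covers_host "$d/fullchain.pem" example.test     && echo "valid for example.test"
cert_covers_ip   "$d/fullchain.pem" 203.0.113.10     || echo "NOT valid for 203.0.113.10"
```

On a real host, point the functions at the files under /etc/letsencrypt/live/domain.com/ instead of the generated sample.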