Intermediate certificate for acme-tiny

As mentioned in the article about acme-tiny, you need a script that renews your Let’s Encrypt certificate regularly. In this script you also download the Let’s Encrypt intermediate certificate that signed the certificate for your domain. Only if your web server serves the intermediate certificate together with your own certificate can a browser build the complete chain up to a root it trusts; some clients fetch a missing intermediate on their own, many simply fail the connection. If you do not serve the intermediate certificate, your rating at SSL Labs drops to “B”.

(Screenshot: SSL Labs rating when the intermediate certificate is missing)

Let’s Encrypt has since switched to a new intermediate certificate. Because of this, the download URL in the README of acme-tiny on GitHub had to be updated.

To avoid having to edit your script every time this URL changes, you can read it from the certificate for your domain itself: the “CA Issuers” entry of its Authority Information Access (AIA) extension points at the certificate of the CA that signed it. Your script could look like this:

```bash
#!/bin/bash
set -e                                   # stop at the first failing command, so a broken renewal never reaches nginx
WORK=/path/to/work                       # a private directory; do not use world-writable /tmp for key material and certificates
python /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /var/www/challenges/ > "$WORK/signed.crt"
# The "CA Issuers" URL in the new certificate's AIA extension names the intermediate that signed it
URL=$(openssl x509 -in "$WORK/signed.crt" -noout -text | sed -n 's/^ *CA Issuers - URI://p' | head -n 1)
[ -n "$URL" ] || { echo "no CA Issuers URL found in $WORK/signed.crt" >&2; exit 1; }
wget -q -O "$WORK/intermediate.der" "$URL"
openssl x509 -in "$WORK/intermediate.der" -inform der -outform pem -out "$WORK/intermediate.pem"
# Refuse to deploy unless the downloaded intermediate really chains the new certificate to a root in the system trust store
openssl verify -untrusted "$WORK/intermediate.pem" "$WORK/signed.crt"
cat "$WORK/signed.crt" "$WORK/intermediate.pem" > /path/to/chained.pem
nginx -t && service nginx reload
```

The `openssl x509 ... -text` command prints the certificate in readable form and the `sed` expression picks the URL out of the “CA Issuers - URI:” line; the script stops if no such line exists. `wget` downloads the intermediate from that URL. Let’s Encrypt serves it in DER format, so the next `openssl x509` call converts it to PEM. The `openssl verify` step is the important safety check: the AIA URL is plain HTTP and the intermediate is a public certificate, so secrecy is not the concern, but a wrong, truncated or tampered download would silently break your chain. `openssl verify` builds the chain from your new certificate through the downloaded intermediate to a root in the system trust store (which must therefore contain the Let’s Encrypt root) and aborts the script if that fails. `cat` then combines your own certificate followed by the intermediate into one file (nginx needs this; it might not be needed depending on your configuration and web server). Finally `nginx -t` checks the configuration before the reload so that a bad file cannot take the server down.
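The renewal script above can only be tried against Let’s Encrypt and a real domain. The following is an added example, not part of the original post or of acme-tiny, that shows the same mechanics offline: it builds a throwaway root, intermediate and leaf certificate (all names and the AIA URL `http://ca.example.invalid/intermediate.der` are made up), reads the “CA Issuers” URL out of the leaf exactly as the script does, converts the DER intermediate that such a URL would serve to PEM, and verifies the chain, including the case of a missing intermediate, which must be rejected. It needs OpenSSL 1.1.1 or newer and no network access.

```shell
#!/bin/sh
# Added example (not from the original post or acme-tiny): AIA extraction and chain
# verification against a constructed root -> intermediate -> leaf chain.
set -e

AIA_URL_FOR_DEMO="http://ca.example.invalid/intermediate.der"   # made-up URL for the demo

# Create root, intermediate and leaf certificates under directory $1.
build_demo_pki() {
    dir="$1"
    cat > "$dir/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.invalid
authorityInfoAccess = caIssuers;URI:$AIA_URL_FOR_DEMO
EOF
    # Self-signed root (plays the role of the Let's Encrypt root in the system trust store).
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/root.key" -out "$dir/root.pem" -subj "/CN=Demo Root" -days 2 \
        -config "$dir/pki.cnf" -extensions ca_ext
    # Intermediate, signed by the root.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/int.key" -out "$dir/int.csr" -subj "/CN=Demo Intermediate" -config "$dir/pki.cnf"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -set_serial 2 \
        -days 2 -extfile "$dir/pki.cnf" -extensions ca_ext -out "$dir/int.pem"
    # Leaf for the web server, signed by the intermediate and carrying the AIA extension.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=www.example.invalid" -config "$dir/pki.cnf"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" -set_serial 3 \
        -days 2 -extfile "$dir/pki.cnf" -extensions leaf_ext -out "$dir/leaf.pem"
    # What the AIA URL would serve: the intermediate in DER form.
    openssl x509 -in "$dir/int.pem" -outform der -out "$dir/intermediate.der"
}

# Print the "CA Issuers" URL from the AIA extension of certificate $1
# (the same text line the renewal script extracts).
aia_url() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *CA Issuers - URI://p' | head -n 1
}

# Convert a downloaded DER intermediate ($1) to PEM ($2).
der_to_pem() {
    openssl x509 -inform der -in "$1" -outform pem -out "$2"
}

# Succeed only if leaf $1 chains through intermediate $2 to trusted root $3.
chain_ok() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demonstration.
demo() {
    d=$(mktemp -d)
    build_demo_pki "$d"
    echo "CA Issuers URL in leaf: $(aia_url "$d/leaf.pem")"
    der_to_pem "$d/intermediate.der" "$d/intermediate.pem"
    if chain_ok "$d/leaf.pem" "$d/intermediate.pem" "$d/root.pem"; then
        echo "chain verifies: safe to concatenate leaf + intermediate and reload"
    else
        echo "chain does NOT verify: do not deploy" >&2
        return 1
    fi
    # A missing or wrong intermediate must be rejected the same way.
    if chain_ok "$d/leaf.pem" "$d/root.pem" "$d/root.pem"; then
        echo "unexpected: leaf verified without its intermediate" >&2
        return 1
    fi
    echo "missing intermediate correctly rejected"
    rm -rf "$d"
}

demo
```

In the real script the root is taken from the system trust store instead of `-CAfile`, and the intermediate comes from the network instead of `intermediate.der`, but the decision is the same: only when `chain_ok` succeeds is the concatenated file written and the web server reloaded.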