From c9d6b4d248c6432fe4ce3d90a42fed87d9840dda Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Wed, 29 Sep 2021 15:18:10 -0700
Subject: [PATCH] Use fullchain.cer on graphite for nginx
Nginx doesn't seem to support explcit intermedate cert chains [0] and we need to supply all of the certs together in a single file. Thankfully acme.sh does this and calls it the fullchain.cer file. Use that in the nginx config for graphite to fix issues with ssl verification to this service.
[0] http://nginx.org/en/docs/http/configuring_https_servers.html#chains
Change-Id: I318fb92a30c1593c2a2e4cb37496b16f17472f1d
---
 playbooks/roles/graphite/templates/graphite-statsd.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/playbooks/roles/graphite/templates/graphite-statsd.conf.j2 b/playbooks/roles/graphite/templates/graphite-statsd.conf.j2
index 585e62d84b..d68c4c38bf 100644
--- a/playbooks/roles/graphite/templates/graphite-statsd.conf.j2
+++ b/playbooks/roles/graphite/templates/graphite-statsd.conf.j2
@@ -11,7 +11,7 @@ server {
 listen [::]:443 ssl;
 server_name {{ inventory_hostname }};
- ssl_certificate /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer;
+ ssl_certificate /etc/letsencrypt-certs/{{ inventory_hostname }}/fullchain.cer;
 ssl_certificate_key /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key;
 root /opt/graphite/static;
 index index.html;
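Review bot: The new `ssl_certificate` line carries no comment explaining why it points at `fullchain.cer` while the key path beside it still uses the per-host name, so a later cleanup could "normalise" it back to the leaf-only `.cer` and reintroduce the verification failures. A comment above the directive would pin the intent, for example `# nginx has no separate chain directive: serve leaf + intermediates from acme.sh's fullchain.cer`. Clients that do not fetch missing intermediates themselves are the ones that fail on a leaf-only file, so it is worth confirming after deploy that the served chain is complete, for instance with `openssl s_client -connect <host>:443 -showcerts`. The hunk does not show whether nginx is reloaded when acme.sh renews the files. The `server` block starts and ends outside the hunk.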