From f2c29f2d2588b1dfd5013bf478a7261d073ed2cd Mon Sep 17 00:00:00 2001 From: PE1NUT <47217436+PE1NUT@users.noreply.github.com> Date: Wed, 30 Sep 2020 18:16:13 +0200 Subject: [PATCH] Clarification on the use of certificate chains (#12986) * Clarification on the use of certificate chains * As per @bagasme Co-authored-by: Bagas Sanjaya Co-authored-by: zeripath Co-authored-by: Bagas Sanjaya Co-authored-by: techknowlogick --- docs/content/doc/advanced/config-cheat-sheet.en-us.md | 2 +- docs/content/doc/usage/https-support.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index c09001c5ee..29e260edad 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -212,7 +212,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`. - `SSH_LISTEN_PORT`: **%(SSH\_PORT)s**: Port for the built-in SSH server. - `OFFLINE_MODE`: **false**: Disables use of CDN for static files and Gravatar for profile pictures. - `DISABLE_ROUTER_LOG`: **false**: Mute printing of the router log. -- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. From 1.11 paths are relative to `CUSTOM_PATH`. +- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. When chaining, the server certificate must come first, then intermediate CA certificates (if any). From 1.11 paths are relative to `CUSTOM_PATH`. - `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. From 1.11 paths are relative to `CUSTOM_PATH`. - `STATIC_ROOT_PATH`: **./**: Upper level of template and static files path. - `STATIC_CACHE_TIME`: **6h**: Web browser cache time for static resources on `custom/`, `public/` and all uploaded avatars. diff --git a/docs/content/doc/usage/https-support.md b/docs/content/doc/usage/https-support.md index a94372ff1f..dfafa21c5c 100644 --- a/docs/content/doc/usage/https-support.md +++ b/docs/content/doc/usage/https-support.md @@ -32,7 +32,7 @@ HTTP_PORT = 3000 CERT_FILE = cert.pem KEY_FILE = key.pem ``` - +Note that if your certificate is signed by a third party certificate authority (i.e. not self-signed), then cert.pem should contain the certificate chain. The server certificate must be the first entry in cert.pem, followed by the intermediaries in order (if any). The root certificate does not have to be included because the connecting client must already have it in order to estalbish the trust relationship. To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server). ### Setting up HTTP redirection