Let's Encrypt: mention that Pelican needs the full cert chain

matyasselmeci · matyasselmeci · commit 5255550fd5b8 · 2024-11-08T16:58:05.000-06:00
diff --git a/docs/security/host-certs/lets-encrypt.md b/docs/security/host-certs/lets-encrypt.md
@@ -36,7 +36,7 @@ Installation and Obtaining the Initial Certificate
 
         If using host certificates for Pelican/OSDF:
         :::console
-        root@host # ln -sf /etc/letsencrypt/live/*/cert.pem /etc/pki/tls/certs/pelican.crt
+        root@host # ln -sf /etc/letsencrypt/live/*/fullchain.pem /etc/pki/tls/certs/pelican.crt
         root@host # ln -sf /etc/letsencrypt/live/*/privkey.pem /etc/pki/tls/private/pelican.key
         root@host # chmod 0600 /etc/letsencrypt/archive/*/privkey*.pem
 
@@ -46,6 +46,10 @@ Installation and Obtaining the Initial Certificate
         root@host # ln -sf /etc/letsencrypt/live/*/privkey.pem /etc/grid-security/hostkey.pem
         root@host # chmod 0600 /etc/letsencrypt/archive/*/privkey*.pem
 
+
+    Note that Pelican requires the full certificate chain, not just the certificate,
+    so the pelican.crt symlink needs to point to fullchain.pem, not cert.pem.
+
 1. Restart services running on port 80 if there were any.
 
 
