Discussion:
acme-client, error 21 at 0 depth lookup:unable to verify the first certificate
o***@crw.name
2021-04-02 12:02:19 UTC
Hello, I need some help to configure my acme-client the right way.

Obtain certificates itself works using OpenBSD -current #434 from April
1st.

I have a CAA record

$ dig -t CAA our.bio-planet.earth +short
0 issue "letsencrypt.org"

The configuration for httpd.conf and relayd.conf are taken from honk
https://cvsweb.openbsd.org/ports/www/honk/pkg/README?rev=1.4&content-type=text/x-cvsweb-markup

The acme-client.conf is taken from /etc/examples/ and the settings for
the domain are

$ tail -f /etc/acme-client.conf
domain our.bio-planet.earth {
domain key "/etc/ssl/private/our.bio-planet.earth.key"
domain certificate "/etc/ssl/our.bio-planet.earth.crt"
domain full chain certificate
"/etc/ssl/our.bio-planet.earth.fullchain.pem"
sign with letsencrypt
}

The FQHN equals the domain and I don't want to use other / sub domains.
The .crt file is required for the tls keypair part in relayd.conf.

If I try to verify the certificate using

$ openssl verify our.bio.planet.earth.fullchain.pem
CN = our.bio-planet.earth
error 21 at 0 depth lookup:unable to verify the first certificate
CN = our.bio-planet.earth
error 21 at 0 depth lookup:unable to verify the first certificate
/etc/ssl/our.bio-planet.earth.fullchain.pem: verification failed: 21
(unable to verify the first certificate)

On the other hand

$ openssl verify /etc/ssl/cert.pem
cert.pem: OK

How can I fix this? It did not work when I tried to use the certs, for
example, for prosody.

Thanks and regards,


Christoph
o***@crw.name
2021-04-03 15:43:36 UTC
Self solved.
Florian Obser
2021-04-03 17:10:17 UTC
https://xkcd.com/979/
Post by o***@crw.name
Self solved.
--
I'm not entirely sure you are real.
o***@crw.name
2021-04-03 17:43:05 UTC
Yeah, like that but Google was no help.
Post by Florian Obser
https://xkcd.com/979/
Stuart Henderson
2021-04-03 20:38:40 UTC
Post by o***@crw.name
Yeah, like that but Google was no help.
Post by Florian Obser
https://xkcd.com/979/
But if you follow-up with information about what the problem was
and how you fixed it, then it might be helpful for someone who comes
along in the future.
o***@crw.name
2021-04-03 21:17:02 UTC
Hello Stuart !

Yes, you are right. I have not been here for a long time (I used another
e-mail address before), so I was not sure if it is really interesting.

tedu uses relayd as the TLS endpoint for honk. If someone uses the default
/etc/examples/acme-client.conf with httpd only, everything works fine. If
the certs are obtained using domain.fullchain.pem and domain.key and
the paths are in the tls section of httpd.conf, all is fine.

Relayd expects a .crt file if the tls keypair option is used in relayd.conf
(relayd -n or trying to start it ends in errors referring to missing certs
for the relay section). So I just added the line to acme-client.conf to
obtain a certificate file too. Basically things work fine with this
configuration, but at some points I get an x509 error about a self-signed
certificate. tedu's documentation is fine, I just overlooked it. BTW, tls
keypair did not require linking the IPs that relayd listens on to the cert
files (that is defined as a fallback in the man page).

As this .crt file contains only a part (0) of the cert chain, I got
error 21 because (1) from the cert chain is missing.

The solution is, as tedu does, to name the fullchain certificate
domain.crt or, if the default acme-client.conf above is used, to just copy
domain.fullchain.pem to domain.crt. This is only important for relayd
and tls keypair.

Trying to verify the cert chain locally still fails with the command I
tried, but I think it is just a matter of the options used. But

openssl s_client -showcerts -connect our.bio-planet.earth:443

now reports

Verify return code: 0 (ok) instead of 21, and all is fine as the whole
cert chain is transmitted.

Another day I will look at prosody ;-) and the cert thing.

Regards,

Christoph
Post by Stuart Henderson
Post by o***@crw.name
Yeah, like that but Google was no help.
Post by Florian Obser
https://xkcd.com/979/
But if you follow-up with information about what the problem was
and how you fixed it, then it might be helpful for someone who comes
along in the future.
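A small checker for the situation described in the final reply above (a domain.crt holding only certificate (0) of the chain versus the fullchain file that relayd needs for tls keypair). This is an added example, not code from the thread or from OpenBSD: it splits a PEM bundle and confirms that each certificate is issued by the next one, using a minimal DER walker from the standard library only. The sample certificates are constructed, unsigned skeletons, and the CN values are placeholders.

```python
import base64, re

def _tlv(b, p):
    """Decode one DER tag/length header at offset p -> (tag, value_start, value_end)."""
    tag, n, p = b[p], b[p + 1], p + 2
    if n & 0x80:                            # long-form length
        k = n & 0x7F
        n, p = int.from_bytes(b[p:p + k], "big"), p + k
    return tag, p, p + n

def cert_names(der):
    """Return the raw DER-encoded issuer and subject Name of one X.509 certificate."""
    _, p, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                  # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                         # optional explicit [0] version
        p = end
    _, _, p = _tlv(der, p)                  # serialNumber
    _, _, p = _tlv(der, p)                  # signature AlgorithmIdentifier
    _, _, end = _tlv(der, p)
    issuer, p = der[p:end], end
    _, _, p = _tlv(der, p)                  # validity
    _, _, end = _tlv(der, p)
    return issuer, der[p:end]

def check_chain(pem_text):
    """Return (cert count, problems): cert i must be issued by cert i+1, as a TLS client expects."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    names = [cert_names(base64.b64decode("".join(b.split()))) for b in blocks]
    problems = ["leaf only: no intermediate certificate in file"] if len(names) < 2 else []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:  # issuer(i) != subject(i+1)
            problems.append(f"cert {i} is not issued by cert {i + 1}")
    return len(names), problems

# Constructed sample data: unsigned X.509 skeletons (no key, no signature), not real certificates.
def _der(tag, val):                         # short-form lengths only (< 128 bytes)
    return bytes([tag, len(val)]) + val

def fake_cert_pem(subject, issuer):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")          # version, serial
               + _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))       # sha256WithRSA OID
               + name(issuer) + _der(0x30, _der(0x17, b"210401000000Z") * 2)           # issuer, validity
               + name(subject) + _der(0x30, b""))                                      # subject, empty SPKI
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

LEAF = fake_cert_pem("our.bio-planet.earth", "R3")             # what a leaf-only domain.crt holds
FULLCHAIN = LEAF + fake_cert_pem("R3", "ISRG Root X1")         # what domain.fullchain.pem holds
```

For a local openssl check of a real bundle, note that `openssl verify file.pem` only treats the first certificate in the file as the target; pass the same bundle as `-untrusted file.pem` so the intermediates are available, which is the options issue the reply mentions.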