Fix the Certificate Chain (Recommended)
You must ensure your web server provides the full chain (Leaf + Intermediate + Root).
Concatenate Certificates: If you have separate your_domain.crt and DigiCertCA.crt files, you must combine them into a single file.
Correct Order: Your Domain Certificate must come first, followed by the Intermediate(s).
# Domain certificate first, then the intermediate. The private key (.key) stays in its own file.
cat your_domain.crt DigiCertCA.crt > navitrack_co_tz_fullchain.crt
Update Web Server (nginx) Configuration:
Nginx: Point ssl_certificate to the fullchain.crt.
server {
    listen 443 ssl; # managed by Digicert
    server_name repository.navitrack.co.tz;
    # Domain certificate followed by the intermediate(s)
    ssl_certificate /etc/ssl/certs/navitrack_co_tz_fullchain.crt;
    ssl_certificate_key /etc/ssl/certs/navitrack_co_tz.key;
    access_log /var/log/nginx/dspace-access.log;
    error_log /var/log/nginx/dspace-error.log;
}
Apache: Use SSLCertificateChainFile to point to the DigiCert intermediate file.
Tomcat: Import the .p7b file provided by DigiCert, which includes the full chain, into your keystore.
Update Node.js Trust Store
Node.js uses its own hardcoded root certificates and may not include yours if it's new or private.
Set Extra CA: Point Node.js to your DigiCert bundle using the NODE_EXTRA_CA_CERTS environment variable.
export NODE_EXTRA_CA_CERTS="/etc/ssl/certs/navitrack_co_tz_fullchain.crt"
Check Node Version: DSpace 8 requires a modern Node.js version (typically 18 or 20). Older versions may have outdated root certificates.
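A check to run on the concatenated file before nginx's ssl_certificate or NODE_EXTRA_CA_CERTS points at it, added here as an example and not part of the original page. The function name check_chain_file and its return codes are this example's own; the order check needs openssl on the PATH.

```shell
#!/usr/bin/env bash
# Added example: lint a PEM chain file. Return codes (this example's own):
# 0 ok, 1 private key inside, 2 first block is not a certificate,
# 3 fewer than two certificates, 4 wrong order, 5 certificate unparsable.
# Usage: check_chain_file /etc/ssl/certs/navitrack_co_tz_fullchain.crt
check_chain_file() {
  local file=$1 types ncert tmp i issuer subject rc=0
  # Types of all PEM blocks in file order, e.g. "CERTIFICATE", "PRIVATE KEY".
  types=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$file")
  if printf '%s\n' "$types" | grep -q 'PRIVATE KEY'; then
    echo "FAIL: $file contains a private key" >&2; return 1
  fi
  if [ "$(printf '%s\n' "$types" | head -n 1)" != "CERTIFICATE" ]; then
    echo "FAIL: first PEM block is not a certificate" >&2; return 2
  fi
  ncert=$(printf '%s\n' "$types" | grep -c '^CERTIFICATE$')
  if [ "$ncert" -lt 2 ]; then
    echo "FAIL: no intermediate after the domain certificate" >&2; return 3
  fi
  if ! command -v openssl >/dev/null 2>&1; then
    echo "OK: structure only (openssl not found, order not checked)"; return 0
  fi
  # Split into one file per certificate, then walk the chain: the issuer of
  # certificate i must be the subject of certificate i+1.
  tmp=$(mktemp -d) || return 5
  awk -v d="$tmp" '/^-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$file"
  i=1
  while [ "$i" -lt "$ncert" ] && [ "$rc" -eq 0 ]; do
    issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer 2>/dev/null) || rc=5
    subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject 2>/dev/null) || rc=5
    if [ "$rc" -eq 0 ] && [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "FAIL: certificate $i is not issued by certificate $((i + 1))" >&2; rc=4
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] && echo "OK: $ncert certificates, domain certificate first"
  return "$rc"
}
```

A non-zero result means the file should be rebuilt before reloading nginx or restarting the Node.js process.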