Let's Encrypt
From MgmtWiki
Contents
Full Title
Using Let's Encrypt to maintain TSL certificates on a web site.
Context
- The best way to get free certificates.
- But these certificates are only good for 3 months
- scripts are available for apache, etc. but not for ASP.NET as of 2020-02-15
- In many ways the story of Let's Encrypt is similar to the story of Linux, its a bunch of geeks telling the rest of the world how to order itself. The result for Let's Encrypt is just as annoying as Linux. A product of the geeks, by the geeks and for the geeks.
Solutions
Certbot store working files in /etc/letsencrypt/live
- Install certbot on Unbuntu like this
sudo snap install --classic certbot certbot 1.19.0 from Certbot Project (certbot-eff✓) installed
Renewing Certificate looks like this
warning - cert must be renewed before expiry or the process of changing the TXT record start all over.
After challenge is posted to net solutions.org
certbot certonly --manual -d 'trustregistry.us,*.trustregistry.us' certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: dns-01 challenge for trustregistry.org http-01 challenge for trustregistry.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
Are you OK with your IP being logged? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.trustregistry.org with the following value: xNAB8ckvmjBV9uq_QhPfa8Xin40SCpoTQH8qphjyvpk
Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Create a file containing just this data:
VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
paJRQpKlTkenmAWkqEQ3lYNw8O7_ZnwV3VC5Qg37tco.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
And make it available on your web server at this URL: http://trustregistry.org/.well-known/acme-challenge/VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw
(This must be set up in addition to the previous challenges; do not remove, replace, or undo the previous challenge tasks yet.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue
http://trustregistry.org/.well-known/acme-challenge/hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA
Now copy the challenge and response into file named TextDocument.txt
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue Waiting for verification... Cleaning up challenges
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/trustregistry.org/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/trustregistry.org/privkey.pem Your cert will expire on 2021-06-10. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# cat letschallenge.csv challenge,Response Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# echo Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# echo Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg >> letschallenge.csv root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# cat letschallenge.csv challenge,Response Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg
Creating a Certificate from Scratch
This also needs to be done if an existing certificate has been allowed to expire.
- Dirty and quick solution if certificate is already expired is to set.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
It disables SSL verification, at the expense of security of course.
Prepare pfx file
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trorg.pfx
or
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trus.pfx
It Might be necessary to reboot the Computer
sudo shutdown -r
References
More Material
- The wiki page Deploy .NET to Docker has more details about the use on Digital Ocean and other sites.
