Difference between revisions of "Let's Encrypt"
From MgmtWiki
(→References) |
(→Creating a Certificate from Scratch) |
||
| (15 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
==Context== | ==Context== | ||
| − | The best way to get free certificates. | + | * The best way to get free certificates. |
| + | * But these certificates are only good for 3 months | ||
| + | * scripts are available for apache, etc. but not for ASP.NET as of 2020-02-15 | ||
| + | * In many ways the story of Let's Encrypt is similar to the story of Linux, its a bunch of geeks telling the rest of the world how to order itself. The result for Let's Encrypt is just as annoying as Linux. A product of the geeks, by the geeks and for the geeks. | ||
==Solutions== | ==Solutions== | ||
| − | + | Certbot store working files in /etc/letsencrypt/live | |
| + | * Install certbot on Unbuntu like this | ||
| + | sudo snap install --classic certbot | ||
| + | certbot 1.19.0 from Certbot Project (certbot-eff✓) installed | ||
| + | |||
===Renewing Certificate looks like this=== | ===Renewing Certificate looks like this=== | ||
| − | + | warning - cert must be renewed before expiry or the process of changing the TXT record start all over. | |
====After challenge is posted to net solutions.org==== | ====After challenge is posted to net solutions.org==== | ||
| − | certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org' | + | certbot certonly --manual -d 'trustregistry.us,*.trustregistry.us' |
| + | certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org' | ||
Saving debug log to /var/log/letsencrypt/letsencrypt.log | Saving debug log to /var/log/letsencrypt/letsencrypt.log | ||
| Line 19: | Line 27: | ||
dns-01 challenge for trustregistry.org | dns-01 challenge for trustregistry.org | ||
http-01 challenge for trustregistry.org | http-01 challenge for trustregistry.org | ||
| − | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
NOTE: The IP of this machine will be publicly logged as having requested this | NOTE: The IP of this machine will be publicly logged as having requested this | ||
| Line 37: | Line 44: | ||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
Press Enter to Continue | Press Enter to Continue | ||
| − | + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| − | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | + | Create a file containing just this data: |
| − | Create a file containing just this data: | ||
VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs | VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs | ||
| Line 52: | Line 58: | ||
(This must be set up in addition to the previous challenges; do not remove, | (This must be set up in addition to the previous challenges; do not remove, | ||
replace, or undo the previous challenge tasks yet.) | replace, or undo the previous challenge tasks yet.) | ||
| − | + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| − | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | + | Press Enter to Continue |
| − | Press Enter to Continue | ||
http://trustregistry.org/.well-known/acme-challenge/hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA | http://trustregistry.org/.well-known/acme-challenge/hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA | ||
| − | ====Now copy | + | ====Now copy the challenge and response into file named TextDocument.txt==== |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
Press Enter to Continue | Press Enter to Continue | ||
| Line 73: | Line 78: | ||
again. To non-interactively renew *all* of your certificates, run | again. To non-interactively renew *all* of your certificates, run | ||
"certbot renew" | "certbot renew" | ||
| + | <pre> | ||
| + | root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# cat letschallenge.csv | ||
| + | challenge,Response | ||
| + | Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg | ||
| + | root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# echo Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg | ||
| + | Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg | ||
| + | root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# echo Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg >> letschallenge.csv | ||
| + | root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# cat letschallenge.csv | ||
| + | challenge,Response | ||
| + | Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg | ||
| + | Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg | ||
| + | </pre> | ||
| + | |||
| + | ===Creating a Certificate from Scratch=== | ||
| + | This also needs to be done if an existing certificate has been allowed to expire. | ||
| + | *Dirty and quick solution if certificate is already expired is to set. | ||
| + | curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); | ||
| + | It disables SSL verification, at the expense of security of course. | ||
| + | |||
| + | ===Prepare pfx file=== | ||
| + | |||
| + | openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trorg.pfx | ||
| + | |||
| + | or | ||
| − | + | openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trus.pfx | |
| + | ===It Might be necessary to reboot the Computer=== | ||
| + | sudo shutdown -r | ||
==References== | ==References== | ||
| + | <references /> | ||
| + | ===More Material=== | ||
| + | * The wiki page [[Deploy .NET to Docker]] has more details about the use on Digital Ocean and other sites. | ||
[[Category: Best Practice]] | [[Category: Best Practice]] | ||
Latest revision as of 13:24, 1 January 2022
Contents
Full Title
Using Let's Encrypt to maintain TSL certificates on a web site.
Context
- The best way to get free certificates.
- But these certificates are only good for 3 months
- scripts are available for apache, etc. but not for ASP.NET as of 2020-02-15
- In many ways the story of Let's Encrypt is similar to the story of Linux, its a bunch of geeks telling the rest of the world how to order itself. The result for Let's Encrypt is just as annoying as Linux. A product of the geeks, by the geeks and for the geeks.
Solutions
Certbot store working files in /etc/letsencrypt/live
- Install certbot on Unbuntu like this
sudo snap install --classic certbot certbot 1.19.0 from Certbot Project (certbot-eff✓) installed
Renewing Certificate looks like this
warning - cert must be renewed before expiry or the process of changing the TXT record start all over.
After challenge is posted to net solutions.org
certbot certonly --manual -d 'trustregistry.us,*.trustregistry.us' certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: dns-01 challenge for trustregistry.org http-01 challenge for trustregistry.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
Are you OK with your IP being logged? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.trustregistry.org with the following value: xNAB8ckvmjBV9uq_QhPfa8Xin40SCpoTQH8qphjyvpk
Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Create a file containing just this data:
VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
paJRQpKlTkenmAWkqEQ3lYNw8O7_ZnwV3VC5Qg37tco.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
And make it available on your web server at this URL: http://trustregistry.org/.well-known/acme-challenge/VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw
(This must be set up in addition to the previous challenges; do not remove, replace, or undo the previous challenge tasks yet.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue
http://trustregistry.org/.well-known/acme-challenge/hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA
Now copy the challenge and response into file named TextDocument.txt
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue Waiting for verification... Cleaning up challenges
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/trustregistry.org/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/trustregistry.org/privkey.pem Your cert will expire on 2021-06-10. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# cat letschallenge.csv challenge,Response Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# echo Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# echo Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg >> letschallenge.csv root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# cat letschallenge.csv challenge,Response Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg
Creating a Certificate from Scratch
This also needs to be done if an existing certificate has been allowed to expire.
- Dirty and quick solution if certificate is already expired is to set.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
It disables SSL verification, at the expense of security of course.
Prepare pfx file
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trorg.pfx
or
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trus.pfx
It Might be necessary to reboot the Computer
sudo shutdown -r
References
More Material
- The wiki page Deploy .NET to Docker has more details about the use on Digital Ocean and other sites.
