Let's Encrypt

From MgmtWiki
Latest revision as of 14:08, 14 May 2025

Full Title

Using Let's Encrypt to maintain TLS certificates on a web site.

Context

  • The best way to get free certificates.
  • But these certificates are only good for 90 days (3 months), so renewal has to be scripted or put on a calendar.
  • Certbot installer plugins are available for Apache, nginx, etc., but not for ASP.NET as of 2020-02-15, so an ASP.NET site has to serve the challenge responses itself (see the letschallenge.csv transcript below).
  • In many ways the story of Let's Encrypt is similar to the story of Linux: it's a bunch of geeks telling the rest of the world how to order itself. The result for Let's Encrypt is just as annoying as Linux. A product of the geeks, by the geeks and for the geeks.

Problems

Let's Encrypt has announced that it will no longer include the "TLS Client Authentication" Extended Key Usage (EKU) in its certificates beginning in 2026. Most users who use Let's Encrypt to secure websites won't be affected and won't need to take any action.

However, if you use Let's Encrypt certificates as client certificates to authenticate to a server, this change may impact you: a server that requires the clientAuth EKU will reject such a certificate once the renewed one lacks it. Check the EKU of a certificate before relying on it for mutual TLS, and plan on a different issuer for client certificates.

Solutions

Certbot stores its working files under /etc/letsencrypt; the current certificate and key for each domain are in /etc/letsencrypt/live/<domain>/ (symlinks to the newest files in /etc/letsencrypt/archive, so point the web server at the live path and it follows renewals).

  • Install certbot on Ubuntu like this
sudo snap install --classic certbot
certbot 1.19.0 from Certbot Project (certbot-eff✓) installed

Renewing Certificate looks like this

warning - the certificate must be renewed before it expires, or the whole process of posting a new TXT record starts all over. Each certbot run that has to validate again prints a fresh token, so an old TXT record is never reusable.

After the challenge TXT record is posted at net solutions.org

certbot certonly --manual -d 'trustregistry.us,*.trustregistry.us'
certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log  
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for trustregistry.org
http-01 challenge for trustregistry.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.trustregistry.org with the following value:
xNAB8ckvmjBV9uq_QhPfa8Xin40SCpoTQH8qphjyvpk
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs

paJRQpKlTkenmAWkqEQ3lYNw8O7_ZnwV3VC5Qg37tco.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs

hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs

And make it available on your web server at this URL:
http://trustregistry.org/.well-known/acme-challenge/VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

http://trustregistry.org/.well-known/acme-challenge/hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA

Now copy the challenge and response into a file named TextDocument.txt

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/trustregistry.org/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/trustregistry.org/privkey.pem
  Your cert will expire on 2021-06-10. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew *all* of your certificates, run
  "certbot renew"
The challenge token and its response are also appended to letschallenge.csv in the site's wwwroot, which is where the ASP.NET site looks them up (the first echo below only prints the row; the second appends it):

root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# cat letschallenge.csv
challenge,Response
Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg
root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# echo Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg
Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg
root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# echo Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg >> letschallenge.csv
root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# cat letschallenge.csv
challenge,Response
Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg
Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg
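The manual run above leaves three things to get right by hand: the body served at /.well-known/acme-challenge/<token>, the value of the _acme-challenge TXT record, and checking both before pressing Enter. The shell helpers below are an added example, not part of the wiki page or of certbot: dns01_txt_value derives the TXT value from the key authorization the way RFC 8555 specifies, csv_response performs the lookup an application such as the ASP.NET site has to do against a letschallenge.csv, and check_dns01 / check_http01 are pre-flight checks using dig and curl. The CSV row is copied from the transcript above; the function names and the placeholder domain are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): helpers for the manual certbot run.
# Assumes openssl, dig and curl are installed; names and paths are placeholders.
set -eu

# dns01_txt_value KEYAUTH
# certbot prints a key authorization "<token>.<account-thumbprint>" for http-01.
# For dns-01 the TXT record holds base64url(SHA-256(keyauth)) without '=' padding
# (RFC 8555 section 8.4), which is why the TXT value above is shorter than the file body.
dns01_txt_value() {
    printf '%s' "$1" | openssl dgst -sha256 -binary | openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# csv_response CSV TOKEN
# The lookup an application has to do to answer GET /.well-known/acme-challenge/TOKEN
# from a letschallenge.csv with a "challenge,Response" header row.
# Fails (no output, exit 1) for an unknown token or one outside the base64url
# alphabet, so a crafted path cannot pull other rows or files.
csv_response() {
    case "$2" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    awk -F, -v t="$2" 'NR > 1 && $1 == t { print $2; found = 1; exit } END { exit !found }' "$1"
}

# check_dns01 DOMAIN TXT_VALUE
# Exit 0 only when the public record is visible; run it before answering
# certbot's "verify the record is deployed" prompt.
check_dns01() {
    dig +short TXT "_acme-challenge.$1" | tr -d '"' | grep -qx "$2"
}

# check_http01 DOMAIN TOKEN KEYAUTH
# Exit 0 only when the served body matches the key authorization.
check_http01() {
    [ "$(curl -fsS "http://$1/.well-known/acme-challenge/$2")" = "$3" ]
}

# Constructed demo data: the first row of the letschallenge.csv shown in the transcript.
demo() {
    csv=$(mktemp)
    printf 'challenge,Response\n%s,%s\n' \
        'Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw' \
        'Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg' > "$csv"
    keyauth=$(csv_response "$csv" 'Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw')
    echo "http-01 body:  $keyauth"
    echo "dns-01 TXT:    $(dns01_txt_value "$keyauth")"
    rm -f "$csv"
    # Live checks need DNS/HTTP access, e.g.:
    # check_dns01 trustregistry.org "$(dns01_txt_value "$keyauth")" && echo "TXT record visible"
}
demo
```

The TXT value is derived from the http-01 key authorization, so one CSV row is enough to serve both challenge types for a token; the check functions are what to run in a second terminal while certbot waits at "Press Enter to Continue".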

Creating a pfx file

You can create a PFX file from the files provided by Let's Encrypt using OpenSSL.

1. Locate Your Let's Encrypt Files
Let's Encrypt typically provides (under /etc/letsencrypt/live/<domain>/):

fullchain.pem (certificate + intermediate certificates)

privkey.pem (private key)

2. Run OpenSSL Command
Use the following command to generate a PFX file:

openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in fullchain.pem

This will create certificate.pfx, which you can use in IIS or other applications. Because it contains the private key, keep it readable only by the account that needs it (chmod 600) and delete copies once imported. OpenSSL 3 writes PKCS#12 files with AES-256-CBC and a SHA-256 MAC; if an older Windows release refuses to import the file, re-run the command with the -legacy option.

3. Add a Password (Optional)
OpenSSL prompts for an export password. You can also specify it directly, but a password given as -password pass:... shows up in the process list and in shell history; when scripting, prefer -passout env:VARNAME or -passout file:path instead:

openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in fullchain.pem -password pass:YourSecurePassword

4. Verify the PFX File
To check the contents of the PFX file without printing the private key to the terminal:

openssl pkcs12 -info -in certificate.pfx -noout
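Two of the points above are worth verifying rather than trusting: whether a certificate still carries the clientAuth EKU (the 2026 change under Problems) and whether the PFX was packaged with the password kept off the command line. The shell example below is added here and is not part of the wiki page or of Let's Encrypt's tooling. It builds throwaway self-signed keys and certificates as stand-ins for Let's Encrypt output (constructed test material; one with serverAuth only, the way certificates will look from 2026, one with serverAuth and clientAuth), reports whether the clientAuth EKU is present, and packages key and chain as a PFX with the export password taken from an environment variable. The file names, the PFX_PASS variable and the example.test names are assumptions; it needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the wiki page): check a certificate's EKU and package
# key + chain as a PFX without exposing the password on the command line.
# Assumes openssl 1.1.1 or newer; file names, PFX_PASS and example.test are placeholders.
set -eu

# has_client_auth_eku CERT.pem -> prints yes or no.
# From 2026 Let's Encrypt certificates answer "no"; anything doing mutual TLS
# with such a certificate needs a different issuer.
has_client_auth_eku() {
    if openssl x509 -in "$1" -noout -ext extendedKeyUsage | grep -q 'TLS Web Client Authentication'; then
        echo yes
    else
        echo no
    fi
}

# make_pfx PRIVKEY.pem FULLCHAIN.pem OUT.pfx
# The export password comes from the exported variable PFX_PASS (-passout env:),
# so it is not visible in `ps` or saved in shell history the way -password pass:... is.
make_pfx() {
    : "${PFX_PASS:?export PFX_PASS before calling make_pfx}"
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:PFX_PASS
    chmod 600 "$3"   # the PFX contains the private key
}

# verify_pfx OUT.pfx -> prints how many certificates the file holds (leaf + intermediates).
# Opening the file checks the MAC against PFX_PASS; -nokeys keeps the private key off the terminal.
verify_pfx() {
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS | grep -c 'BEGIN CERTIFICATE'
}

# make_demo_cert DIR NAME EKU_LIST
# Constructed stand-in for Let's Encrypt output: a self-signed leaf written as
# NAME-fullchain.pem / NAME-privkey.pem (a real fullchain.pem also carries the intermediate).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/$2-privkey.pem" -out "$1/$2-fullchain.pem" \
        -subj "/CN=$2.example.test" -addext "extendedKeyUsage=$3" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_demo_cert "$dir" server serverAuth            # the 2026 Let's Encrypt profile
    make_demo_cert "$dir" both serverAuth,clientAuth   # what older certificates carried
    echo "serverAuth-only cert has clientAuth EKU: $(has_client_auth_eku "$dir/server-fullchain.pem")"
    echo "serverAuth+clientAuth cert has clientAuth EKU: $(has_client_auth_eku "$dir/both-fullchain.pem")"
    export PFX_PASS=demo-only-password
    make_pfx "$dir/server-privkey.pem" "$dir/server-fullchain.pem" "$dir/server.pfx"
    echo "certificates in server.pfx: $(verify_pfx "$dir/server.pfx")"
    rm -rf "$dir"
}
demo
```

Run has_client_auth_eku against /etc/letsencrypt/live/<domain>/cert.pem after each renewal if anything authenticates with that certificate; for the PFX, verify_pfx on a file built from fullchain.pem should report more than one certificate, which is the quick way to tell a chain-bearing PFX from one built from cert.pem alone.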

Creating a Certificate from Scratch

This also needs to be done if an existing certificate has been allowed to expire.

  • Dirty and quick solution if the certificate is already expired is to set
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

It disables SSL verification, at the expense of security of course: with peer verification off the client accepts any certificate, including one presented by a man-in-the-middle, so treat this as a stop-gap until the certificate is renewed and remove it afterwards.

Prepare pfx file

Note that cert.pem holds only the leaf certificate, so a PFX built from it carries no intermediate and clients that cannot fetch the intermediate themselves may fail to validate the chain; use fullchain.pem (as in the previous section) unless the server supplies the chain some other way.

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trorg.pfx

or

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trus.pfx

It might be necessary to reboot the computer

sudo shutdown -r

Without a time argument shutdown schedules the reboot one minute out and warns logged-in users; add now for an immediate reboot.

More Material

  • The wiki page Deploy .NET to Docker has more details about the use on Digital Ocean and other sites.