Difference between revisions of "Let's Encrypt"
From MgmtWiki
(→After challenge is posted to net solutions.org=) |
(→Solutions) |
||
| (22 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
==Context== | ==Context== | ||
| − | The best way to get free certificates. | + | * The best way to get free certificates. |
| + | * But these certificates are only good for 3 months | ||
| + | * scripts are available for apache, etc. but not for ASP.NET as of 2020-02-15 | ||
| + | * In many ways the story of Let's Encrypt is similar to the story of Linux, its a bunch of geeks telling the rest of the world how to order itself. The result for Let's Encrypt is just as annoying as Linux. A product of the geeks, by the geeks and for the geeks. | ||
| + | ==Problems== | ||
| + | Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026. Most users who use Let’s Encrypt to secure websites won’t be affected and won’t need to take any action. | ||
| + | |||
| + | However, if you use Let’s Encrypt certificates as client certificates to authenticate to a server, this change may impact you. | ||
==Solutions== | ==Solutions== | ||
| − | + | Certbot store working files in /etc/letsencrypt/live | |
| + | * Install certbot on Unbuntu like this | ||
| + | sudo snap install --classic certbot | ||
| + | certbot 1.19.0 from Certbot Project (certbot-eff✓) installed | ||
| + | |||
===Renewing Certificate looks like this=== | ===Renewing Certificate looks like this=== | ||
| − | + | warning - cert must be renewed before expiry or the process of changing the TXT record start all over. | |
====After challenge is posted to net solutions.org==== | ====After challenge is posted to net solutions.org==== | ||
| − | certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org' | + | certbot certonly --manual -d 'trustregistry.us,*.trustregistry.us' |
| + | certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org' | ||
Saving debug log to /var/log/letsencrypt/letsencrypt.log | Saving debug log to /var/log/letsencrypt/letsencrypt.log | ||
| Line 19: | Line 31: | ||
dns-01 challenge for trustregistry.org | dns-01 challenge for trustregistry.org | ||
http-01 challenge for trustregistry.org | http-01 challenge for trustregistry.org | ||
| + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
| + | NOTE: The IP of this machine will be publicly logged as having requested this | ||
| + | certificate. If you're running certbot in manual mode on a machine that is not | ||
| + | your server, please ensure you're okay with that. | ||
| − | + | Are you OK with your IP being logged? | |
| − | + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| − | + | (Y)es/(N)o: yes | |
| − | |||
| − | |||
| − | Are you OK with your IP being logged? | ||
| − | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
| − | (Y)es/(N)o: yes | ||
| − | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| − | Please deploy a DNS TXT record under the name | + | Please deploy a DNS TXT record under the name |
| − | _acme-challenge.trustregistry.org with the following value: | + | _acme-challenge.trustregistry.org with the following value: |
| + | xNAB8ckvmjBV9uq_QhPfa8Xin40SCpoTQH8qphjyvpk | ||
| − | + | Before continuing, verify the record is deployed. | |
| − | + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| − | Before continuing, verify the record is deployed. | + | Press Enter to Continue |
| − | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| − | Press Enter to Continue | + | Create a file containing just this data: |
| − | |||
| − | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
| − | Create a file containing just this data: | ||
VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs | VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs | ||
| Line 48: | Line 57: | ||
hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs | hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs | ||
| − | And make it available on your web server at this URL: | + | And make it available on your web server at this URL: |
| + | http://trustregistry.org/.well-known/acme-challenge/VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw | ||
| − | + | (This must be set up in addition to the previous challenges; do not remove, | |
| − | + | replace, or undo the previous challenge tasks yet.) | |
| − | (This must be set up in addition to the previous challenges; do not remove, | + | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| − | replace, or undo the previous challenge tasks yet.) | + | Press Enter to Continue |
| − | |||
| − | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
| − | Press Enter to Continue | ||
http://trustregistry.org/.well-known/acme-challenge/hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA | http://trustregistry.org/.well-known/acme-challenge/hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA | ||
| − | ====Now copy | + | ====Now copy the challenge and response into file named TextDocument.txt==== |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
Press Enter to Continue | Press Enter to Continue | ||
| Line 75: | Line 82: | ||
again. To non-interactively renew *all* of your certificates, run | again. To non-interactively renew *all* of your certificates, run | ||
"certbot renew" | "certbot renew" | ||
| + | <pre> | ||
| + | root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# cat letschallenge.csv | ||
| + | challenge,Response | ||
| + | Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg | ||
| + | root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# echo Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg | ||
| + | Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg | ||
| + | root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# echo Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg >> letschallenge.csv | ||
| + | root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# cat letschallenge.csv | ||
| + | challenge,Response | ||
| + | Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg | ||
| + | Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg | ||
| + | </pre> | ||
| + | |||
| + | ===Creating a pfx file=== | ||
| + | You can create a PFX file from the files provided by Let's Encrypt using OpenSSL. | ||
| + | <pre> | ||
| + | 1. Locate Your Let's Encrypt Files | ||
| + | Let's Encrypt typically provides: | ||
| + | |||
| + | fullchain.pem (certificate + intermediate certificates) | ||
| + | |||
| + | privkey.pem (private key) | ||
| + | |||
| + | 2. Run OpenSSL Command | ||
| + | Use the following command to generate a PFX file: | ||
| + | |||
| + | bash | ||
| + | openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in fullchain.pem | ||
| + | This will create certificate.pfx, which you can use in IIS or other applications. | ||
| + | |||
| + | 3. Add a Password (Optional) | ||
| + | If you need a password-protected PFX file, OpenSSL will prompt you to set one. You can also specify it directly: | ||
| + | |||
| + | bash | ||
| + | openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in fullchain.pem -password pass:YourSecurePassword | ||
| + | 4. Verify the PFX File | ||
| + | To check the contents of the PFX file: | ||
| + | |||
| + | bash | ||
| + | openssl pkcs12 -info -in certificate.pfx | ||
| + | </pre> | ||
| + | ===Creating a Certificate from Scratch=== | ||
| + | This also needs to be done if an existing certificate has been allowed to expire. | ||
| + | *Dirty and quick solution if certificate is already expired is to set. | ||
| + | curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); | ||
| + | It disables SSL verification, at the expense of security of course. | ||
| + | |||
| + | ===Prepare pfx file=== | ||
| + | |||
| + | openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trorg.pfx | ||
| + | |||
| + | or | ||
| + | |||
| + | openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trus.pfx | ||
| + | |||
| + | ===It Might be necessary to reboot the Computer=== | ||
| + | sudo shutdown -r | ||
==References== | ==References== | ||
| + | <references /> | ||
| + | ===More Material=== | ||
| + | * The wiki page [[Deploy .NET to Docker]] has more details about the use on Digital Ocean and other sites. | ||
[[Category: Best Practice]] | [[Category: Best Practice]] | ||
Latest revision as of 14:08, 14 May 2025
Contents
Full Title
Using Let's Encrypt to maintain TSL certificates on a web site.
Context
- The best way to get free certificates.
- But these certificates are only good for 3 months
- scripts are available for apache, etc. but not for ASP.NET as of 2020-02-15
- In many ways the story of Let's Encrypt is similar to the story of Linux, its a bunch of geeks telling the rest of the world how to order itself. The result for Let's Encrypt is just as annoying as Linux. A product of the geeks, by the geeks and for the geeks.
Problems
Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026. Most users who use Let’s Encrypt to secure websites won’t be affected and won’t need to take any action.
However, if you use Let’s Encrypt certificates as client certificates to authenticate to a server, this change may impact you.
Solutions
Certbot store working files in /etc/letsencrypt/live
- Install certbot on Unbuntu like this
sudo snap install --classic certbot certbot 1.19.0 from Certbot Project (certbot-eff✓) installed
Renewing Certificate looks like this
warning - cert must be renewed before expiry or the process of changing the TXT record start all over.
After challenge is posted to net solutions.org
certbot certonly --manual -d 'trustregistry.us,*.trustregistry.us' certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: dns-01 challenge for trustregistry.org http-01 challenge for trustregistry.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
Are you OK with your IP being logged? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.trustregistry.org with the following value: xNAB8ckvmjBV9uq_QhPfa8Xin40SCpoTQH8qphjyvpk
Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Create a file containing just this data:
VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
paJRQpKlTkenmAWkqEQ3lYNw8O7_ZnwV3VC5Qg37tco.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs
And make it available on your web server at this URL: http://trustregistry.org/.well-known/acme-challenge/VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw
(This must be set up in addition to the previous challenges; do not remove, replace, or undo the previous challenge tasks yet.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue
http://trustregistry.org/.well-known/acme-challenge/hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA
Now copy the challenge and response into file named TextDocument.txt
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue Waiting for verification... Cleaning up challenges
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/trustregistry.org/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/trustregistry.org/privkey.pem Your cert will expire on 2021-06-10. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# cat letschallenge.csv challenge,Response Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# echo Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# echo Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg >> letschallenge.csv root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# cat letschallenge.csv challenge,Response Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg
Creating a pfx file
You can create a PFX file from the files provided by Let's Encrypt using OpenSSL.
1. Locate Your Let's Encrypt Files Let's Encrypt typically provides: fullchain.pem (certificate + intermediate certificates) privkey.pem (private key) 2. Run OpenSSL Command Use the following command to generate a PFX file: bash openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in fullchain.pem This will create certificate.pfx, which you can use in IIS or other applications. 3. Add a Password (Optional) If you need a password-protected PFX file, OpenSSL will prompt you to set one. You can also specify it directly: bash openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in fullchain.pem -password pass:YourSecurePassword 4. Verify the PFX File To check the contents of the PFX file: bash openssl pkcs12 -info -in certificate.pfx
Creating a Certificate from Scratch
This also needs to be done if an existing certificate has been allowed to expire.
- Dirty and quick solution if certificate is already expired is to set.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
It disables SSL verification, at the expense of security of course.
Prepare pfx file
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trorg.pfx
or
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trus.pfx
It Might be necessary to reboot the Computer
sudo shutdown -r
References
More Material
- The wiki page Deploy .NET to Docker has more details about the use on Digital Ocean and other sites.
