Let's Encrypt

From MgmtWiki
Jump to: navigation, search

Full Title

Using Let's Encrypt to maintain TSL certificates on a web site.

Context

  • The best way to get free certificates.
  • But these certificates are only good for 3 months
  • scripts are available for apache, etc. but now for ASP.NET as of 2020-02-15

Solutions

Certbot store working files in /etc/letsencrypt/live

Renewing Certificate looks like this

After challenge is posted to net solutions.org

certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org' 

Saving debug log to /var/log/letsencrypt/letsencrypt.log  
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for trustregistry.org
http-01 challenge for trustregistry.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: yes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.trustregistry.org with the following value:
xNAB8ckvmjBV9uq_QhPfa8Xin40SCpoTQH8qphjyvpk

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs

paJRQpKlTkenmAWkqEQ3lYNw8O7_ZnwV3VC5Qg37tco.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs

hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs 

And make it available on your web server at this URL:
http://trustregistry.org/.well-known/acme-challenge/VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

http://trustregistry.org/.well-known/acme-challenge/hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA

Now copy that value into file named TextDocument.txt

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/trustregistry.org/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/trustregistry.org/privkey.pem
  Your cert will expire on 2021-06-10. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew *all* of your certificates, run
  "certbot renew"

Prepare pfx file

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trorg.pfx

References

Retrieved from "http://tcwiki.azurewebsites.net/index.php?title=Let%27s_Encrypt&oldid=11193"