Let's Encrypt

From MgmtWiki
Jump to: navigation, search

Full Title

Using Let's Encrypt to maintain TSL certificates on a web site.

Context

  • The best way to get free certificates.
  • But these certificates are only good for 3 months
  • scripts are available for apache, etc. but not for ASP.NET as of 2020-02-15
  • In many ways the story of Let's Encrypt is similar to the story of Linux, its a bunch of geeks telling the rest of the world how to order itself. The result for Let's Encrypt is just as annoying as Linux. A product of the geeks, by the geeks and for the geeks.

Problems

Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026. Most users who use Let’s Encrypt to secure websites won’t be affected and won’t need to take any action.

However, if you use Let’s Encrypt certificates as client certificates to authenticate to a server, this change may impact you.

Solutions

Certbot store working files in /etc/letsencrypt/live

  • Install certbot on Unbuntu like this
sudo snap install --classic certbot
certbot 1.19.0 from Certbot Project (certbot-eff✓) installed

Renewing Certificate looks like this

warning - cert must be renewed before expiry or the process of changing the TXT record start all over.

After challenge is posted to net solutions.org

certbot certonly --manual -d 'trustregistry.us,*.trustregistry.us'
certbot certonly --manual -d 'trustregistry.org,*.trustregistry.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log  
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for trustregistry.org
http-01 challenge for trustregistry.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.trustregistry.org with the following value:
xNAB8ckvmjBV9uq_QhPfa8Xin40SCpoTQH8qphjyvpk
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs

paJRQpKlTkenmAWkqEQ3lYNw8O7_ZnwV3VC5Qg37tco.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs

hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA.R5Pdn5cwDU36dCaEUseg8k2-ykmZJIcv2F7ivAV_xgs

And make it available on your web server at this URL:
http://trustregistry.org/.well-known/acme-challenge/VddIbg1TP9nhOxL7X8tJqJCYbFCEHeYS4Eol0hBZjPw
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

http://trustregistry.org/.well-known/acme-challenge/hOzKpYwAYlTex5pVMMnOFF9qVXk2ZUE7ovmceb5LivA

Now copy the challenge and response into file named TextDocument.txt

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/trustregistry.org/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/trustregistry.org/privkey.pem
  Your cert will expire on 2021-06-10. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew *all* of your certificates, run
  "certbot renew"
root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# cat letschallenge.csv
challenge,Response
Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg
root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# echo Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg
Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg
root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# echo Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg >> letschallenge.csv
root@docker-s-1vcpu-1gb-sfo2-01:/home/app/TrustRegistry5/TrustRegistry/wwwroot# cat letschallenge.csv
challenge,Response
Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg
Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw,Zsaj-KZYcJK7rpgUA2X_9jYRijnktUj0HXG8zra6Iqw.L2f0KHXQiB90lHz5-2CW8aZ3YUxcla5Ts5HFQq4MzEg

Creating a pfx file

You can create a PFX file from the files provided by Let's Encrypt using OpenSSL.

1. Locate Your Let's Encrypt Files
Let's Encrypt typically provides:

fullchain.pem (certificate + intermediate certificates)

privkey.pem (private key)

2. Run OpenSSL Command
Use the following command to generate a PFX file:

bash
openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in fullchain.pem
This will create certificate.pfx, which you can use in IIS or other applications.

3. Add a Password (Optional)
If you need a password-protected PFX file, OpenSSL will prompt you to set one. You can also specify it directly:

bash
openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in fullchain.pem -password pass:YourSecurePassword
4. Verify the PFX File
To check the contents of the PFX file:

bash
openssl pkcs12 -info -in certificate.pfx

Creating a Certificate from Scratch

This also needs to be done if an existing certificate has been allowed to expire.

  • Dirty and quick solution if certificate is already expired is to set.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

It disables SSL verification, at the expense of security of course.

Prepare pfx file

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trorg.pfx

or

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out trus.pfx

It Might be necessary to reboot the Computer

sudo shutdown -r

References

More Material