Let's Encrypt: Get Certificate in Steps

    This article will describe a real way to obtain a certificate from Let's Encrypt in manual mode for further installation on a Windows (IIS / Microsoft Azure) or Linux (fully manual) web server. Due to the lack of an official Windows client, a Linux distribution will be used to generate the certificate .



    In the early days of the opening of applications for beta testing, it was decided to sign up and recently a letter arrived informing us that ACME will now generate a valid certificate for our domain.

    Next, we decided to publish an article with step-by-step instructions on the process, so that by the time you release you can quickly create and start using your certificate.

    How it works


    A full description of the process is available at this link .
    It is only important to know that in order to confirm domain ownership and successfully generate a certificate, you will need to have access to the DNS records or to the server where the A record refers, which is quite logical.

    The purpose of the Automated Certificate Management Environment (ACME) software suite (written in Python) is to automate the generation and installation of a certificate in a Linux environment.

    There is an unofficial open source Windows client that can generate and install certificates on Windows IIS and Amazon Web Services, but we had the task of obtaining the keys and installing them manually. I suggest anyone who wishes to write an article on working with him.

    Step by step process


    Attention: this instruction teaches you how to create a certificate in manual mode, there are simpler ways to automatically generate and renew certificates. I hope that they will be described on this resource soon.

    [11/01/17] New CertBot client

    A small update to the article in 2017.
    Now you can install CertBot and get the certificate manually.

    Brief instructions:

    1. Downloading the distribution

    wget https://dl.eff.org/certbot-auto

    package 2. Setting the rights to the file

    chmod a+x certbot-auto

    3. Launching to obtain a certificate in manual mode

    ./certbot-auto certonly --authenticator manual

    4. Follow the instructions of the program (for details, see the full instructions below from step No. 4).

    Detailed instructions (old client - still working)

    The official instructions were used .
    Linux users can use the text below as an example of generating a certificate in manual mode.

    1. Run your favorite Linux distribution (we used Debian 8).

    either 2. Install Git and run the commands below:

    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt

    or 2. Download and unzip this archive into a folder and go to this folder

    3. Run the installation and generation using which

    ./letsencrypt-auto --agree-dev-preview --server \https://acme-v01.api.letsencrypt.org/directory -a manual auth

    you will be prompted to enter an email for recovery in the future.
    The -a manual switch allows you to generate the keys manually without installing them automatically on the web server.

    4. Next, enter the domains for which you want to create certificates


    5.Confirm that your address is saved in Let's Encrypt


    6 logs . Confirm domain ownership


    In September 2016, there were minor changes in the procedure for obtaining a certificate. Thanks toxi_roman for the update.

    The old confirmation method with text / plain (not relevant as of October 2016)
    This is one of the crucial moments in manual registration mode.
    Please note: we are asked to create a response to the request that returns Content-Type text / plain .

    Such an answer will not work and confirmation will produce an error:


    It is necessary that this be so:



    If you have a server on Windows (with Razor Views support, similarly with MVC), then the easiest way to create the correct answer is:
    a) create the .well-known folder and the acme-challenge folder in it
    b) place the file [request] there. cshtml
    c) add to the contents of this file:
    @{Response.ContentType = "text/plain";Response.Charset = "";}здесь проверочный код

    7. After successful verification, the following certificates will be created in the / etc / letsencrypt / live / [domain name]

    folder : privkey.pem - private key for the certificate
    . Apache is used for SSLCertificateKeyFile and nginx for ssl_certificate_key.

    cert.pem (server certificate)
    Used by Apache for the SSLCertificateFile.

    chain.pem (chain certificate)
    It is used by Apache for SSLCertificateChainFile.

    fullchain.pem (connection of chain.pem and cert.pem)
    It is also used by nginx for ssl_certificate.

    7. Now it's time to convert it to the native Windows .pfx format.
    Go to the folder / etc / letsencrypt / live / [domain name] (open the terminal in administrator mode using the su command):

    cd /etc/letsencrypt/live/[имя домена]

    Launch OpenSSL with the command:

    openssl

    and start the conversion with the command:

    pkcs12 -inkey privkey.pem -in fullchain.pem -export -out mydomain.pfx

    you will be asked to enter a password and confirm it.



    7.2 Exit OpenSSL using the quit

    7.3 command. Copy the resulting file to our user directory
    cp --no-preserve=all mydomain.pfx /home/(имя пользователя)/Documents

    8.We received the mydomain.pfx certificate , which we can now use in the Windows environment.

    To renew a certificate manually:
    ./letsencrypt-auto certonly --renew-by-default -a manual

    It is important to know that Let's Encrypt certificates are valid for 90 days. It is recommended that they be updated every 60 days. The email that you specified for generation will receive notifications about the expiration of the certificate.

    I will be glad to hear your comments or suggestions for the article.

    Only registered users can participate in the survey. Please come in.

    Are you planning to use Let's Encrypt certificates in your projects?

    • 83.2% Yes 1089
    • 9.1% No, I am using an alternative certificate (StartSSL, CloudFlare Flexible SSL) 120
    • 4.8% No, I already have a paid certificate 64
    • 2.6% Another option 35

    Also popular now: