This article describes a working method of obtaining a certificate from Let's Encrypt in manual mode, for later installation on a Windows web server (IIS / Microsoft Azure) or on Linux (fully manual mode). Because there is no official Windows client for generating the certificate, a Linux distribution is used for that part.


Background: from the very beginning, the website of our Moscow company (the linked site already carries a test beta certificate from Let's Encrypt) needed a "simple" SSL certificate for domain validation and traffic encryption.

In the first days that requests for beta testing were accepted we decided to register as well, and recently the letter arrived saying that the ACME program would now issue a valid certificate for our domain.

So we decided to publish an article with step-by-step instructions for the process, so that by the time of the public release you can quickly create and start using a certificate.

How it works


The complete description of the process is available at this link.
The important thing to know is that, to prove ownership of the domain and generate the certificate successfully, you need access either to the domain's DNS records or to the server that its A record points to, which is quite logical.

The purpose of the Automated Certificate Management Environment (ACME) tool set (written in Python) is to automate generating and installing the certificate in a Linux environment.

There is an unofficial open-source Windows client that can generate and install certificates on Windows IIS and Amazon Web Services, but our task was to obtain the keys and install them by hand. Writing an article about that client is left to anyone interested.

Step by step


The official instructions were used.
Linux users can use the text below as an example of generating a certificate in manual mode.

1. Start your favourite Linux distribution (we used Debian 8).

2. Either install Git and run the commands below:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

or download and unpack this archive into a folder and change into that folder.

3. Start installation and generation with:

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory -a manual auth

You will be asked for an e-mail address for future recovery.
The -a manual option generates the keys in manual mode without installing them on the web server automatically.

4. Next, enter the domains for which you want to create certificates.

5. Confirm that your address will be recorded in the Let's Encrypt logs.

6. Confirm possession of the domain.

This is one of the critical moments of manual registration.
Note: we are asked to serve a response to the verification request that returns Content-Type text/plain.

A response served with a different Content-Type will not pass, and the confirmation step fails with an error message.

The response must be served exactly as plain text.

If you have a Windows server (with Razor Views support, and likewise with MVC), the easiest way to produce the correct response is:
a) create the .well-known folder and, inside it, the acme-challenge folder;
b) place the file [request].cshtml there, where [request] is the name the client asked for;
c) put the following in that file:
@{Response.ContentType = "text/plain";Response.Charset = "";}[verification code here]
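The Content-Type requirement can be rehearsed locally before step 6 is confirmed. The following is an added example, not code from the original post: it serves a challenge file from a throwaway web root with Python's built-in HTTP server and then fetches it the way the validator does, rejecting anything that is not a 200 text/plain response with the exact expected body. The token and key-authorization strings are constructed placeholders.

```python
import functools
import http.client
import http.server
import socketserver
import tempfile
import threading
from pathlib import Path

# Constructed sample challenge (not a real token): the manual plugin prints the
# path under /.well-known/acme-challenge/ and the exact body it expects there.
TOKEN = "sample-token-0123456789"
KEY_AUTH = "sample-token-0123456789.sample-account-key-thumbprint"
STOCK_HANDLER = http.server.SimpleHTTPRequestHandler  # unmodified file server

def write_challenge(webroot, token, key_auth):
    """Create .well-known/acme-challenge/<token> holding the expected body."""
    path = Path(webroot) / ".well-known" / "acme-challenge" / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_auth)
    return path

class ChallengeHandler(http.server.SimpleHTTPRequestHandler):
    """Stock file handler, except challenge files are always served as text/plain.
    The token file has no extension, so the stock handler labels it
    application/octet-stream: the wrong Content-Type the article warns about."""
    def guess_type(self, path):
        if "/.well-known/acme-challenge/" in str(path).replace("\\", "/"):
            return "text/plain"
        return super().guess_type(path)

def check_challenge(host, port, token, expected):
    """Pre-check the way the validator does: 200, text/plain, exact body."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", f"/.well-known/acme-challenge/{token}")
    resp = conn.getresponse()
    ctype = resp.getheader("Content-Type", "")
    body = resp.read().decode("utf-8").strip()
    conn.close()
    return resp.status == 200 and ctype.startswith("text/plain") and body == expected

def serve_and_check(handler_cls):
    """Serve a throwaway webroot on loopback with handler_cls, then run the check."""
    with tempfile.TemporaryDirectory() as webroot:
        write_challenge(webroot, TOKEN, KEY_AUTH)
        handler = functools.partial(handler_cls, directory=webroot)
        with socketserver.TCPServer(("127.0.0.1", 0), handler) as srv:
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            try:
                return check_challenge("127.0.0.1", srv.server_address[1], TOKEN, KEY_AUTH)
            finally:
                srv.shutdown()
```

serve_and_check(STOCK_HANDLER) returns False because the extension-less token file is served as application/octet-stream, while serve_and_check(ChallengeHandler) returns True.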

7. After a successful check, the following certificates will be created in the folder /etc/letsencrypt/live/[domain name]/:

privkey.pem (the private key for the certificate)
Used by Apache for SSLCertificateKeyFile and by nginx for ssl_certificate_key.

cert.pem (the server certificate)
Used by Apache for SSLCertificateFile.

chain.pem (the chain certificate)
Used by Apache for SSLCertificateChainFile.

fullchain.pem (cert.pem and chain.pem concatenated)
Used by nginx for ssl_certificate.

8. Copy them to the Windows machine.

9. Now it is time to convert them into the native .pfx format.
For this, install OpenSSL, unpack it, put our keys into the same folder and run the following as administrator:

openssl pkcs12 -export -inkey privkey.pem -in fullchain.pem -out mydomain.pfx

10. We now have the certificate mydomain.pfx, which we can use in the Windows environment.

It is important to know that Let's Encrypt certificates are valid for 90 days. It is recommended to renew them every 60 days. Notifications about the certificate's expiry will be sent to the e-mail address you specified during generation.

I will be glad to hear your comments or suggestions about the article.


This article is a translation of the original post at habrahabr.ru/post/270273/