
A Simple Method for Obtaining a Let's Encrypt SSL Certificate

I finally decided to update a few sites to use Let's Encrypt (LE) for SSL certificates. These are my notes about using a nuts-and-bolts, low-level method of doing this that doesn't involve automation.

At its heart, Let's Encrypt uses the ACME protocol to verify control of a domain and to issue certificates. LE lists many ACME client implementations here: https://letsencrypt.org/docs/client-options/. The LE site recommends using certbot (https://certbot.eff.org) for the task.

However, for me there was a little too much magic going on, at least for my initial use; I wanted to understand exactly what was taking place. I wanted to find an approach that:

  • Did not require use of a web interface.
  • Did not hide any steps in the process.
  • Supported a form of domain ownership verification that did not require email (i.e., verification via possession of a prior key, DNS, or HTTP).

I decided to use Google's acme tool, which strangely isn't mentioned on the LE client list. You can get it here: https://github.com/google/acme. These are my notes about using Google's acme client. (Note that Let's Encrypt has since retired its original ACME v1 API; whichever client you pick today needs to speak ACME v2, RFC 8555.)

Steps

The steps necessary to obtain and test an LE certificate manually can be performed on any machine on which acme and openssl are present. Because the DNS challenge is used below, that machine does not need to be the web server that will eventually serve the certificate.

  • Create a private key for your ACME account

    $ mkdir -p ~/.config/acme
    $ openssl genrsa -out ~/.config/acme/account.key 2048
    
  • Register an account with LE using that key. The account key signs every later request to LE, so keep it readable only by your own user.

    $ acme reg -gen -accept mailto:you@youremaildomain.com
    
  • Generate a private key for your certificate (optional)

    By default, acme generates an ECDSA private key for the certificate. ECDSA certificates are not supported by the Amazon AWS API Gateway (at least at the time of writing), so we take the extra step of creating a 2048-bit RSA key, which AWS does support. $CERTSDIR is an arbitrary directory in which you wish to keep the credentials.

    $ cd $CERTSDIR
    $ openssl genrsa -out mydomain.com.key 2048
    
  • Request a new certificate for your domain

    $ cd $CERTSDIR
    $ acme cert -k mydomain.com.key -dns=true mydomain.com
    

    This will prompt you to create a DNS TXT record for mydomain.com (under the name _acme-challenge.mydomain.com) with a specified value. Create the record and wait for it to propagate; before pressing enter, query the record from a resolver other than your own authoritative server, since LE will look it up from the outside. After you press enter, the new LE-issued certificate is downloaded to mydomain.com.pem. A URL is also printed from which it can be fetched again.

    mydomain.com.pem contains both the certificate for mydomain.com and the LE intermediate certificate; the private key stays in mydomain.com.key and is not part of this file. The site's certificate is the first entry in the file; the intermediate certificate is the second. I saved the two certificates as mydomain.com.crt and intermediate.crt, respectively.

  • Verify the certificate

    Before installing the certificates, I wanted to ensure they were working.
    The following Stack Overflow question had a useful tip on verification: http://stackoverflow.com/questions/19089644

    • Start an openssl SSL server for testing:

      $ openssl s_server -accept 8080 -www -cert mydomain.com.crt \
                -key mydomain.com.key -CAfile intermediate.crt
      
    • Start an openssl client:

      $ openssl s_client -connect localhost:8080 -showcerts \
                -CAfile intermediate.crt
      

    The client output will tell you whether the certificates are valid: look for "Verify return code: 0 (ok)" near the end, and check that the leaf certificate is the first one printed by -showcerts. One caveat: with only intermediate.crt passed as -CAfile, the client has no self-signed root to anchor the chain, so openssl reports a missing-issuer verify error unless you also pass -partial_chain (OpenSSL 1.0.2 and later) or drop -CAfile so the system trust store is used. For a real LE certificate the latter is the more meaningful test, since it is what browsers do.
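    The split-and-check part of the procedure above, as an added example that is not code from the original post or from google/acme. Talking to LE needs DNS and network access, so the script first fabricates a root, an intermediate and a leaf with openssl (the CA names, the ca/ paths, the 30-day validity and the mydomain.com name are all constructed for the example) and writes them as a bundle in the same layout as mydomain.com.pem. It then splits the bundle into mydomain.com.crt and intermediate.crt, checks that the private key belongs to the leaf, and verifies the chain for the expected hostname, which is what the s_server/s_client exchange is really testing.

```shell
#!/bin/sh
# Added example, not code from the original post or from google/acme.
# Everything under ca/ is a constructed stand-in for the Let's Encrypt side.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
mkdir ca

# --- constructed issuer side: a fake root and a fake intermediate ---
openssl genrsa -out ca/root.key 2048 2>/dev/null
openssl req -x509 -new -key ca/root.key -subj "/CN=Example Fake Root" \
    -days 30 -out ca/root.crt
openssl genrsa -out ca/intermediate.key 2048 2>/dev/null
openssl req -new -key ca/intermediate.key -subj "/CN=Example Fake Intermediate" \
    -out ca/intermediate.csr
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca/int.ext
openssl x509 -req -in ca/intermediate.csr -CA ca/root.crt -CAkey ca/root.key \
    -CAcreateserial -days 30 -extfile ca/int.ext -out ca/intermediate.crt 2>/dev/null

# --- what the steps in the post leave you with: an RSA key and a leaf
#     issued by the intermediate, delivered as one PEM bundle (leaf first) ---
openssl genrsa -out mydomain.com.key 2048 2>/dev/null
openssl req -new -key mydomain.com.key -subj "/CN=mydomain.com" -out mydomain.com.csr
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mydomain.com\n' > ca/leaf.ext
openssl x509 -req -in mydomain.com.csr -CA ca/intermediate.crt -CAkey ca/intermediate.key \
    -CAcreateserial -days 30 -extfile ca/leaf.ext -out ca/issued.crt 2>/dev/null
cat ca/issued.crt ca/intermediate.crt > mydomain.com.pem

# Number of PEM certificates in a bundle (0 rather than a grep failure if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_bundle BUNDLE LEAF CHAIN: the first certificate goes to LEAF, every
# later one (the intermediate, or several of them) is appended to CHAIN.
split_bundle() {
    awk -v leaf="$2" -v chain="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf; next }
        n >= 2 { print > chain }
    ' "$1"
}

# key_matches_cert KEY CERT: does the private key belong to the certificate?
# Both sides are reduced to the same SubjectPublicKeyInfo PEM, so this works
# for ECDSA keys too, unlike the RSA-only "compare the modulus" trick.
key_matches_cert() {
    kf=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cf=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$kf" = "$cf" ]
}

# chain_ok ROOTS CHAIN LEAF HOSTNAME: build a path from LEAF through the
# untrusted CHAIN to a trusted root in ROOTS and check HOSTNAME against it.
# For a real certificate, ROOTS is the system trust store.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1
}

# --- the checks a practitioner runs on the downloaded bundle ---
split_bundle mydomain.com.pem mydomain.com.crt intermediate.crt
echo "certificates in bundle: $(count_certs mydomain.com.pem)"
if key_matches_cert mydomain.com.key mydomain.com.crt; then
    echo "mydomain.com.key matches mydomain.com.crt"
else
    echo "KEY MISMATCH: mydomain.com.key is not the key for mydomain.com.crt" >&2
    exit 1
fi
if chain_ok ca/root.crt intermediate.crt mydomain.com.crt mydomain.com; then
    echo "chain verifies and certificate is valid for mydomain.com"
else
    echo "CHAIN VERIFICATION FAILED" >&2
    exit 1
fi
```

    With a real certificate, skip the fabricated ca/ block: run split_bundle on the mydomain.com.pem that acme wrote, then call chain_ok with the system root store as the first argument (for example /etc/ssl/certs/ca-certificates.crt on Debian-derived systems). A hostname mismatch or a missing intermediate makes chain_ok fail, which is exactly the failure the s_client test is meant to surface before the certificate goes into production.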

Other

I did not conduct an exhaustive search, but I didn't find any ACME clients that support providing the existing private key as proof of ownership.