I finally decided to update a few sites to use Let's Encrypt (LE) for SSL certificates. These are my notes about using a nuts-and-bolts / low-level method of doing this that doesn't involve automation.
At its heart, Let's Encrypt uses the ACME protocol for verifying domain ownership and generating certificates. LE lists many ACME client implementations here: https://letsencrypt.org/docs/client-options/. The LE site recommends using Certbot (https://certbot.eff.org) for the task.
However, for me, there was a little too much magic going on -- at least for my initial use -- and I wanted to understand exactly what was taking place. I wanted to find an approach that:
- Did not require use of a web interface.
- Did not hide any steps in the process.
- Supported a form of domain ownership verification that did not require email (i.e., verification via possession of a prior key, DNS, or HTTP was supported).
I decided to use Google's tool, acme, which strangely isn't mentioned on the EFF site. You can get it here: https://github.com/google/acme. These are my notes about using Google's acme.
The steps necessary to obtain and test a LE certificate manually can be performed on any machine on which acme and openssl are present.
Create a private account key for the user

$ mkdir -p ~/.config/acme
$ openssl genrsa -out ~/.config/acme/account.key 2048
Register the user's account with LE

$ acme reg -gen -accept mailto:firstname.lastname@example.org
Generate a private key for your certificate (optional)

acme will create a private key using the ECDSA algorithm; however, this format is not supported by the Amazon AWS API Gateway. Therefore, we'll take the extra step of creating a 2048-bit RSA key, which AWS does support.

$CERTSDIR is an arbitrary directory in which you wish to place the credentials.

$ cd $CERTSDIR
$ openssl genrsa -out mydomain.com.key 2048
Request a new certificate for your domain

$ cd $CERTSDIR
$ acme cert -k mydomain.com.key -dns=true mydomain.com
This will prompt you to create a DNS TXT record for mydomain.com with a specified value. Create the record and wait for it to propagate. After propagation, press enter and the new LE-issued certificate will be downloaded to mydomain.com.pem. A URL will also be provided from which it can be downloaded.

mydomain.com.pem will contain both the certificate for mydomain.com and the LE intermediate certificate. The site's certificate is the first entity in the file; the intermediate certificate is the second. I saved the certificates in
Verify the certificate
Before installing the certificates, I wanted to ensure they were working.
The following link had a useful tip on verification: http://stackoverflow.com/questions/19089644
Start an openssl SSL server for testing:

$ openssl s_server -accept 8080 -www -cert mydomain.com.crt \
    -key mydomain.com.key -CAfile intermediate.crt

Start an openssl client:

$ openssl s_client -connect localhost:8080 -showcerts \
    -CAfile intermediate.crt
The client output will tell you if the certificates are valid or if there are problems.
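As an added example that is not part of the original notes, the following POSIX shell script runs the same pre-installation checks offline: it splits the bundle laid out as described above (site certificate first, intermediate second), verifies the leaf against the intermediate, confirms the private key matches the certificate, and checks that the certificate has not expired. It assumes an OpenSSL 1.1 or newer command-line tool; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes: pre-installation checks for a
# Let's Encrypt bundle laid out as described above (site certificate first,
# intermediate second). Assumes an OpenSSL 1.1+ CLI; file names are placeholders.
set -eu

# Split a two-certificate PEM bundle into separate leaf and intermediate files.
split_bundle() {
  awk -v leaf="$2" -v inter="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > leaf }
    n == 2 { print > inter }' "$1"
}

# Hex SHA-256 of a DER-encoded public key, read as PEM from stdin.
pub_digest() { openssl pkey -pubin -outform DER | openssl dgst -sha256; }

# check_cert BUNDLE KEY: succeed only if the leaf chains to the intermediate,
# the private key matches the leaf, and the leaf has not already expired.
check_cert() {
  bundle=$1; key=$2
  tmp=$(mktemp -d); rc=0
  split_bundle "$bundle" "$tmp/leaf.pem" "$tmp/inter.pem"
  # -partial_chain lets the intermediate act as the trust anchor, which is
  # what -CAfile intermediate.crt in the s_server/s_client test relies on.
  openssl verify -partial_chain -CAfile "$tmp/inter.pem" "$tmp/leaf.pem" >/dev/null 2>&1 \
    || { echo "chain verification failed" >&2; rc=1; }
  # Comparing whole public keys (not RSA moduli) also covers acme's ECDSA keys.
  cert_pub=$(openssl x509 -in "$tmp/leaf.pem" -pubkey -noout | pub_digest)
  key_pub=$(openssl pkey -in "$key" -pubout | pub_digest)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate" >&2; rc=1; }
  # -checkend 0 fails if the certificate's notAfter is already in the past.
  openssl x509 -in "$tmp/leaf.pem" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired" >&2; rc=1; }
  rm -rf "$tmp"
  return $rc
}
```

Run it as `check_cert mydomain.com.pem mydomain.com.key`; a non-zero exit and a message on stderr mean the bundle should not be installed yet.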
I did not conduct an exhaustive search, but I didn't find any ACME clients that support providing the existing private key as proof of ownership.