EN: Create Let’s Encrypt certificates manually
This was the week I had been waiting for. After my webspace had been running on an old DOMAINbox system, Host Europe moved it to a new platform to finish the integration of the existing DOMAINbox customers. I had to fix, ehmm, reconfigure my website to make it work again. While doing this I got used to “KIS”, Host Europe's management portal. There I found an option that allows me to install my own SSL certificate. Hell yeah, I could buy a certificate from Host Europe, but I had heard about Let’s Encrypt, where I can get certificates for free. I liked the idea behind this project and decided to test it.
The foundation of this project is Certbot, a program that implements the ACME protocol to automate the creation of certificates. To prove that you control the server, Certbot asks you to publish challenge files with specific content on it. The Let’s Encrypt system checks these files and then issues the certificates.
In my basic web hosting package I have no shell access and cannot run Certbot there. That is why I need to invest a little more work: I installed Certbot on my macOS Sierra machine. The additional steps in this setup are creating the verification files myself and installing the certificate on my webspace afterwards. I have not found a good tutorial on how to do this, so here is one.
First of all I need to install Xcode on my Mac, if it is not already installed. You can download Xcode from Apple's App Store. After installing Xcode you need to accept the license agreement. You can start the Xcode program or just use this little command in a terminal:
sudo xcodebuild -license accept
Certbot will be installed with the Homebrew package manager, so install Homebrew next (if it is not already present):
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Now we can install Certbot with this command:
brew install certbot
Now the preparations are done. The needed software is on my Mac and we can start to create the certificates. You need to specify several parameters. One certificate can be used for several domains: with the parameter “-d” I added my domain with and without “www” in front. This and all following steps can be done on other platforms, e.g. Linux, too:
sudo certbot certonly --manual -d horstmann.in -d www.horstmann.in --manual-public-ip-logging-ok

Performing the following challenges:
http-01 challenge for horstmann.in
http-01 challenge for www.horstmann.in
-------------------------------------------------------------------------------
For each domain I added, Certbot showed me a filename and file content that I needed to create on my web server to prove that the system is under my control. I created these files via an FTP client:
Make sure your web server displays the following content at
https://horstmann.in/.well-known/acme-challenge/Fzxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0 before continuing:

FzfxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxU

Press Enter to Continue
After this is done, we press “Enter”. We get this dialog for every domain added via “-d”. In the next step the files are checked, and if everything checks out Let’s Encrypt generates our certificate.
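Before pressing Enter it pays to confirm that the challenge file is really served, because a 404 (some hosts do not serve the hidden .well-known directory by default) or extra whitespace added by the FTP client is the usual reason a validation fails. The following script is an added example, not code from the original post or from Certbot: it parses the prompt text Certbot prints, fetches the challenge URL and compares the body with the expected key authorization; the domain, token and key authorization in PROMPT are made-up placeholders to be replaced with the values from your own run.

```python
import re
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample of certbot's prompt; domain, token and key
# authorization are made-up placeholders, not values from a real run.
PROMPT = """Make sure your web server displays the following content at
http://example.org/.well-known/acme-challenge/tokenAAAA before continuing:

tokenAAAA.thumbprintBBBB
Press Enter to Continue"""

PROMPT_RE = re.compile(
    r"displays the following content at\s+(?P<url>https?://\S+)"
    r"\s+before continuing:\s*(?P<expected>\S+)\s*Press Enter")

def parse_certbot_prompt(text):
    """Return (challenge_url, expected_body) from the manual-mode prompt."""
    m = PROMPT_RE.search(text)
    if not m:
        raise ValueError("text does not look like a certbot http-01 prompt")
    return m.group("url"), m.group("expected")

def check_response(status, body, expected):
    """Judge a fetched challenge like the ACME server: status 200 and body equal
    to the key authorization; trailing whitespace is ignored (RFC 8555 allows it)."""
    if status != 200:
        return False, "HTTP status %s instead of 200 (is .well-known served?)" % status
    if body.rstrip() != expected:
        return False, "body does not equal the expected key authorization"
    if body != expected:
        return True, "matches (trailing whitespace ignored)"
    return True, "matches"

def fetch(url, timeout=10):
    """Fetch the challenge URL and return (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, ""
    except URLError as e:
        return 0, str(e.reason)

if __name__ == "__main__":
    url, expected = parse_certbot_prompt(PROMPT)
    ok, reason = check_response(*fetch(url), expected)
    print(("OK: " if ok else "NOT OK: ") + reason)
    raise SystemExit(0 if ok else 1)
```

Run it once per domain listed with “-d”; only press Enter in Certbot when it reports OK.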
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/horstmann.in/fullchain.pem. Your cert will expire
   on 2017-04-28. To obtain a new or tweaked version of this certificate in
   the future, simply run certbot again. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Now we can find our certificates in the folder /etc/letsencrypt. This folder is not accessible by a normal user, so I copied the files and changed their ownership to my user in order to access them. Here are the steps I ran:
sudo cp -r /etc/letsencrypt/ /Users/marco/Documents/sslcert
cd /Users/marco/Documents/sslcert
sudo chown -R marco *
OK, the next step is to add my certificate to my webspace configuration. As a Host Europe customer I have an administration console called KIS. There I chose to install the certificate for my domain. As the certificate I used “live/horstmann.in/fullchain.pem”, as the private key the file “live/horstmann.in/privkey.pem”. Password and CA are optional; in the CA field I installed the intermediate certificate. I did this only to be sure that it works, but it should work without it.