Create Let’s Encrypt certificates manually

This was the week I’ve been waiting for. After my webspace was running on a old DOMAINbox system, Host Europe moved my existing webspace to a new platform to finish the integration of
the existing DOMAINbox customers. I had to fix ehmm reconfigure my website to work again. While this I’ve get used to “KIS”. It’s Host Europes management portal. I found a option that will allow me to installl my own SSL certificate. Hell yeah I could buy a certificate from Host Europe but I’ve heard about Let’s Encrypt, where I can get certificates for free. I liked the idea behind this project and decided to test it.

Foundation of this project is the Certbot. Its a program which has implemented the ACME protocol to automate the creation of certificates. Certbot creates crypto files with crypto filecontent to make sure that you have access to server. The Let’s Encrypt system will check this files and creates the certificates.

In my basic webhosting package I have no shell access and cannot run Certbot. This is the reason why I need to invest a little more work. I installed Certbot on my MacOS Sierra. The additional steps in this setup are creating verification files by myself and install later the certificate on my webspace. I have not found a good tutorial how to do this and now you read one.

First of all I need to install Xcode on my Mac, if it is not already installed. You can download Xcode from Apples App Store (Click here). After installing Xcode you need to accept the license agreement. You can start the Xcode program or just use this little command in a terminal:

sudo xcodebuild -license accept

Certbot for MacOS was packaged via Homebrew. In this step wie will install Homebrew. This can be done via this command:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Now we can install Certbot with this command:

brew install certbot

Now the preparations are done. The needed software is on my Mac and we can start to create the certificates. You need to specify several parameters. One certificate can be used for several domains. With parameter “-d” I’ve added my domain with and without www in front. This and all following steps can be done on other platforms e.g. LInux, too.:

sudo certbot certonly --manual -d horstmann.in -d www.horstmann.in --manual-public-ip-logging-ok

Performing the following challenges:
 http-01 challenge for horstmann.in
 http-01 challenge for www.horstmann.in
 -------------------------------------------------------------------------------

For each domain, I’ve added, the Certbot showed me an filename and filecontent we needed to create on our webserver to show that the system is under my control. I’ve created this files via FTP client:

Make sure your web server displays the following content at
https://horstmann.in/.well-known/acme-challenge/Fzxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0 before continuing:
FzfxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxU
Press Enter to Continue 

After this is done, we need to press “Enter”. We get this dialog for every domain added via “-d”. In the next step the files will be checked and if everything is checked Let’s Encrypt will generate our certificate.

Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/horstmann.in/fullchain.pem. Your cert will
   expire on 2017-04-28. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now we can find our certificates in the folder /etc/letsencrypt . This folder is not accessable via normal user. I have copied and changed ownership of the files to my user to access this files. Here are my steps i’ve done:

sudo cp -r /etc/letsencrypt/ /Users/marco/Documents/sslcert
cd /Users/marco/Documents/sslcert
sudo chown marco *

OK, next step is to add my certificate in my webspace configuration. As a Host Europe customer I have an administration console called KIS. I selected to install the certificate to my domain. As certificate I used “live/horstmann.in/fullchain.pem”. As private key I used the file “live/horstmann.in/privkey.pem”. Password and CA are optional. I installed at the CA the intermediate certificate. I have done this only to be sure that it works. But it should work without it.