Let's Encrypt: The Manual Certificate

2 May, 2016
In this post I'll address one specific task: obtaining a manual certificate from Let's Encrypt.

Who is this for?

If you don't have direct command line access, or the necessary permissions to install Let's Encrypt on your webserver, then you won't be able to obtain a certificate using the automated process.
If you can install Let's Encrypt on your webserver, you should. It simplifies the process down to a single command. You'll also enjoy the benefit of being able to set up an auto-renew process directly on the machine serving the certificate.

The process

I'll detail this on OS X, but the commands used should be identical on a Linux machine, and very similar on Windows.
First you'll need to download Let's Encrypt, as detailed on their own guide page.
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Now initiate the manual process by asking for certonly (i.e. don't also install on current machine), with the manual flag (to verify ownership yourself).
./letsencrypt-auto certonly --manual
You'll be asked for your account password so Let's Encrypt can run with root privileges. If all goes well you'll see the following screen.
Obviously, use your own domain here (remembering to include the www subdomain, and any others you'll need).
You'll then be informed that your current IP address will be publicly logged. If you're okay with that proceed.
You'll then be greeted with the information required to verify ownership of the domain (this will have to be done for each domain/subdomain you requested a certificate for).
The task here is to have the URL specified display the content shown immediately below it. I use git to interact with my webserver, so I am able to make changes on my local machine and push them up to the server. That said, the process I detail is by no means the only way to get this done; indeed, not having a fixed procedure is the very point of manual mode. The important part is that you need to have a specific URL display specific content.
In my local directory I created the beginning of this URL path.
mkdir .well-known
cd .well-known
mkdir acme-challenge
cd acme-challenge
From here, and for each subsequent challenge, I ran the following (replacing the details each time with those of the respective challenge).
Create a directory for the last part of the path Let's Encrypt will look at, and navigate into it.
mkdir OKfgdjplyFseNO_UL9dAzEPAWRMc9S635dPkhiDuBeU
cd OKfgdjplyFseNO_UL9dAzEPAWRMc9S635dPkhiDuBeU
Then I used nano to create an index.php (which will be called when the root of the directory is requested). In this file I set the content to be displayed, and the content-type header to JSON, which appeared to be required.
Edit, 22 Jul, 2016: the content-type header is not required.
Here's that index.php file
<?php
// Content-Type header as originally used; per the edit above it is not required.
header('Content-Type: application/jose+json');
// The exact key authorization (token.thumbprint) shown by letsencrypt-auto for this challenge.
echo "OKfgdjplyFseNO_UL9dAzEPAWRMc9S635dPkhiDuBeU.mbZQ2fFPREisO2DnUXODCju-2hUWFUFHqgzO9MeBIH4";
?>
From here I simply pushed the changes live via git, and copy-pasted the URL specified by Let's Encrypt into the browser to verify everything was being returned correctly.
Once that was verified, I finally hit enter within the Let's Encrypt window and repeated the same process to verify the domain (without www).
If all went well, a success message should appear indicating you've authenticated ownership of the domains.
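As an added example (not code from the original post), here is a small POSIX shell script that does the steps above for each challenge: it builds the .well-known/acme-challenge/<token>/index.php response from the key authorization string letsencrypt-auto prints, refuses anything that is not plain base64url before using it as a path component, and then checks the live URL byte-for-byte the way the validator will. The web root, domain and key authorization values are assumptions/placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the challenge response the
# way the post does (a directory named after the token holding an index.php
# that echoes the key authorization) and checks what the server returns.
# Assumes $WEBROOT is your site checkout and that the host serves index.php
# for a directory request; the key authorization values are constructed samples.
set -eu

# ACME tokens and thumbprints are base64url without padding. Refuse anything
# else before the token becomes a path component (no "/", "..", spaces, quotes).
is_base64url() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# write_challenge WEBROOT KEYAUTH -> prints the path of the index.php written.
# KEYAUTH is the "<token>.<thumbprint>" string shown by letsencrypt-auto.
write_challenge() {
    webroot="$1"; keyauth="$2"
    token="${keyauth%%.*}"; thumb="${keyauth#*.}"
    if [ "$keyauth" != "$token.$thumb" ] ||
       ! is_base64url "$token" || ! is_base64url "$thumb"; then
        echo "malformed key authorization: $keyauth" >&2
        return 1
    fi
    dir="$webroot/.well-known/acme-challenge/$token"
    mkdir -p "$dir"
    # No Content-Type header: as the post's edit notes, it is not required.
    printf '<?php\necho "%s";\n' "$keyauth" > "$dir/index.php"
    echo "$dir/index.php"
}

# check_served DOMAIN KEYAUTH: after pushing, fetch the URL Let's Encrypt will
# request and compare the body byte-for-byte with the key authorization.
check_served() {
    domain="$1"; keyauth="$2"
    token="${keyauth%%.*}"
    body=$(curl -fsS "http://$domain/.well-known/acme-challenge/$token") || return 1
    [ "$body" = "$keyauth" ]
}

# Usage (constructed values):
# write_challenge "$WEBROOT" "TOKEN.THUMBPRINT" && git add -A && git commit -m "acme" && git push
# check_served www.example.com "TOKEN.THUMBPRINT" && echo "ready: press Enter in letsencrypt-auto"
```

A plain static file named after the token with the same body works just as well on hosts that serve static files; the directory-plus-index.php form is only needed where PHP is the easiest way to control the response.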
If you need a certificate.pfx to upload, then you'll need to create one with OpenSSL. Navigate to the directory Let's Encrypt told you about. The directory and the files in it were probably created with root-only access, so you may need to do this from a root shell (sudo -s) first; note that prefixing cd itself with sudo does not work, since cd is a shell builtin.
cd /etc/letsencrypt/live/www.aidanwoods.com/
Then create a certificate with OpenSSL as follows (the private key file Let's Encrypt writes is named privkey.pem)
sudo openssl pkcs12 -export -out "certificate.pfx" -inkey "privkey.pem" -in "cert.pem" -certfile "chain.pem"
You'll be prompted to create a password for the certificate. Once you've chosen one, you'll find a certificate.pfx file in that same directory ready to use on your webserver.
For me in Azure, it was just a case of uploading the certificate, and assigning it to both the www and 'naked' domain on my website.

Contact

Questions, clarifications, corrections? Contact me on Twitter @aidantwoods