Let's Encrypt: The Manual Certificate

1 May 2016

In this post I'll address one specific task: obtaining a manual certificate from Let's Encrypt.

Who is this for?

If you don't have direct command line access, or the necessary permissions to install Let's Encrypt on your webserver; then you won't be able to obtain a certificate using the automated process.

If you can install Let's Encrypt on your webserver, you should. It simplifies the process down to a single command. You'll also enjoy the benefits of being able to setup an auto renew process directly on the machine serving the certificate.

The process

I'll detail this on OS X, but the commands used should be identical on a Linux machine, and very similar on Windows.

First you'll need to download Let's Encrypt, as detailed on their own guide page.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Now initiate the manual process by asking for certonly (i.e. don't also install on current machine), with the manual flag (to verify ownership yourself).

./letsencrypt-auto certonly --manual

You'll be asked for your account password so Let's Encrypt can run with root privileges. If all goes well you'll see the following screen.

Obviously, use your own domain here (remembering to include the www subdomain, and any others you'll need).

You'll then be informed that your current IP address will be publicly logged. If you're okay with that proceed.

You'll then be greeted with the information required to verify ownership of the domain (this will have to be done for each domain/subdomain you requested a certificate for).

The task here is to have the URL specified, display the content specified which is immediately below it. I use git to interact with my webserver, so I am able to perform changes on my local machine, and push them up to the server. That said, the process I detail is by no means the only way to get this done, and indeed, not having a fixed procedure is the very point of manual mode. The important part of this is, that you need to have a specific URL display specific content.

In my local directory I created the beginning of this URL path.

mkdir .well-known
cd .well-known
mkdir acme-challenge
cd acme-challenge

From here, and for each subsequent challenge I ran the following (obviously replacing the details each time for each respective challenge).

Create a directory for the last part of the path Let's Encrypt will look at, and navigate into it.

mkdir OKfgdjplyFseNO_UL9dAzEPAWRMc9S635dPkhiDuBeU
cd OKfgdjplyFseNO_UL9dAzEPAWRMc9S635dPkhiDuBeU

Then I used nano to create an index.php (which will be called when the root of the directory is requested). In this file I set the content to be displayed, and the content-type header to JSON – ~~which appears to be required.~~Edit: 22 Jul, 2016: This is not required

Here's that index.php file

<?php
header('Content-Type: application/jose+json');
echo "OKfgdjplyFseNO_UL9dAzEPAWRMc9S635dPkhiDuBeU.mbZQ2fFPREisO2DnUXODCju-2hUWFUFHqgzO9MeBIH4";
?>

From here I simply push the changes live via git, and copy-pasted the URL specified by Let's Encrypt into the browser to verify everything was being returned correctly.

Once that was verified, I finally hit enter within the Let's Encrypt window and repeated the same process to verify the domain (without www).

If all went well, a success message should appear indicating you've authenticated ownership of the domains.

If you need a certificate.pfx to upload, then you'll need to create one with open SSL. Navigate to the directory Let's Encrypt told you about, you may also need to prefix that with sudo – the files were probably created with root only access.

sudo cd /etc/letsencrypt/live/www.aidanwoods.com/

Then create a certificate with open SSL as follows

sudo openssl pkcs12 -export -out “certificate.pfx” -inkey “privacy.pem” -in “cert.pem” -certfile “chain.pem”

You'll be prompted to create a password for the certificate. Once you've chosen one, you'll find a certificate.pfx file in that same directory ready to use on your webserver.

For me in Azure, it was just a case of uploading the certificate, and assigning it to both the www and 'naked' domain on my website.

Contact

Questions, clarifications, corrections? Contact me on Twitter @aidantwoods

CryptoKit compactRepresentation Reduces Elliptic Curve Key-Space

31 May 2022

Prelude

compactRepresentation is a public key output format, made available when using outputting public elliptic curve keys from within Apple's CryptoKit. compactRepresentation is comparable to a "compressed point", where the former is one byte shorter. These two representations are very similar, but not the same...[read more]

Building a WiFi Enabled USB Rubber Ducky with a Raspberry Pi 0 w

16 May 2017

Leveraging the new RPi0w to build a WiFi enabled keystroke injection tool (a.k.a. USB Rubber Ducky with WiFi)...[read more]

Secure Headers for PHP

1 January 2017

Recently I've been working on a drop in class to manage certain "Secure Headers" in PHP.

By "Secure Headers", I'm of course talking about those mentioned in the OWASP Secure Headers Project.

The project, SecureHeaders is available on GitHub.

Why?

If you're familiar with PHP, you'll know that...[read more]

Aidan Woods