8. Certificates with Let’s Encrypt
To prepare certificates issued by Let’s Encrypt for a domain served by sc_pack:

1. Gather the valid certificate(s) for the domain(s) and verify that the private key (privkey.pem) matches the certificate (cert.pem). For an RSA key, compare the modulus of the key with the modulus in the certificate:

$ openssl rsa -modulus -noout -in privkey.pem | openssl md5
(stdin)= 94046b8a7c60fed8c5937a828e28b54d
$ openssl x509 -modulus -noout -in cert.pem | openssl md5
(stdin)= 94046b8a7c60fed8c5937a828e28b54d

If the two hashes are equal, the key and the certificate belong together and you can continue with the steps below. If they differ, stop: the server would fail its TLS handshake with this pair. Note that openssl rsa reads only RSA keys; Let’s Encrypt also issues certificates for ECDSA keys, and for those the modulus check fails with an error. A check that works for both key types is to compare the public keys directly, i.e. the output of openssl pkey -in privkey.pem -pubout with the output of openssl x509 -in cert.pem -pubkey -noout, which must be identical.
2. Find the Let’s Encrypt intermediate certificate that signed your certificate. The intermediates are published at https://letsencrypt.org/certificates/. Pick the one whose subject matches the issuer field of your certificate: Let’s Encrypt rotates its intermediates, and a certificate only chains correctly through the intermediate that actually signed it. If the certificate was obtained with certbot, the intermediate is already available as chain.pem (and cert.pem plus chain.pem as fullchain.pem) next to cert.pem and privkey.pem in certbot’s live directory for the domain.
3. Concatenate the certificate obtained for the domain in step 1 with the intermediate certificate provided by the CA (Let’s Encrypt) in step 2, and save the concatenated file as cert.pem. The order matters: the domain certificate comes first and the intermediate last, because a TLS client takes the first certificate in the file as the server certificate. The resulting file will look something like below:

-----BEGIN CERTIFICATE-----
MIIDnDCCAoSgAwIBAgIBDT...
...etc
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...etc
...8tY2Y5VAczOl7IE6L9gT1g==
-----END CERTIFICATE-----
4. Put the concatenated cert.pem and the privkey.pem in the same folder, named after the domain, for instance /home/guest/certs/www.test.com.

5. Prepare an environment with sc_pack, for example in /home/guest/certs, where the devlove.yaml contains the domain www.test.com.

6. Run the command

sc_pack import_certbot_certificates --certbot_certs_root_directory /home/guest/certs

--certbot_certs_root_directory must point to the directory that contains the per-domain directories (here /home/guest/certs, which contains www.test.com), not to the domain directory itself; one root directory can hold the directories of several domains.

7. Find the generated certificates under /home/guest/certs/shimmercat-scratch-folder/sni-certs/www.test.com. You should have two files there: cert.pem and privkey.unencrypted-pkcs8.pem. If you did not run the import on the server where the domain is deployed, copy both files to the sc_pack on that server, under the same relative path, e.g. shimmercat-scratch-folder/sni-certs/www.test.com. The key file is unencrypted, so copy it over an authenticated channel such as scp and keep it readable only by the user the server runs as.
8. Verify the installed certificates with openssl s_client, replacing the host name and IP in the command with your own. Keep the -servername option: the certificates live under sni-certs, i.e. they are selected by the server name the client sends, so test with the exact domain you configured. On a working installation the output contains a "Certificate chain" section listing the domain certificate (s:CN = www.test.com) followed by the Let’s Encrypt intermediate, the PEM blocks themselves (because of -showcerts), a negotiated cipher, and "Verify return code: 0 (ok)" at the end. The transcript below is what a failed connection looks like, not a successful verification: "write:errno=0", "no peer certificate available", "Cipher is (NONE)" and "SSL handshake has read 0 bytes" mean the server closed the connection before sending any certificate, and in that case the "Verification: OK" and "Verify return code: 0 (ok)" lines are meaningless because nothing was verified. If you see this, check that both files are in place under the directory named after the domain, that the directory name matches the server name you pass with -servername, and that the server is actually listening on port 443 at that IP.
$ openssl s_client -servername www.test.com -connect 168.52.94.245:443 -showcerts
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 315 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Resumption PSK:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1560875388
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
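The checks behind steps 1 to 3 and 8, as an added example that is not part of sc_pack or the ShimmerCat documentation. It assumes openssl 1.1.1 or later on the PATH; the function names, the file names and the constructed root/intermediate/leaf test PKI are assumptions, and the sc_pack import step itself is not reproduced. Unlike the modulus check above, the key/certificate comparison works for ECDSA keys too, and the chain check catches a wrongly ordered file (intermediate first) as well as a missing intermediate.

```sh
#!/bin/sh
# Added example, not part of sc_pack or the ShimmerCat documentation: the checks behind
# steps 1 to 3 and 8 as shell functions, plus a constructed root -> intermediate -> leaf
# PKI so they can be exercised offline. File and function names are assumptions.
set -eu

# Step 1, key/certificate match. Hashes the DER-encoded public key taken from the
# private key and from the certificate; unlike "openssl rsa -modulus" this also
# works for the ECDSA keys Let's Encrypt supports. Succeeds only if they are equal.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$key_pub" = "$cert_pub" ]
}

# Step 3, build the combined file: domain certificate first, intermediate last.
build_chain() {
  cat "$1" "$2" > "$3"
}

# Check the combined file: openssl verify validates only the first certificate in a
# file, so passing the same file again as -untrusted makes the intermediate(s) behind
# it available for path building. $2 is an optional trust anchor for the offline test;
# for a real Let's Encrypt chain omit it and the system trust store is used instead.
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null
  else
    openssl verify -untrusted "$1" "$1" >/dev/null
  fi
}

# Step 8, what the server actually sends (needs network, so not exercised offline):
# prints subject/issuer of every certificate in the presented chain and the verify
# result, so a missing intermediate or a closed connection is obvious at a glance.
served_chain() {
  openssl s_client -servername "$1" -connect "$2:443" -showcerts </dev/null 2>/dev/null |
    grep -E '^ *[0-9]+ s:|^ *i:|^Verify return code|^no peer certificate'
}

# Constructed test PKI in directory $1: an RSA root, an RSA intermediate and an ECDSA
# leaf for www.test.com (root.pem, int.pem, cert.pem, privkey.pem).
make_test_pki() {
  d=$1
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/int.ext"
  openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/int.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=www.test.com" -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.test.com\n' > "$d/leaf.ext"
  openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/cert.pem" 2>/dev/null
}

# Usage with real files: sh check_chain.sh privkey.pem cert.pem intermediate.pem
# Writes fullcert.pem (the file to install as cert.pem) only if every check passes.
if [ "$#" -eq 3 ]; then
  key_matches_cert "$1" "$2" || { echo "$1 does not match $2" >&2; exit 1; }
  build_chain "$2" "$3" fullcert.pem
  verify_chain fullcert.pem || { echo "fullcert.pem does not chain to a trusted root" >&2; exit 1; }
  echo "fullcert.pem is ready: install it as cert.pem next to $1"
fi
```

Because the key check reads the first certificate of whatever file it is given, running key_matches_cert against the concatenated file doubles as an order check: it passes only when the domain certificate is first. served_chain is the same s_client call as in step 8, reduced to the lines worth reading.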