Certificates with Letsencrypt
To generate the certificates for clients that use letsencrypt:
Gather valid certificate(s) for the domain(s), and verify that the private key matches the certificate. We have followed several scenarios with the current prospectors and customers:
Collect the certificates and the private key directly from the e-commerce.
Export the certificate using the browser with the original website if what the customer provided to us is somehow wrong, and for instance what they consider are the certificates and the private key does not match.
Generate the certificates with the sc_pack.
You can use these commands to verify the match:
$ openssl rsa -modulus -noout -in privkey.pem | openssl md5 (stdin)= 94046b8a7c60fed8c5937a828e28b54d $ openssl x509 -modulus -noout -in cert.pem | openssl md5 (stdin)= 94046b8a7c60fed8c5937a828e28b54d
If the hashes match then everything is ok, and you can continue with the points below.
Find the Letsencrypt intermediate certificate. You can find it on the letsencrypt website https://letsencrypt.org/certificates/.
Concatenate the certificate on the step 1 with the intermediate on the step 2, and name it
cert.pemfor instance. Have into account that the intermediate should be the last one.
Put the concatenated one
privkey.pemon the same folder, for instance:
Prepare an environment with the sc_pack, let's say on
/home/guest/certs, where the
devlove.yamlcontains the domain
Run the command
sc_pack import_certbot_certificates --certbot_certs_root_directory /home/guest/certs(the directory should be exactly the root directory of the directory with the same name as the domain, or where are all the domains).
Find the generated certificates under:
/home/guest/certs/shimmercat-scratch-folder/sni-certs/www.test.com, you should have there two files:
If you didn't run it on the same server where the domains are installed then copy the certificates to the sc_pack where the domain is deployed under e.g
Verify the installed certificates with openssl, remember to replace the command with your url and IP:
$ openssl s_client -servername www.test.com -connect 220.127.116.11:443 -showcerts CONNECTED(00000003) write:errno=0 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 315 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.3 Cipher : 0000 Session-ID: Session-ID-ctx: Resumption PSK: PSK identity: None PSK identity hint: None SRP username: None Start Time: 1560875388 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0