
Certificates with Letsencrypt

To generate the certificates for clients that use letsencrypt:

  • Gather valid certificate(s) for the domain(s), and verify that the private key matches the certificate. We have seen several scenarios with current prospects and customers:

    • Collect the certificates and the private key directly from the customer's e-commerce site.

    • Export the certificate from the original website using the browser, when what the customer provided is somehow wrong, for instance when what they consider to be the certificate and the private key do not match.

    • Buy certificates.

    • Generate the certificates with sc_pack.

You can use these commands to verify the match (the modulus hash of the private key and the one of the certificate must be identical):

$ openssl rsa -modulus -noout -in privkey.pem | openssl md5
(stdin)= 94046b8a7c60fed8c5937a828e28b54d

$ openssl x509 -modulus -noout -in cert.pem | openssl md5
(stdin)= 94046b8a7c60fed8c5937a828e28b54d

If the hashes match then everything is ok, and you can continue with the steps below.

  1. Find the Letsencrypt intermediate certificate. You can download it from the Letsencrypt website.

  2. Concatenate the domain certificate with the intermediate from step 1, and name the result cert.pem for instance. Take into account that the intermediate must be the last one in the file.

  3. Put the concatenated cert.pem and the privkey.pem in the same folder, for instance: /home/guest/certs/

  4. Prepare an environment with sc_pack, let's say in /home/guest/certs, where the devlove.yaml contains the domain.

  5. Run the command sc_pack import_certbot_certificates --certbot_certs_root_directory /home/guest/certs (the directory given must be exactly the parent of the directory named after the domain, or the parent of all the domain directories).

  6. Find the generated certificates under /home/guest/certs/shimmercat-scratch-folder/sni-certs/; you should have two files there: cert.pem and privkey.unencrypted-pkcs8.pem.

  7. If you didn't run it on the same server where the domain is installed, copy the certificates to the sc_pack where the domain is deployed, e.g. under shimmercat-scratch-folder/sni-certs/

  8. Verify the installed certificates with openssl, replacing the placeholders with your domain and the server IP, and check that the Verify return code is 0 (ok):

$ openssl s_client -servername <your-domain> -connect <server-ip>:443 -showcerts

no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 315 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
   Protocol  : TLSv1.3
   Cipher    : 0000
   Resumption PSK:
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   Start Time: 1560875388
   Timeout   : 7200 (sec)
   Verify return code: 0 (ok)
   Extended master secret: no
   Max Early Data: 0
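The two checks from the procedure above, the private key matching the certificate and the concatenated cert.pem ending with the intermediate (steps 2 and 3), as an added example script that is not part of sc_pack or its documentation. It compares public keys instead of the RSA modulus so it also works for ECDSA keys, and assumes the directory layout privkey.pem plus cert.pem described on this page.

```shell
#!/bin/sh
# Added example, not part of the sc_pack docs: pre-flight checks on a
# certificate directory before running sc_pack import_certbot_certificates.
# Assumes $DIR/cert.pem (leaf first, intermediate last) and $DIR/privkey.pem.

# Exit 0 when the private key belongs to the leaf certificate. Comparing the
# public keys rather than the RSA modulus makes this work for ECDSA keys too.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Number of PEM certificates in a bundle file.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Print the n-th certificate (1-based) of a PEM bundle.
nth_cert() {
    awk -v n="$2" '/BEGIN CERTIFICATE/ { i++ } i == n { print }' "$1"
}

# Exit 0 when the bundle is ordered leaf first and every certificate is
# issued by the one that follows it, i.e. the intermediate comes last.
chain_order_ok() {
    n=$(cert_count "$1")
    [ "$n" -ge 2 ] || return 1
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer_hash)
        subject=$(nth_cert "$1" "$((i + 1))" | openssl x509 -noout -subject_hash)
        [ "$issuer" = "$subject" ] || return 1
        i=$((i + 1))
    done
}

# Run both checks on a directory and print a verdict.
check_cert_dir() {
    key_matches_cert "$1/privkey.pem" "$1/cert.pem" || { echo "key/cert: MISMATCH"; return 1; }
    chain_order_ok "$1/cert.pem" || { echo "chain order: WRONG (intermediate must be last)"; return 1; }
    echo "ok: key matches cert, chain ordered leaf first, intermediate last"
}

# Usage: sh check_certs.sh /home/guest/certs
if [ "$#" -eq 1 ]; then check_cert_dir "$1"; fi
```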