8. Certificates with Let's Encrypt
To generate the certificates for clients that use Let’s Encrypt:
Gather the valid certificate(s) for the domain(s) and verify that the private key privkey.pem matches the certificate cert.pem. For an RSA key you can compare a hash of the modulus of the two files:

    $ openssl rsa -modulus -noout -in privkey.pem | openssl md5
    (stdin)= 94046b8a7c60fed8c5937a828e28b54d
    $ openssl x509 -modulus -noout -in cert.pem | openssl md5
    (stdin)= 94046b8a7c60fed8c5937a828e28b54d

If the two hashes are identical, the key belongs to the certificate and you can continue with the steps below. Note that openssl rsa -modulus only works for RSA keys; for an ECDSA key compare the public keys instead, i.e. the output of openssl pkey -in privkey.pem -pubout against openssl x509 -in cert.pem -noout -pubkey, which must be identical.
Find the Let's Encrypt intermediate certificate on the Let's Encrypt website, https://letsencrypt.org/certificates/. Pick the intermediate that actually issued your certificate: its subject must match the issuer printed by openssl x509 -noout -issuer -in cert.pem. If the certificate was obtained with certbot, that intermediate is already in the chain.pem stored next to cert.pem, and fullchain.pem is cert.pem and chain.pem already concatenated in the right order.
Concatenate the certificate obtained for the domain (cert.pem) with the intermediate certificate provided by the CA (Let's Encrypt), and save the concatenated file as cert.pem. The order matters: the domain certificate comes first and the intermediate must be the last one. The resulting file will look something like this:

    -----BEGIN CERTIFICATE-----
    MIIDnDCCAoSgAwIBAgIBDT...
    ...etc
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...etc
    ...8tY2Y5VAczOl7IE6L9gT1g==
    -----END CERTIFICATE-----
Put the concatenated cert.pem and the private key privkey.pem in the same folder, for instance:
Prepare an environment with sc_pack, for example in /home/guest/certs, where the devlove.yaml contains the domain.
Run the command

    sc_pack import_certbot_certificates --certbot_certs_root_directory /home/guest/certs

The directory you pass must be exactly the parent of the directory named after the domain (or the directory that holds all the per-domain directories), not the per-domain directory itself.
Find the generated certificates under /home/guest/certs/shimmercat-scratch-folder/sni-certs/www.test.com; you should have two files there:
If you did not run it on the same server where the domains are installed, copy the certificates to the sc_pack where the domain is deployed, under e.g.
Verify the installed certificates with openssl, replacing the server name and IP in the command with your own:

    $ openssl s_client -servername www.test.com -connect 22.214.171.124:443 -showcerts
    CONNECTED(00000003)
    write:errno=0
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 315 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Resumption PSK:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1560875388
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 0

Read the output critically. The capture above is in fact a failed handshake: "no peer certificate available", "SSL handshake has read 0 bytes" and "Cipher is (NONE)" mean the server closed the connection before sending a certificate, and in that situation "Verify return code: 0 (ok)" only says that nothing was checked. A correctly deployed certificate produces, in the same command, the certificate chain itself (one -----BEGIN CERTIFICATE----- block per certificate, the domain certificate first and the intermediate after it, thanks to -showcerts), a non-zero number of bytes read, a negotiated cipher, and "Verify return code: 0 (ok)" all together. Any other verify return code means the chain is not being served correctly; a missing intermediate, for example, shows up as code 21, "unable to verify the first certificate".
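The two local checks this procedure relies on, that privkey.pem belongs to cert.pem and that the concatenated cert.pem is ordered domain certificate first and intermediate last, can be scripted so they run before sc_pack import_certbot_certificates is invoked. The script below is an added example and is not code from the sc_pack or ShimmerCat documentation; it assumes only the openssl CLI, the function names (key_matches_cert, bundle_is_ordered, split_bundle, make_fixture) are this example's own, and make_fixture builds a constructed throwaway root / intermediate / leaf chain purely to exercise the checks. It goes beyond the page's RSA-modulus recipe by comparing public keys, which also works for the ECDSA keys certbot issues.

```shell
#!/bin/sh
# Added example, not code from the sc_pack/ShimmerCat documentation: pre-flight
# checks for a certbot-style privkey.pem / cert.pem pair before handing them to
# sc_pack. Needs only the openssl CLI. All function names are this example's own.
set -u

# Check 1: does privkey.pem belong to cert.pem?
# Comparing the public keys (SubjectPublicKeyInfo PEM) works for RSA and ECDSA
# alike; "openssl rsa -modulus" works for RSA keys only.
key_matches_cert() {   # usage: key_matches_cert privkey.pem cert.pem
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Check 2: is the bundle ordered leaf first, intermediate last, and does each
# certificate really issue the one before it? Split the PEM bundle into one
# file per certificate and require issuer(N) == subject(N+1) down the chain.
split_bundle() {   # usage: split_bundle bundle.pem outdir  (writes outdir/cert-1.pem, cert-2.pem, ...)
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        n { print > f }
        /-----END CERTIFICATE-----/ { close(f) }' "$1"
}

bundle_is_ordered() {   # usage: bundle_is_ordered cert.pem  (leaf + at least one intermediate)
    dir=$(mktemp -d) || return 1
    split_bundle "$1" "$dir"
    count=0
    for f in "$dir"/cert-*.pem; do [ -e "$f" ] && count=$((count + 1)); done
    if [ "$count" -lt 2 ]; then rm -rf "$dir"; return 1; fi   # no intermediate appended
    i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$dir/cert-$next.pem" -noout -subject)
        # drop the "issuer="/"subject=" prefixes; openssl prints both DNs in the same text form
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then rm -rf "$dir"; return 1; fi
        i=$next
    done
    rm -rf "$dir"
}

# Constructed test material (not real Let's Encrypt data): a throwaway
# root -> intermediate -> leaf chain with ECDSA keys, a correctly ordered
# bundle (leaf, then intermediate) and a wrongly ordered one.
make_fixture() {   # usage: make_fixture dir
    d=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/root.key"
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/int.key"
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/privkey.pem"
    openssl req -x509 -new -key "$d/root.key" -subj "/CN=Example Root" -days 2 -out "$d/root.pem"
    openssl req -new -key "$d/int.key" -subj "/CN=Example Intermediate" -out "$d/int.csr"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -out "$d/int.pem" 2>/dev/null
    openssl req -new -key "$d/privkey.pem" -subj "/CN=www.test.com" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" > "$d/cert.pem"            # correct: leaf, then intermediate
    cat "$d/int.pem" "$d/leaf.pem" > "$d/wrong-order.pem"     # intermediate first: wrong
}

# Usage: sh check_certs.sh privkey.pem cert.pem
if [ $# -eq 2 ]; then
    key_matches_cert "$1" "$2" && echo "OK: private key matches certificate" || echo "FAIL: key does not match certificate"
    bundle_is_ordered "$2" && echo "OK: bundle is leaf -> intermediate" || echo "FAIL: bundle order or issuer mismatch"
fi
```

Run it against the folder prepared above (sh check_certs.sh privkey.pem cert.pem); both checks must print OK before the files are worth importing. The issuer/subject walk is stricter than "the intermediate is last": it also catches a bundle that contains the wrong intermediate, which openssl x509 alone does not reveal.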