Certificates with Let's Encrypt

To generate the certificates for clients that use Let's Encrypt:

  1. Gather valid certificate(s) for the domain(s) and verify that the private key privkey.pem matches the certificate cert.pem. You can use the commands below to verify the match:
$ openssl rsa -modulus -noout -in privkey.pem | openssl md5
(stdin)= 94046b8a7c60fed8c5937a828e28b54d

$ openssl x509 -modulus -noout -in cert.pem | openssl md5
(stdin)= 94046b8a7c60fed8c5937a828e28b54d

If the two hashes match, the key and certificate belong together and you can continue with the steps below.

  2. Find the Let's Encrypt intermediate certificate. It is published on the Let's Encrypt website: https://letsencrypt.org/certificates/.

  3. Concatenate the certificate obtained for the domain in step 1 with the intermediate certificate provided by the CA (Let's Encrypt) in step 2, and save the concatenated file as cert.pem. The intermediate must come last. The resulting file will look something like this:

-----BEGIN CERTIFICATE-----
MIIDnDCCAoSgAwIBAgIBDT...
...etc
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...etc
...8tY2Y5VAczOl7IE6L9gT1g==
-----END CERTIFICATE-----
  4. Put the concatenated cert.pem and privkey.pem in the same folder, for instance /home/guest/certs/www.test.com.

  5. Prepare an environment with sc_pack, for example in /home/guest/certs, where devlove.yaml contains the domain www.test.com.

  6. Run the command sc_pack import_certbot_certificates --certbot_certs_root_directory /home/guest/certs. The directory passed here must be the one that contains the per-domain folders (each named after its domain), not the domain folder itself; in this example that is /home/guest/certs, which contains www.test.com.

  7. Find the generated certificates under /home/guest/certs/shimmercat-scratch-folder/sni-certs/www.test.com; there should be two files: cert.pem and privkey.unencrypted-pkcs8.pem.

  8. If you did not run the import on the server where the domains are deployed, copy the certificates to the sc_pack where the domain is deployed, e.g. under shimmercat-scratch-folder/sni-certs/www.test.com.

  9. Verify the installed certificates with openssl; replace the hostname and IP address in the command with your own. With a working installation the output includes the certificate chain the server sends (-showcerts prints each certificate in PEM form), so check that the certificate for your domain appears there:

$ openssl s_client -servername www.test.com -connect 168.52.94.245:443 -showcerts

CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 315 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
   Protocol  : TLSv1.3
   Cipher    : 0000
   Session-ID:
   Session-ID-ctx:
   Resumption PSK:
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   Start Time: 1560875388
   Timeout   : 7200 (sec)
   Verify return code: 0 (ok)
   Extended master secret: no
   Max Early Data: 0
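Steps 1 to 3 above as one script, added here as an example; it is not part of sc_pack or the ShimmerCat documentation. It assumes the openssl command-line tool is installed and takes the private key, the domain certificate and the intermediate as arguments. It goes a little beyond the modulus check on the page: comparing the extracted public keys works for ECDSA keys as well as RSA, and the issuer/subject comparison catches an intermediate that was put first instead of last.

```shell
#!/bin/sh
# Added example (not part of sc_pack or ShimmerCat): checks that privkey.pem
# belongs to the domain certificate and builds cert.pem with the intermediate
# last, the layout the import step expects. Requires the openssl CLI.
set -eu

# Compare the public key inside the certificate with the public key derived
# from the private key. Unlike "openssl rsa -modulus" this works for both RSA
# and ECDSA keys (Let's Encrypt issues either kind).
key_matches_cert() {
    key="$1"; cert="$2"
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    # Two empty extractions would compare equal, so insist on a real PEM
    # public key before comparing.
    case "$key_pub" in *"BEGIN PUBLIC KEY"*) ;; *) return 1 ;; esac
    [ "$key_pub" = "$cert_pub" ]
}

# Write the domain certificate followed by the intermediate to $3. Before
# concatenating, confirm the order is right: the leaf's issuer must be the
# intermediate's subject, otherwise the wrong file was put last.
build_chain() {
    leaf="$1"; intermediate="$2"; out="$3"
    leaf_issuer=$(openssl x509 -in "$leaf" -noout -issuer) || return 1
    inter_subject=$(openssl x509 -in "$intermediate" -noout -subject) || return 1
    # openssl prefixes the lines with "issuer=" and "subject="; drop the labels.
    [ "${leaf_issuer#issuer=}" = "${inter_subject#subject=}" ] || return 1
    cat "$leaf" "$intermediate" > "$out"
}

# Usage: sh check_chain.sh privkey.pem domain-cert.pem intermediate.pem
if [ "$#" -eq 3 ]; then
    key_matches_cert "$1" "$2" || { echo "privkey.pem does not match the certificate" >&2; exit 1; }
    build_chain "$2" "$3" cert.pem || { echo "intermediate does not issue the domain certificate" >&2; exit 1; }
    echo "cert.pem written: domain certificate first, intermediate last"
fi
```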