Tech:SSL certificates

Let's Encrypt is a Certificate Authority that issues free SSL certificates. While it's a nice project, the official Let's Encrypt client is terrible, and getting the actual certs is a bit trickier than with other CAs. I'll explain how here. We'll use the acme-tiny client, which is a few thousand times better than the official one.

These steps should be run on mw1, and are only intended for operations members. I've used allthetropes.org and www.allthetropes.org as a real example here.

Get the cert
 * Step 1: generate a private key (this is the site's private key, so keep the file readable by root only):
  root@mw1:~/acme-tiny# openssl genrsa 2048 > allthetropes.key
  Generating RSA private key, 2048 bit long modulus
  ...............................................+++
  ..........................................................................................................+++
  e is 65537 (0x10001)
 * Step 2: generate a CSR for the domain (the SAN extension lists every hostname the cert must cover; the subject itself is left empty):
  root@mw1:~/acme-tiny# openssl req -new -sha256 -key allthetropes.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:allthetropes.org,DNS:www.allthetropes.org")) > allthetropes.csr
 * Step 3: get the actual cert (acme-tiny writes the challenge files into --acme-dir, so that directory must be served over HTTP at /.well-known/acme-challenge/ on every hostname in the CSR):
  root@mw1:~/acme-tiny# python acme_tiny.py --account-key account.key --csr allthetropes.csr --acme-dir /var/www/challenges/ > allthetropes.org.crt
 * Step 4: Upload the cert (be sure to include the intermediate/root certs too!) and private key, and you can use it.

Renewing the cert
Let's Encrypt certs are only valid for 90 days, so you will be doing this regularly. As long as you did not delete the files in /root/acme-tiny, renewing is very easy: the account key and the CSR from step 2 are reused, so only step 3 has to be run again:
  python /path/to/acme_tiny.py --account-key account.key --csr allthetropes.csr --acme-dir /var/www/challenges/ > allthetropes.org.crt
Then, follow step 4 again, and done.
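As an added example (not from this page or from the acme-tiny project), the script below does steps 1 and 2 for any list of hostnames, not just the two above, and adds the checks worth running before step 3 and before each renewal: that the CSR really lists every name, that the key and CSR belong together, and whether a deployed cert is close to expiry. The file name le-csr.sh, the temp-file config in place of the bash process substitution, and the example.org names are assumptions; only openssl is required.

```shell
#!/bin/sh
# Added helper (not from the wiki page or acme-tiny): does steps 1 and 2 for
# any list of hostnames, then checks the result before acme_tiny.py runs.
set -eu
# make_csr KEYFILE CSRFILE HOST [HOST...]  -- the SAN config goes to a temp
# file, so this runs in plain sh and does not depend on where openssl.cnf is.
make_csr() {
    key=$1; csr=$2; shift 2
    sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}   # DNS:a.org,DNS:www.a.org
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = SAN
[dn]
[SAN]
subjectAltName = $sans
EOF
    # umask 077: the private key is never world-readable, not even briefly.
    (umask 077; openssl genrsa 2048 > "$key" 2>/dev/null)
    # Let's Encrypt takes the names from the SAN extension; the CN is cosmetic.
    openssl req -new -sha256 -key "$key" -subj "/CN=$1" -reqexts SAN -config "$cfg" > "$csr"
    rm -f "$cfg"
}

# csr_sans CSRFILE: print the requested names, e.g. "DNS:a.org, DNS:www.a.org".
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# key_matches_csr KEYFILE CSRFILE: true if the CSR carries this key's public half.
key_matches_csr() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -noout -pubkey)
    [ "$k" = "$c" ]
}

# needs_renewal CERTFILE DAYS: true if the cert expires within DAYS days
# (Let's Encrypt certs are valid for 90 days; run this from cron).
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Usage: sh le-csr.sh allthetropes.key allthetropes.csr allthetropes.org www.allthetropes.org
if [ $# -ge 3 ]; then
    make_csr "$@"
    echo "CSR names: $(csr_sans "$2")"
    key_matches_csr "$1" "$2" || { echo "key/CSR mismatch" >&2; exit 1; }
fi
```

Hand the resulting CSR to acme_tiny.py exactly as in step 3; a cert that passes the name and key checks here will still be rejected by the CA if a hostname in the SAN is not served from --acme-dir.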