Is there a way to use Let's Encrypt native app?

Ron Jones
7 July 2017, 15:18
Is there a simple way for me to use the files as generated by the Let's Encrypt Certbot? Or can I only use the Let's Encrypt script included in Hiawatha?

I've downloaded Let's Encrypt via git; it installs in the /opt/letsencrypt directory. Then I used the ./letsencrypt-auto script to register and download certificates for my domain. Easy as pie, right?

The certificates are set up in /etc/letsencrypt/live/mydomain.com/. What you get are the following symlinks:
cert.pem
chain.pem
fullchain.pem
privkey.pem

These files point to a directory where the actual files are located. However, this makes it easy to renew the certs automatically, as they automatically point to the most recent one.

"Each key (.pem) file serves a different purpose:

cert.pem: server certificate only.
chain.pem: root and intermediate certificates only.
fullchain.pem: combination of server, root and intermediate certificates (replaces cert.pem and chain.pem).
privkey.pem: private key (do not share this with anyone!)."

When I use TLScertfile = /path/to/fullchain.pem Hiawatha tells me "Error loading private key"

When I use TLScertfile = /path/to/privkey.pem Hiawatha tells me "Error loading X.509 certificate"

Just to experiment, I tried:
TLScertfile = /path/to/privkey.pem
TLScertfile = /path/to/fullchain.pem

But then I got BOTH error messages.

Ron Jones
7 July 2017, 16:07
TL;DR = HA! Fixed it. cat /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem > /etc/hiawatha/tls/mydomain.pem

*Where privkey.pem and fullchain.pem are symlinks to files located in another directory.

To recap: Let's Encrypt was purchased by the Electronic Frontier Foundation. They have done some adds and upgrades. Among these is a nifty script that will let you approve and download your cert in seconds.

I installed Let's Encrypt's Certbot script (which installs in /opt), ran the script (which places your certs in /etc/letsencrypt/live), and was ready to go.

Unfortunately, the format didn't work for Hiawatha. The files written by Let's Encrypt are cert.pem, chain.pem, fullchain.pem, and privkey.pem (cert and chain are legacy/specialized, and not typically used).

Let's Encrypt stores the actual .pem files in /etc/letsencrypt/archive, and then sets up symlinks in /etc/letsencrypt/live/mydomain.com.

The reason for this is so that the automated renewal script, and the numbered files it produces, will not cause a hiccup in your connectivity (it recreates clean .pem symlinks at each renewal).

So, just to see if it works, I created a concatenated file made from privkey.pem + fullchain.pem, and located it in /etc/hiawatha/tls/

It seems to work just fine.

Now I'll set a monthly cron to renew my cert, and recreate the concatenated file.
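The concatenation step above, written out as a reusable shell function (an added example, not code from the thread or from the Hiawatha project): it builds the combined file in the same order the post arrived at (private key first, then fullchain), creates it with mode 0600 because the result contains the private key, checks that the first PEM block really is a key and that a certificate follows, and swaps it into place atomically so the server never reads a half-written file. The paths LIVE_DIR and OUT_FILE are assumptions; adjust them to your own deployment.

```shell
#!/bin/sh
# Added example: rebuild the key+chain PEM that Hiawatha's TLScertfile expects.
# Assumed layout: $live_dir is a certbot live/<domain> directory, $out_file is
# the path given to TLScertfile in hiawatha.conf.

set -eu

# build_hiawatha_pem LIVE_DIR OUT_FILE
# Returns 0 on success; 1 if an input is missing/unreadable or the output
# does not look like "private key followed by certificate(s)".
build_hiawatha_pem() {
    live_dir="$1"
    out_file="$2"

    for f in privkey.pem fullchain.pem; do
        if [ ! -r "$live_dir/$f" ]; then
            echo "missing or unreadable: $live_dir/$f" >&2
            return 1
        fi
    done

    tmp="$out_file.tmp.$$"
    # umask 077 in a subshell: the temp file is 0600 from the moment it exists,
    # so the private key is never briefly world-readable.
    (umask 077 && cat "$live_dir/privkey.pem" "$live_dir/fullchain.pem" > "$tmp")

    # Sanity checks on the result before it replaces the live file.
    if ! head -n 1 "$tmp" | grep -q 'PRIVATE KEY'; then
        rm -f "$tmp"; echo "first block is not a private key" >&2; return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$tmp"; then
        rm -f "$tmp"; echo "no certificate block found" >&2; return 1
    fi

    # Atomic replace: Hiawatha sees either the old file or the complete new one.
    mv -f "$tmp" "$out_file"
}

# file_mode PATH: print the octal permission bits (GNU stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Typical use (paths are assumptions):
# build_hiawatha_pem /etc/letsencrypt/live/mydomain.com /etc/hiawatha/tls/mydomain.pem
```

Rather than a monthly cron, this can be run from certbot's deploy hook (`--deploy-hook`, or a script placed in /etc/letsencrypt/renewal-hooks/deploy/), which certbot executes only when a certificate has actually been renewed; the hook should then reload Hiawatha so it picks up the new file.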
Hugo Leisink
7 July 2017, 21:36
Well done!