Monday, December 31, 2018

How to create a LetsEncrypt certificate manually using certbot

Expired Certificate
If you use certbot to renew your SSL certificate you may have noticed some issues over time. Unless you're very good at figuring out Apache and your .htaccess file, you might spend several hours searching StackOverflow for a solution and not get anywhere. To add to the complexity, I use a single hosting account to host several domains, all as subdomains of the main host. This means that when I load certbot I have a list of about 60 domains to choose from, and for some reason they all act differently with different issues.

My most recent error happened because certbot couldn't find the verification file that it placed on the server. I know this was caused by one of my rewrite rules in .htaccess, but I really don't want to waste the time each month figuring this stuff out. It has become easier (for me anyway) to run certbot manually and just get it over with. It takes only 5 minutes and I no longer have to deal with random errors that take several hours to debug. So here's how I did it:

I first go to the directory where certbot is installed and run the certonly subcommand with the --manual option, as shown:

./certbot-auto certonly --manual

Certbot will now ask for the domain name like so:

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): xxx.example.com

You then get a notification that "the IP of this machine will be publicly logged as having requested this certificate." I answered Yes to this.

You now have to do the big manual step, which is super easy:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

FF-rvRhkGtfLbJIMPfFkkGtDprhPNoKUqHSk4CE.wgSrF1jAzY6T0ve4sdhUZZELm73swjwh

And make it available on your web server at this URL:

http://xxx.example.com/.well-known/acme-challenge/FF-KcrvRhGtfLbJIMfFkvCkGtDDIejijdiuef8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The easiest way to do this is to create the text file manually on your local machine and FTP it to the correct location on the server, which is the .well-known/acme-challenge/ directory under the web root of that domain (the path in the URL certbot prints). Make sure the file name has no extension (watch for a .txt that your editor may add on save). So for the example above, the file name should be:

FF-KcrvRhGtfLbJIMfFkvCkGtDDIejijdiuef8

and it should contain only the string:

FF-rvRhkGtfLbJIMPfFkkGtDprhPNoKUqHSk4CE.wgSrF1jAzY6T0ve4sdhUZZELm73swjwh

(The file name and string above are fake; use the ones certbot generates for you, not these. ;) )
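The manual step above as an added helper script (not from the original post or from certbot): it writes the challenge file with the exact name and contents certbot asks for, then fetches it over plain HTTP the way the Let's Encrypt servers will, so a rewrite rule that hides the file shows up before you press Enter in certbot. WEBROOT, HOST, TOKEN and KEYAUTH are placeholders to replace with your own values; with real certbot output the file contents always begin with the file name followed by a dot, which the script uses as a copy-and-paste sanity check (the fake values in the post above don't follow that rule).

```shell
#!/bin/sh
# Added example (not from the post or certbot): write the HTTP-01 challenge file where
# certbot --manual asks for it, then fetch it as the CA will, so a broken .htaccess rewrite
# shows up before you press Enter. WEBROOT, HOST, TOKEN and KEYAUTH are placeholders.

WEBROOT="${WEBROOT:-/var/www/xxx.example.com}"   # assumed document root
HOST="${HOST:-xxx.example.com}"
# Constructed placeholders; certbot prints the real file name (TOKEN) and contents (KEYAUTH).
TOKEN="PLACEHOLDER-token-from-certbot_0123456789"
KEYAUTH="$TOKEN.PLACEHOLDER-thumbprint-from-certbot"

# ACME tokens use only base64url characters, so anything else (a '.', a '/', a
# stray '.txt') means the name was copied wrong or could escape the directory.
valid_token() {
  case "$1" in ""|*[!A-Za-z0-9_-]*) return 1 ;; esac
}

# Per RFC 8555 the file contents are "<token>.<account key thumbprint>", so the
# contents must start with the file name followed by a dot; a cheap paste check.
keyauth_matches_token() {
  case "$2" in "$1".*) return 0 ;; *) return 1 ;; esac
}

write_challenge() {
  webroot="$1"; token="$2"; keyauth="$3"
  valid_token "$token" || { echo "refusing file name with unexpected characters: $token" >&2; return 1; }
  keyauth_matches_token "$token" "$keyauth" \
    || echo "warning: contents do not start with '$token.' (copy/paste error?)" >&2
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  # printf, not echo: the file must hold the key authorization and nothing else
  printf '%s' "$keyauth" > "$dir/$token"
}

verify_challenge() {
  host="$1"; token="$2"; keyauth="$3"
  url="http://$host/.well-known/acme-challenge/$token"
  # -L is left out on purpose: a redirect from a rewrite rule is the usual reason
  # certbot "couldn't find" the file, so make it fail loudly here instead
  got=$(curl -fsS --max-time 10 "$url") \
    || { echo "GET $url failed: rewrite rule, 404 or wrong web root?" >&2; return 1; }
  [ "$got" = "$keyauth" ] \
    || { echo "$url is served but its contents differ from the expected string" >&2; return 1; }
  echo "ok: $url serves the challenge"
}
# Set ACME_APPLY=1 to actually write and check; left off so the file can be sourced.
if [ "${ACME_APPLY:-0}" = "1" ]; then
  write_challenge "$WEBROOT" "$TOKEN" "$KEYAUTH" && verify_challenge "$HOST" "$TOKEN" "$KEYAUTH"
fi
```

Run it on the server as `ACME_APPLY=1 WEBROOT=/path/to/docroot HOST=xxx.example.com sh check-challenge.sh` after pasting in the two values certbot printed; only once it reports ok should you let certbot continue.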

You should get a message that contains the following phrase:

- Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxx.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xxx.nogalis.com/privkey.pem

For some reason I had to wait about 10 minutes for Chrome to show the updated certificate.

I know the point of certbot is to automate all this, but when you're having issues and you're in a rush to update the cert this should come in handy.