Wednesday, March 6, 2024

Let's Encrypt certificate generation on a Linux machine

Prerequisites on a Linux machine to which the domain name is temporarily mapped.

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Open port 80 on the VM so that Certbot can perform domain validation.

sudo certbot certonly --standalone -d mysubdomain.mydomain.com

After this, Certbot will have created the certificate files under:

cd /etc/letsencrypt/live/mysubdomain.mydomain.com/
cd ../../archive/mysubdomain.mydomain.com/

Now copy these files to any documents folder and change their ownership to your user, or set permissions for everyone:

chmod 777 *
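The copy-and-change-ownership step above, as an added shell example (not from the original post). It takes the ownership route the post mentions rather than chmod 777, because privkey.pem is the private key and should stay readable only by its owner. The live/ folder holds symlinks into archive/, so the copy uses cp -L to get real files. The domain, destination folder and user name are arguments; the optional fourth argument (source folder override) exists only so the function can be exercised outside /etc/letsencrypt and is an assumption, not part of the post.

```shell
#!/bin/sh
# Added example: export a Let's Encrypt certificate pair from /etc/letsencrypt/live
# into a user-owned folder with sane permissions.

export_certs() {
    domain="$1"   # e.g. mysubdomain.mydomain.com
    dest="$2"     # e.g. /home/azureuser/certs
    owner="$3"    # e.g. azureuser
    src="/etc/letsencrypt/live/$domain"
    # optional override of the source folder (assumption, used for local testing)
    if [ -n "$4" ]; then src="$4"; fi

    # refuse to proceed if either file is missing
    [ -f "$src/fullchain.pem" ] && [ -f "$src/privkey.pem" ] || return 2
    mkdir -p "$dest" || return 1
    # -L follows the live/ -> archive/ symlinks so real files are copied
    cp -L "$src/fullchain.pem" "$dest/fullchain.pem" || return 1
    cp -L "$src/privkey.pem" "$dest/privkey.pem" || return 1
    chown "$owner" "$dest/fullchain.pem" "$dest/privkey.pem" || return 1
    chmod 644 "$dest/fullchain.pem"   # the chain is public anyway
    chmod 600 "$dest/privkey.pem"     # the private key is owner-only
}

# usage (run as root, since /etc/letsencrypt/live is root-only):
# sudo sh -c '. ./export_certs.sh; export_certs mysubdomain.mydomain.com /home/azureuser/certs azureuser'
```

After this, scp from the user's own folder works without further permission changes.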

After copying the same files to your Windows machine, you can generate a PFX file by running the command below from a Git Bash window.

To copy a file to your machine: scp azureuser@52.140.7.36:/home/azureuser/prodwindows.pfx .

Convert to a PFX file with a password:

openssl pkcs12 -export -out mysubdomain.mydomain.com.pfx -inkey /etc/letsencrypt/live/mysubdomain.mydomain.com/privkey.pem -in /etc/letsencrypt/live/mysubdomain.mydomain.com/fullchain.pem -password pass:yourpassword
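The PFX conversion above, wrapped in an added shell example (not from the original post) that first checks the private key really belongs to the certificate, so a mismatched pair is caught here rather than on the Windows side. It differs from the post's command in passing the password through an environment variable (openssl's `-passout env:` form) instead of `-password pass:`, so it does not end up in shell history or `ps` output. Function and argument names are assumptions.

```shell
#!/bin/sh
# Added example: PEM key + full chain -> password-protected PFX, with a key/cert match check.

key_matches_cert() {
    # derive the public key from the private key and from the certificate; they must be identical
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

make_pfx() {
    key="$1"; chain="$2"; out="$3"; pass="$4"
    [ -f "$key" ] && [ -f "$chain" ] || return 2      # missing input
    key_matches_cert "$key" "$chain" || return 3        # key does not match cert
    # the password is handed over via the environment, not the command line
    PFX_PASS="$pass" openssl pkcs12 -export -out "$out" -inkey "$key" -in "$chain" -passout env:PFX_PASS
}

# usage:
# make_pfx /etc/letsencrypt/live/mysubdomain.mydomain.com/privkey.pem \
#          /etc/letsencrypt/live/mysubdomain.mydomain.com/fullchain.pem \
#          mysubdomain.mydomain.com.pfx yourpassword
```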
To use with an Apache server, rename the files as follows:

fullchain1.pem --> prod.ma.crt
privkey1.pem   --> prod.ma.key


When your Linux machine is on a closed network with no public IP:

If your Linux machine is on a closed network reached via VPN and cannot be reached directly by the Let's Encrypt servers, then using certbot with the --standalone option won't work, because it requires port 80 or 443 to be publicly accessible for domain validation.

Here are a few alternative approaches you can consider:


Option 1: Use DNS-01 Challenge (Recommended for Closed Networks)

Instead of using the HTTP-01 challenge (which requires public access), use the DNS-01 challenge, which works by creating a DNS TXT record.

sudo certbot certonly --manual --preferred-challenges dns -d mysubdomain.mydomain.com

This will prompt you to create a TXT record like:

_acme-challenge.mysubdomain.mydomain.com

You’ll need to:

  • Log in to your DNS provider.
  • Add the TXT record with the value certbot gives you.
  • Wait for DNS propagation.
  • Press Enter to continue.

This method does not require your machine to be publicly accessible, only that you can modify DNS records.
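Added shell example (not from the original post) for the "wait for DNS propagation" step: it polls a public resolver for the _acme-challenge TXT record and only returns once the record carries the token certbot printed, which is the moment to press Enter. The token and record name are whatever certbot shows you; the use of dig, the 1.1.1.1 resolver, and the retry count and interval are assumptions.

```shell
#!/bin/sh
# Added example: confirm the ACME TXT record is visible before continuing certbot --manual.

# Reads `dig +short TXT` output on stdin; succeeds if one record equals the token.
txt_present() {
    token="$1"
    while IFS= read -r line; do
        # dig prints TXT data quoted, e.g. "abc123"; strip the surrounding quotes
        line=${line#\"}
        line=${line%\"}
        if [ "$line" = "$token" ]; then return 0; fi
    done
    return 1
}

# Polls the resolver until the record matches or the retries run out.
wait_for_txt() {
    name="$1"; token="$2"; tries="${3:-12}"; resolver="${4:-1.1.1.1}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "$name" "@$resolver" | txt_present "$token"; then
            echo "TXT record for $name is live"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT record for $name not visible after $tries tries" >&2
    return 1
}

# usage, with the value certbot printed in place of TOKEN_FROM_CERTBOT:
# wait_for_txt _acme-challenge.mysubdomain.mydomain.com TOKEN_FROM_CERTBOT
```

Querying a public resolver rather than the local one matters on a VPN-connected machine, whose resolver may be internal and see the record earlier or later than the Let's Encrypt validators do.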


Option 2: Generate the Certificate on a Public Machine

If DNS-01 is not feasible, you can:

  1. Use a public machine (e.g., a cloud VM) to generate the certificate using Certbot.
  2. Transfer the certificate files (fullchain.pem, privkey.pem) securely to your VPN machine.
  3. Install them in your web server (e.g., Nginx, Apache).

Option 3: Use a Certificate Authority That Supports Offline CSR

Some CAs (like ZeroSSL) allow you to:

  • Generate a Certificate Signing Request (CSR) on your VPN machine.
  • Upload the CSR to their web interface.
  • Complete validation (via DNS or email).
  • Download the signed certificate and install it manually.
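The first step of Option 3, as an added shell example (not from the original post): generate the private key and a CSR on the VPN machine, with the domain in the subjectAltName as well as the CN. The key is created with a restrictive umask and never leaves the machine; only the .csr is uploaded to the CA. The key size, output folder and helper names are assumptions.

```shell
#!/bin/sh
# Added example: key + CSR generation for an offline-CSR CA flow.

make_csr() {
    domain="$1"; dir="$2"
    mkdir -p "$dir" || return 1
    # umask 077 so the new private key is created mode 0600, not world-readable
    (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$domain.key") || return 1
    # modern clients check the SAN, not just the CN, so include both
    openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" || return 1
}

# Check that a CSR actually requests the expected SAN before uploading it.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# usage:
# make_csr mysubdomain.mydomain.com ./csr
# csr_has_san ./csr/mysubdomain.mydomain.com.csr mysubdomain.mydomain.com && echo "CSR ok"
```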


How do I find out which certificate folder Nginx is using?


To find out where Nginx is loading its SSL certificates from, you can check its configuration files. Here's how:


🔍 Step-by-Step: Locate SSL Certificate Paths in Nginx

  1. Find the Nginx config file:

    • The main config file is usually at: /etc/nginx/nginx.conf
    • It often includes other files from:
      /etc/nginx/sites-enabled/
      /etc/nginx/conf.d/

  2. Search for the ssl_certificate and ssl_certificate_key directives. Run this command to find them:

    sudo grep -R "ssl_certificate" /etc/nginx/

    Example output:

    /etc/nginx/sites-enabled/default:ssl_certificate /etc/letsencrypt/live/mysubdomain.mydomain.com/fullchain.pem;
    /etc/nginx/sites-enabled/default:ssl_certificate_key /etc/letsencrypt/live/mysubdomain.mydomain.com/privkey.pem;

    This tells you:

    • Certificate file: /etc/letsencrypt/live/mysubdomain.mydomain.com/fullchain.pem
    • Private key file: /etc/letsencrypt/live/mysubdomain.mydomain.com/privkey.pem

✅ Bonus Tip: Reload Nginx After Updating Certs

If you update or replace the certificate files, reload Nginx to apply changes:

sudo nginx -t   # Test config for errors
sudo systemctl reload nginx
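The grep above tells you where the certificates are; an added shell example (not from the original post) goes one step further and reports how many days each configured certificate has left, which is the check that matters most with 90-day Let's Encrypt certificates. The config root is a parameter so it can be pointed at a test folder; the 14-day warning threshold and the use of GNU date are assumptions.

```shell
#!/bin/sh
# Added example: list ssl_certificate paths from an Nginx config tree and check their expiry.

list_nginx_certs() {
    root="${1:-/etc/nginx}"
    # match ssl_certificate followed by whitespace (so ssl_certificate_key is excluded),
    # then keep only the path: drop the directive name and the trailing ';'
    grep -Rh "^[[:space:]]*ssl_certificate[[:space:]]" "$root" 2>/dev/null \
        | sed -e 's/^[[:space:]]*ssl_certificate[[:space:]]*//' -e 's/[[:space:]]*;.*$//' \
        | sort -u
}

cert_days_left() {
    # prints whole days until notAfter; returns 1 if the file is unreadable (GNU date assumed)
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
    [ -n "$end" ] || return 1
    end_s=$(date -d "$end" +%s 2>/dev/null) || return 1
    echo $(( (end_s - $(date +%s)) / 86400 ))
}

check_nginx_certs() {
    root="${1:-/etc/nginx}"; warn_days="${2:-14}"
    list_nginx_certs "$root" | while IFS= read -r path; do
        days=$(cert_days_left "$path") || { echo "UNREADABLE $path"; continue; }
        if [ "$days" -lt "$warn_days" ]; then
            echo "RENEW $days $path"
        else
            echo "OK $days $path"
        fi
    done
}

# usage (root needed to read /etc/nginx and the live/ folder):
# sudo sh -c '. ./check_nginx_certs.sh; check_nginx_certs /etc/nginx 14'
```

Run it before and after a certificate swap: the path confirms which file Nginx will load, and the day count confirms the new file is really the renewed one before you reload.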




