Prerequisite: a Linux machine to which the domain name is temporarily mapped.
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
sudo certbot certonly --standalone -d mysubdomain.mydomain.com
cd /etc/letsencrypt/live/mysubdomain.mydomain.com/
cd ../../archive/mysubdomain.mydomain.com/
chmod 777 *
openssl pkcs12 -export -out mysubdomain.mydomain.com.pfx -inkey /etc/letsencrypt/live/mysubdomain.mydomain.com/privkey.pem -in /etc/letsencrypt/live/mysubdomain.mydomain.com/fullchain.pem -password pass:yourpassword
privkey1.pem --> prod.ma.key
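The same PFX export as the steps above, written as an added example (not part of the original post) that avoids the chmod 777 step: the live/ entries are symlinks into archive/, so the script resolves them, refuses to continue while the private key is readable by anyone other than its owner, and takes the PFX password from an environment variable instead of the command line (where ps would show it). It assumes certbot's standard layout under /etc/letsencrypt (override with LE_ROOT) and openssl on PATH.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes certbot's layout:
#   $LE_ROOT/live/<name>/privkey.pem -> ../../archive/<name>/privkeyN.pem
# and openssl on PATH. LE_ROOT defaults to /etc/letsencrypt.

# Resolve a live/ symlink such as privkey.pem to the archive file behind it.
resolve_live_file() {
    readlink -f "${LE_ROOT:-/etc/letsencrypt}/live/$1/$2"
}

# Succeed only if the file (following symlinks) is owner-only: mode 600 or 400.
# Tries GNU stat first, then BSD stat.
key_is_private() {
    mode=$(stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Restrict a key file to its owner instead of opening it to everyone.
lock_down_key() {
    chmod 600 "$1"
}

# Bundle fullchain + private key into a PKCS#12 file. The password is read by
# openssl from the PFX_PASSWORD environment variable (its env: source).
export_pfx() {
    name="$1"; out="$2"
    key=$(resolve_live_file "$name" privkey.pem)
    chain=$(resolve_live_file "$name" fullchain.pem)
    key_is_private "$key" || {
        echo "refusing to export: $key is readable by group/others" >&2
        return 1
    }
    [ -n "${PFX_PASSWORD:-}" ] || { echo "set PFX_PASSWORD first" >&2; return 1; }
    # umask in a subshell so the .pfx itself is created owner-only.
    ( umask 077 && openssl pkcs12 -export -out "$out" \
        -inkey "$key" -in "$chain" -passout env:PFX_PASSWORD )
}

# Usage: PFX_PASSWORD='yourpassword' ./export_pfx.sh mysubdomain.mydomain.com mysubdomain.mydomain.com.pfx
if [ $# -eq 2 ]; then
    export_pfx "$1" "$2"
fi
```

The key check is deliberately placed before the export: if an earlier chmod 777 has already been run on the archive directory, the script stops and tells you which file to fix with lock_down_key rather than silently producing a bundle from a world-readable key.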
If your Linux machine is on a closed network via VPN and cannot directly reach Let's Encrypt servers, then using certbot with the --standalone option won't work because it requires port 80 or 443 to be publicly accessible for domain validation. Here are a few alternative approaches you can consider:
✅ Option 1: Use DNS-01 Challenge (Recommended for Closed Networks)
Instead of using the HTTP-01 challenge (which requires public access), use the DNS-01 challenge, which works by creating a DNS TXT record.
sudo certbot certonly --manual --preferred-challenges dns -d mysubdomain.mydomain.com
This will prompt you to create a TXT record like:
_acme-challenge.mysubdomain.mydomain.com
You’ll need to:
- Log in to your DNS provider.
- Add the TXT record with the value certbot gives you.
- Wait for DNS propagation.
- Press Enter to continue.
This method does not require your machine to be publicly accessible, only that you can modify DNS records.
✅ Option 2: Generate the Certificate on a Public Machine
If DNS-01 is not feasible, you can:
- Use a public machine (e.g., a cloud VM) to generate the certificate using Certbot.
- Transfer the certificate files (fullchain.pem, privkey.pem) securely to your VPN machine.
- Install them in your web server (e.g., Nginx, Apache).
✅ Option 3: Use a Certificate Authority That Supports Offline CSR
Some CAs (like ZeroSSL) allow you to:
- Generate a Certificate Signing Request (CSR) on your VPN machine.
- Upload the CSR to their web interface.
- Complete validation (via DNS or email).
- Download the signed certificate and install it manually.
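Two helpers for the closed-network options above, as an added example that is not part of the original post: wait_for_txt() polls public DNS for the _acme-challenge record so you only press Enter in certbot's DNS-01 prompt (Option 1) once the record is actually visible, and make_csr() generates the key and CSR for the offline-CSR path (Option 3) with a DNS subject alternative name and owner-only key permissions. It assumes dig and openssl on PATH; the resolver 1.1.1.1, the 10-second interval and the 30-try limit are arbitrary choices.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes dig and openssl on PATH.
# The resolver address, polling interval and try count below are arbitrary.

# Read `dig +short TXT` output on stdin; succeed if one record equals the token.
# dig prints each TXT value wrapped in double quotes, so match the quoted form.
txt_has_value() {
    grep -Fxq "\"$1\""
}

# Poll until _acme-challenge.<name> carries the token certbot printed.
# Usage: wait_for_txt mysubdomain.mydomain.com "$TOKEN" [tries]
wait_for_txt() {
    name="$1"; token="$2"; tries="${3:-30}"
    while [ "$tries" -gt 0 ]; do
        if dig +short TXT "_acme-challenge.$name" @1.1.1.1 | txt_has_value "$token"; then
            echo "TXT record for _acme-challenge.$name is visible"
            return 0
        fi
        tries=$((tries - 1))
        sleep 10
    done
    echo "TXT record for _acme-challenge.$name not visible yet" >&2
    return 1
}

# Generate a 2048-bit RSA key and a CSR for <name> with CN and a DNS SAN.
# A minimal req config is used so this works on any openssl version; the
# subshell umask makes the key file owner-only.
# Usage: make_csr mysubdomain.mydomain.com privkey.pem request.csr
make_csr() {
    name="$1"; keyfile="$2"; csrfile="$3"
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $name
[san]
subjectAltName = DNS:$name
EOF
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$keyfile" -out "$csrfile" -config "$cfg" 2>/dev/null )
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Confirm the CSR carries the expected SAN before uploading it to the CA.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}
```

The CA validates the name on the CSR, not the machine that generated it, which is why Option 3 works from a VPN-only host: only the CSR leaves the network, and the private key never does.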
How do I find out which certs folder Nginx is using?
To find out where Nginx is loading its SSL certificates from, you can check its configuration files. Here's how:
🔍 Step-by-Step: Locate SSL Certificate Paths in Nginx
Find the Nginx config file:
- The main config file is usually at: /etc/nginx/nginx.conf
- It often includes other files from: /etc/nginx/sites-enabled/ and /etc/nginx/conf.d/
Search for the ssl_certificate and ssl_certificate_key directives. Run this command to find them:
sudo grep -R "ssl_certificate" /etc/nginx/
Example output:
/etc/nginx/sites-enabled/default:ssl_certificate /etc/letsencrypt/live/mysubdomain.mydomain.com/fullchain.pem;
/etc/nginx/sites-enabled/default:ssl_certificate_key /etc/letsencrypt/live/mysubdomain.mydomain.com/privkey.pem;
This tells you:
- Certificate file:
/etc/letsencrypt/live/mysubdomain.mydomain.com/fullchain.pem
- Private key file:
/etc/letsencrypt/live/mysubdomain.mydomain.com/privkey.pem
✅ Bonus Tip: Reload Nginx After Updating Certs
If you update or replace the certificate files, reload Nginx to apply changes:
sudo nginx -t # Test config for errors
sudo systemctl reload nginx
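An added example (not part of the original post) that turns the grep above into a small audit: list_ssl_paths() prints every ssl_certificate and ssl_certificate_key path under the Nginx config directory with comments and semicolons stripped, and audit_nginx_tls() checks that each file exists and that no certificate expires within 14 days, which is the usual reason to go looking for these paths in the first place. It assumes the /etc/nginx layout shown above (override with the first argument) and openssl on PATH for the expiry check.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the /etc/nginx layout
# (nginx.conf plus sites-enabled/ and conf.d/) and openssl for -checkend.

NGINX_DIR_DEFAULT=/etc/nginx

# Print "directive path" for each ssl_certificate / ssl_certificate_key line
# found anywhere under the config directory. grep -R walks nginx.conf,
# sites-enabled/ and conf.d/; sed drops comments and the trailing semicolon.
list_ssl_paths() {
    dir="${1:-$NGINX_DIR_DEFAULT}"
    grep -RhE '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' "$dir" \
        | sed -e 's/#.*//' -e 's/;.*//' \
        | awk '{print $1, $2}'
}

# Succeed if the certificate at $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Check every referenced file; the exit status is the number of problems
# found (0 = everything ok). Nginx only reads these files at start/reload,
# so a renewed or replaced file takes effect only after `systemctl reload nginx`.
audit_nginx_tls() {
    dir="${1:-$NGINX_DIR_DEFAULT}"; problems=0
    while read -r directive path; do
        [ -n "$path" ] || continue
        if [ ! -r "$path" ]; then
            echo "MISSING  $directive $path" >&2
            problems=$((problems + 1))
            continue
        fi
        if [ "$directive" = ssl_certificate ] && command -v openssl >/dev/null 2>&1; then
            if cert_valid_for_days "$path" 14; then
                echo "OK       $path" >&2
            else
                echo "EXPIRING $path (less than 14 days left)" >&2
                problems=$((problems + 1))
            fi
        fi
    done <<EOF
$(list_ssl_paths "$dir")
EOF
    return "$problems"
}

# Usage: ./audit_nginx_tls.sh [/etc/nginx]
if [ $# -ge 1 ]; then
    audit_nginx_tls "$1"
fi
```

The here-document feeds the loop instead of a pipe so that the problem counter survives: a `list_ssl_paths | while read` pipeline would run the loop in a subshell and always return 0.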