These will be generated in the directory CertificateSigningRequests/
You first need to have created an SSL configuration, e.g. my-family.cnf
Note the earlier comment about needing a capable shell: use ksh or bash
Use su to become the user rsa
Run CreateSigningRequests, e.g.:
# su rsa -c 'bin/CreateSigningRequests my-family'
If you wish you can look at the request:
$ openssl req -noout -text -in CertificateSigningRequests/my-family.csr
What you are really testing is that Apache is correctly configured so that Let's Encrypt can ascertain that it should sign the request.
Run CheckSiteAccess, e.g.:
# su rsa -c 'bin/CheckSiteAccess my-family'
If this does not work, fix your Apache configuration. Did you restart Apache?
It should work since you just tested that the location /.well-known/acme-challenge/ is visible
Use su to become the user acme
Run GetSignedCertificate, e.g.:
# su acme -c 'bin/GetSignedCertificate my-family'
If you wish you can look at the certificate:
$ openssl x509 -in SignedCertificates/my-family.crt -text -noout
Two important fields are the dates; you don't want to use an expired certificate:
$ openssl x509 -in SignedCertificates/my-family.crt -text -noout | grep 'Not '
Also check the sites that it is valid for:
$ openssl x509 -in SignedCertificates/my-family.crt -text -noout | sed -e '/DNS/!d' -e 's/, DNS:/\n/g' -e 's/^ \+DNS://'
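The date and site checks above can be scripted so that a certificate is rejected before it is installed. This is an added example, not one of the tutorial's bin/ scripts; the function names and the example.org hostnames are assumptions, and the sample certificate text is constructed.

```sh
#!/bin/sh
# Added example, not one of the tutorial's bin/ scripts.

# Read `openssl x509 -noout -text` output on stdin and print the
# certificate's DNS names, one per line, lower-cased.
san_names() {
    grep 'DNS:' | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p' |
        tr '[:upper:]' '[:lower:]'
}

# missing_names host...: certificate text on stdin; prints every expected
# host that is not an exact (whole-name) match for one of the DNS names.
missing_names() {
    sans=$(san_names)
    for host in "$@"; do
        host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
        printf '%s\n' "$sans" | grep -qxF -- "$host" || printf '%s\n' "$host"
    done
}

# check_cert CRT DAYS host...: the same test against a real file (needs the
# openssl CLI). Fails if the certificate expires within DAYS days or does
# not cover every host.
check_cert() {
    crt=$1; days=$2; shift 2
    openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "$crt: expired or expires within $days days" >&2; return 1; }
    missing=$(openssl x509 -in "$crt" -noout -text | missing_names "$@")
    [ -z "$missing" ] || { echo "$crt: not valid for: $missing" >&2; return 1; }
}

# Constructed sample of the relevant part of `openssl x509 -text` output.
sample_text() {
    cat <<'EOF'
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Mar 31 00:00:00 2024 GMT
            X509v3 Subject Alternative Name:
                DNS:example.org, DNS:www.example.org, DNS:Mail.Example.org
EOF
}

# Demo on the sample: prints shop.example.org, the only uncovered name.
sample_text | missing_names www.example.org shop.example.org
```

Against a real file, call check_cert with the certificate path, a number of days and the hostnames from your SSL configuration; a non-zero exit status means the certificate should not be installed.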
This gives nice output:
$ nmap --script ssl-cert -p 443 www.phcomp.co.uk