Let’s Encrypt – Export Client Certificate from Let’s Encrypt Certificates

certbotlets-encryptssl

I'm running Debian and have certbot for creating Let's Encrypt certificate.

I act as client towards a TLS server, and needs to handover my client certificate for approval.

I've got the following files generated by certbot:

/etc/letsencrypt/live/my-client-server-domain/privkey.pem
/etc/letsencrypt/live/my-client-server-domain/fullchain.pem
/etc/letsencrypt/live/my-client-server-domain/chain.pem

Which certificate should I handover, and is it safe to share public?

Best Answer

You need to keep /etc/letsencrypt/live/my-client-server-domain/privkey.pem private as it contains the private key for your certificate.

You can hand out one ofthese two files:

/etc/letsencrypt/live/my-client-server-domain/chain.pem
/etc/letsencrypt/live/my-client-server-domain/fullchain.pem

You might want to share the /etc/letsencrypt/live/my-client-server-domain/fullchain.pem as it contains intemediate certificates if those were used by Let's Encrypt. The recipient can extract your certificate from it in case it is needed.

Related Solutions

Let’s Encrypt – How to Use Let’s Encrypt as a Free SSL Certificate Provider

I have written a pair of how-tos for running Let's Encrypt SSL certs on CentOS: initial setup & cronning it.

And my per-domain (I use the file naming convention of z-<[sub-]domain-tld>.conf) Apache config files look like this:

<VirtualHost *:80>
ServerName domain.tld
Redirect permanent / https://domain.tld/
</VirtualHost>

<VirtualHost *:443>
    SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/fullchain.pem
    DocumentRoot /var/www/domain
    ServerName domain.tld
    ErrorLog logs/domain-error_log
    CustomLog logs/domain-access_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ServerAdmin user@domain.tld

    SSLEngine on

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

    <Directory "/var/www/domain">
         Options All +Indexes +FollowSymLinks
         AllowOverride All
         Order allow,deny
         Allow from all
    </Directory>

</VirtualHost>

And my ssl.conf looks like this:

#SSL options for all sites
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
Mutex sysvsem default
SSLRandomSeed startup file:/dev/urandom  1024
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLCompression          off
SSLHonorCipherOrder     on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Using Let's Encrypt to get SSL certs (and get your site up to an "A" rating from SSL Labs) is pretty straight-forward - once you get past some of the arcana of the Apache configs and LE command-line arguments.

Why is Let’s Encrypt now failing to look up an A record from Pragmatometer.com

My best guess is that there was an intermittent / short-lived DNS failure / timeout from the Let's Encrypt side (or maybe you happen to be on a slow connection).

Indeed, a quick check of the core error message ("query timed out looking up A for" site:letsencrypt.org) reveals some reports on the LE forum site like this one.

Try again in a little bit, and you should be golden.

Best Answer

Related Solutions

Let’s Encrypt – How to Use Let’s Encrypt as a Free SSL Certificate Provider

Why is Let’s Encrypt now failing to look up an A record from Pragmatometer.com

Related Topic