letsencrypt-nosudo

Free HTTPS certificates without having to trust the letsencrypt cli with sudo/root

Primary language: Python. License: GNU Affero General Public License v3.0 (AGPL-3.0).

#Let's Encrypt Pragmatic

The Let's Encrypt initiative is a fantastic program that offers free HTTPS certificates. This script is an alternative to their official client for getting a certificate signed.

You generate your private key and certificate signing request (CSR) as usual, then run sign_csr.py with your CSR to get it signed. The script walks through the ACME protocol with the Let's Encrypt certificate authority and writes the signed certificate to stdout.

Differences from the original letsencrypt-nosudo:

  • it is meant to run on a different machine (probably your PC) than the server serving the domain
  • it does not require sudo to start a home-grown Python webserver, because:
    • you probably already have an httpd running on the server
    • the script does /not/ run on the server; it only copies the challenge file there over ssh
  • it does not require you to issue commands manually (given the extra parameters, it runs these commands itself)

#How to

##Do Once

  • install openssl and python2 if not available
  • create a user account key if not already done (this key identifies your ACME account; it stays on your PC and never needs to be on the server)
```bash
openssl genrsa 4096 > user.key
openssl rsa -in user.key -pubout > user.pub
```
  • create the domain key
```bash
openssl genrsa 4096 > example.com.key
```
  • create a certificate request if not already done
```bash
openssl req -new -sha256 -key example.com.key -subj "/CN=example.com" > example.com.csr
# or for multiple domains (the <(...) process substitution needs bash, and the
# path of openssl.cnf varies between distributions):
openssl req -new -sha256 -key example.com.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) > example.com.csr
```
  • get the intermediate cert for the chain (Let's Encrypt rotates intermediates over time; use the one currently listed at https://letsencrypt.org/certificates/)
```bash
wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
```
  • make sure .well-known/acme-challenge under the docroot is served by the httpd over plain HTTP (port 80); the script puts a file there which Let's Encrypt retrieves to validate that you control the domain

##Loop

  • run the script with python, passing in your account private key (to sign the ACME requests), your account public key, the ssh host and docroot of the server (to place the challenge file) and the domain CSR. Paths can be relative or absolute.
```bash
python sign_csr.py \
	--email=webmaster@example.com \
	--private-key user.key \
	--ssh-host example.com \
	--docroot /var/www/example.com/ \
	--public-key user.pub \
	example.com.csr \
	> example.com.crt
```
  • chain the cert
```bash
cat example.com.crt lets-encrypt-x1-cross-signed.pem > example.com.chained.pem
```
  • copy the chained cert to the server (the server also needs example.com.key to serve TLS)
  • restart httpd

##Internals

The functionality of the original script was mostly kept intact. Additional parameters were added which, if given, trigger the automation: the private key is used to sign the ACME requests directly, and the challenge file is copied to the server via ssh. If you do not provide these parameters, the script still prints the commands you have to issue manually to progress to the next step.
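The file the script drops under .well-known/acme-challenge/ is the ACME http-01 "key authorization": the challenge token followed by "." and the RFC 7638 thumbprint of the *account* key (user.pub), which is why the server never needs user.key but the response still cannot be forged by someone who merely controls the web root. The following is an added example (not the project's code, not sign_csr.py) that computes that file body from a PEM public key using only the Python standard library; the DER helpers, the function names and the demo modulus are this example's own, and the modulus is a constructed number, not a real key.

```python
"""Added example: compute the ACME http-01 key authorization from user.pub.

Illustrative code, not part of letsencrypt-nosudo. The sample modulus is a
constructed number, not a real key; all names here are this example's own.
"""
import base64
import hashlib
import json

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo -----------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:  # leading 0x00 keeps the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def _der_read(buf, pos):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length (4096-bit moduli need it)
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def rsa_public_pem(n, e):
    """Build the same PEM that `openssl rsa -in user.key -pubout` writes."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"


def parse_rsa_public_pem(pem):
    """Extract (n, e) from user.pub; rejects anything that is not an RSA key."""
    b64 = "".join(line for line in pem.splitlines() if line and not line.startswith("-----"))
    der = base64.b64decode(b64)
    tag, spki, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    tag, alg_id, pos = _der_read(spki, 0)
    oid_tag, oid, _ = _der_read(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_read(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_pub, _ = _der_read(bitstr, 1)  # skip the unused-bits byte
    _, n_bytes, pos = _der_read(rsa_pub, 0)
    _, e_bytes, _ = _der_read(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


# --- the ACME pieces --------------------------------------------------------
def _b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _int_b64url(v):
    return _b64url(v.to_bytes((v.bit_length() + 7) // 8, "big"))


def jwk_thumbprint(n, e):
    """RFC 7638: SHA-256 over the JWK's required members, lexically ordered, no whitespace."""
    jwk = {"e": _int_b64url(e), "kty": "RSA", "n": _int_b64url(n)}
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    return _b64url(hashlib.sha256(canonical).digest())


def key_authorization(token, n, e):
    """Body of <docroot>/.well-known/acme-challenge/<token>: binds the token to the account key."""
    return token + "." + jwk_thumbprint(n, e)


# constructed demo modulus (NOT a real key); a real user.pub is 4096 bits
DEMO_N = (1 << 511) | 0xB1A5ED
DEMO_E = 65537

if __name__ == "__main__":
    pem = rsa_public_pem(DEMO_N, DEMO_E)
    n, e = parse_rsa_public_pem(pem)
    print(pem)
    print("thumbprint:", jwk_thumbprint(n, e))
    print("challenge file body:", key_authorization("constructed-token", n, e))
```

Point it at a real user.pub with `parse_rsa_public_pem(open("user.pub").read())` and compare the thumbprint against what the script (or any ACME client) derives for the same account key; if the file the CA fetches does not end in exactly that thumbprint, validation fails even though the token part is right, which is the property that makes it safe to let the web root hold the file without holding the key.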

##Donate

If this script is useful to you, please donate to the EFF. I don't work there, but they do fantastic work.

https://eff.org/donate/