letsencrypt

How it works

You install a client on your server that contacts Let's Encrypt's servers and asks for a certificate. The client generates a private key and a CSR (Certificate Signing Request) and sends the CSR to Let's Encrypt's server. Let's Encrypt then challenges the client to prove that it really controls the domain it claims, for example by asking it to create a URL and put specific content at it: only someone who controls the domain's web server can publish a page with that exact content. If the client passes the challenge, Let's Encrypt's server delivers the certificate and the client installs it. Simple.

When the certificate is about to expire, you can use the client to ask for a new one so you always have a valid certificate, or you can define a cron job that does this for you.

Questions

1. What if the server is compromised?

Then it's compromised, certificate or no certificate. You are already doomed, SSL or not.

2. What if the client is compromised? It could send my private key to anybody, since it knows where it lives!

Then don't run a client on the server at all: request the certificate by hand with diafygi's script. The script never reads your private keys; every signature it needs is produced by you with openssl in a separate terminal, as the transcript below shows.

Steps to manually get a signed certificate with diafygi's script

1. Generate a private/public key pair to create an account on Let's Encrypt. This key pair identifies you to Let's Encrypt; it is not the key you'll be installing on the server.

2. Generate a private/public key for your domain.

3. Generate a CSR signed with your domain's private key (the key from step 2).

4. Use the sign_csr.py script to request the signing of that CSR from Let's Encrypt and just follow the instructions. Here's a real-world example:

root@messagerie[10.10.10.19] /var/clone-messagerie-secours/root/SSL/LETSENCRYPT # python sign_csr.py -p user_account.public_key certificate_request.csr 
Reading pubkey file...
Found public key!
Reading csr file...
Found domains messagerie.algerian-radio.dz
STEP 1: What is your contact email? (webmaster@messagerie.algerian-radio.dz) a.chaouche@algerian-radio.dz
Building request payloads...
Building request for messagerie.algerian-radio.dz...
Building request for CSR...
STEP 2: You need to sign some files (replace 'user.key' with your user private key).

openssl dgst -sha256 -sign user.key -out register_k39v_G.sig register_AqHzwx.json
openssl dgst -sha256 -sign user.key -out domain_AETTGo.sig domain_EhZdjx.json
openssl dgst -sha256 -sign user.key -out cert_aGH53i.sig cert_Ouepp_.json

Press Enter when you've run the above commands in a new terminal window...
===================
root@messagerie[10.10.10.19] /var/clone-messagerie-secours/root/SSL/LETSENCRYPT # openssl dgst -sha256 -sign user_account.private_key -out register_k39v_G.sig register_AqHzwx.json
root@messagerie[10.10.10.19] /var/clone-messagerie-secours/root/SSL/LETSENCRYPT # openssl dgst -sha256 -sign user_account.private_key -out domain_AETTGo.sig domain_EhZdjx.json
root@messagerie[10.10.10.19] /var/clone-messagerie-secours/root/SSL/LETSENCRYPT # openssl dgst -sha256 -sign user_account.private_key -out cert_aGH53i.sig cert_Ouepp_.json
root@messagerie[10.10.10.19] /var/clone-messagerie-secours/root/SSL/LETSENCRYPT # 
===================
Registering a.chaouche@algerian-radio.dz...
Already registered. Skipping...
Requesting challenges for messagerie.algerian-radio.dz...
Building challenge responses for messagerie.algerian-radio.dz...
STEP 3: You need to sign some more files (replace 'user.key' with your user private key).

openssl dgst -sha256 -sign user.key -out challenge_bUXIwz.sig challenge_DJv0DO.json

Press Enter when you've run the above commands in a new terminal window...
====================
root@messagerie[10.10.10.19] /var/clone-messagerie-secours/root/SSL/LETSENCRYPT # openssl dgst -sha256 -sign user_account.private_key -out challenge_bUXIwz.sig challenge_DJv0DO.json
root@messagerie[10.10.10.19] /var/clone-messagerie-secours/root/SSL/LETSENCRYPT # 
====================
STEP 4: You need to run this command on messagerie.algerian-radio.dz (don't stop the python command until the next step).

sudo python -c "import BaseHTTPServer; \
    h = BaseHTTPServer.BaseHTTPRequestHandler; \
    h.do_GET = lambda r: r.send_response(200) or r.end_headers() or r.wfile.write('DBfBDLZMNYlT1Jy0_0Yq529G4_KSOSa4zGFaTiRO47g.SVQ4p6uO0wMrR8mris22a0GHQQ4iN61g5kjVyJEmcVg'); \
    s = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), h); \
    s.serve_forever()"

Press Enter when you've got the python command running on your server...
======================

root@messagerie[10.10.10.19] /var/clone-messagerie-secours/root/SSL/LETSENCRYPT # python -c "import BaseHTTPServer; \
>     h = BaseHTTPServer.BaseHTTPRequestHandler; \
>     h.do_GET = lambda r: r.send_response(200) or r.end_headers() or r.wfile.write('DBfBDLZMNYlT1Jy0_0Yq529G4_KSOSa4zGFaTiRO47g.SVQ4p6uO0wMrR8mris22a0GHQQ4iN61g5kjVyJEmcVg'); \
>     s = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), h); \
>     s.serve_forever()"
192.168.211.126 - - [01/Jun/2016 15:12:33] "GET / HTTP/1.1" 200 -
192.168.211.126 - - [01/Jun/2016 15:12:34] "GET /favicon.ico HTTP/1.1" 200 -
192.168.211.126 - - [01/Jun/2016 15:12:34] "GET /favicon.ico HTTP/1.1" 200 -
====================
Passed messagerie.algerian-radio.dz challenge!
Requesting signature...
Certificate signed!
You can stop running the python command on your server (Ctrl+C works).
-----BEGIN CERTIFICATE-----
MIIGHDCCBQSgAwIBAgISA69v2KEZkRaO3Ei3yK5iMk5pMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
[...]
ZDvXhmyIfnk8r5rMfjJUzcYHuGoN9DcqlhsOFh+9o+PLjj3etaQuAOI/yF7LMIGo
zBvXyNxLGLDrkEI2Xf/bhxvY+C2BffVgHOfJSSb0MCA=
-----END CERTIFICATE-----
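Steps 1 to 3 above (account key pair, domain key, CSR) driven from Python 3 with the system openssl binary, as an added example that is not code from this page or from diafygi's sign_csr.py. File names follow the transcript (user_account.private_key, user_account.public_key, certificate_request.csr); the domain key name domain.key, the messagerie.example host and the LETSENCRYPT directory are assumptions. It also checks, before anything is sent to the CA, that the CSR really was signed with the domain key and carries the expected CN, which is what sign_csr.py later echoes back as "Found domains ...".

```python
"""Added example (not from the page or diafygi's sign_csr.py): steps 1-3 of the
manual flow driven from Python 3 with the system openssl binary, plus a check
that the CSR really belongs to the domain key before it is sent anywhere.
File names follow the transcript; 'domain.key' is an assumption."""
import os
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Optional


def _openssl(*args: str) -> bytes:
    """Run one openssl command, raising CalledProcessError on failure."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True).stdout


def make_keys_and_csr(workdir: Optional[str], domain: str,
                      bits: int = 4096) -> Dict[str, Path]:
    """Create the account key pair, the domain key and the CSR in workdir
    (a fresh temporary directory when None) and return their paths."""
    d = Path(workdir) if workdir else Path(tempfile.mkdtemp())
    d.mkdir(parents=True, exist_ok=True)
    os.umask(0o077)  # new key files are readable by this user only
    paths = {
        "account_private": d / "user_account.private_key",
        "account_public": d / "user_account.public_key",
        "domain_key": d / "domain.key",
        "csr": d / "certificate_request.csr",
    }
    # 1. Account key pair: identifies you to Let's Encrypt. Only the public
    #    half is handed to sign_csr.py (-p); the private half signs the JSON
    #    payloads in a separate terminal, so the script never reads it.
    _openssl("genrsa", "-out", str(paths["account_private"]), str(bits))
    _openssl("rsa", "-in", str(paths["account_private"]), "-pubout",
             "-out", str(paths["account_public"]))
    # 2. Domain key: the key the certificate is issued for; stays on the server.
    _openssl("genrsa", "-out", str(paths["domain_key"]), str(bits))
    # 3. CSR signed with the domain key, hostname as CN and as a SAN.
    _openssl("req", "-new", "-sha256", "-key", str(paths["domain_key"]),
             "-subj", f"/CN={domain}",
             "-addext", f"subjectAltName=DNS:{domain}",
             "-out", str(paths["csr"]))
    return paths


def csr_matches_key(csr: Path, domain_key: Path) -> bool:
    """True only if the CSR's self-signature verifies and the public key it
    carries is the one derived from domain_key (catches key/CSR mix-ups)."""
    try:
        _openssl("req", "-in", str(csr), "-noout", "-verify")
    except subprocess.CalledProcessError:
        return False
    csr_pub = _openssl("req", "-in", str(csr), "-noout", "-pubkey")
    key_pub = _openssl("rsa", "-in", str(domain_key), "-pubout")
    return csr_pub.strip() == key_pub.strip()


def csr_common_name(csr: Path) -> str:
    """The CN that sign_csr.py echoes back as 'Found domains ...'."""
    subj = _openssl("req", "-in", str(csr), "-noout", "-subject").decode()
    m = re.search(r"CN\s*=\s*([^,/\n]+)", subj)
    return m.group(1).strip() if m else ""


if __name__ == "__main__":
    # Assumed directory and hostname; replace with your own.
    p = make_keys_and_csr("LETSENCRYPT", "messagerie.example")
    assert csr_matches_key(p["csr"], p["domain_key"])
    print("CSR for", csr_common_name(p["csr"]), "ready:", p["csr"])
```

After this, user_account.public_key and certificate_request.csr are the two files passed to sign_csr.py, and user_account.private_key is what you substitute for 'user.key' in the openssl dgst commands the script prints; domain.key is the file your web server will load next to the signed certificate.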
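The one-liner the script prints in STEP 4 answers every GET on port 80 with the key authorization, which is why the browser's /favicon.ico requests are logged with 200 too. Let's Encrypt only ever fetches /.well-known/acme-challenge/<token>, where <token> is the part of the key authorization before the dot. Here is a Python 3 responder for that step, added as an example that is not code from this page or from diafygi's script: it serves exactly that path for tokens it knows and returns 404 for everything else. The SAMPLE_KEY_AUTH value is a constructed placeholder, not the one from the transcript.

```python
"""Added example (not code from the page or from diafygi's sign_csr.py):
a Python 3 http-01 responder for STEP 4 that only serves the ACME challenge
path. SAMPLE_KEY_AUTH is a constructed placeholder."""
import http.server
import socketserver
from typing import Dict, Iterable, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"


def challenges_from_key_authorizations(key_auths: Iterable[str]) -> Dict[str, str]:
    """sign_csr.py prints one key authorization per domain, of the form
    '<token>.<account key thumbprint>'. The CA fetches ACME_PREFIX + token and
    expects the whole key authorization back, so index them by token."""
    table: Dict[str, str] = {}
    for ka in key_auths:
        token, _, thumbprint = ka.partition(".")
        if not token or not thumbprint:
            raise ValueError(f"not a key authorization: {ka!r}")
        table[token] = ka
    return table


def challenge_response(path: str, challenges: Dict[str, str]) -> Tuple[int, bytes]:
    """Decide the reply to one GET. Exactly ACME_PREFIX + a known token gets
    200 with its key authorization; '/', '/favicon.ico', unknown tokens and
    nested paths get 404 and reveal nothing. A query string is ignored."""
    path = path.split("?", 1)[0]
    if not path.startswith(ACME_PREFIX):
        return 404, b"not found\n"
    token = path[len(ACME_PREFIX):]
    if not token or "/" in token or token not in challenges:
        return 404, b"not found\n"
    return 200, challenges[token].encode("ascii")


class AcmeHandler(http.server.BaseHTTPRequestHandler):
    """Minimal handler: all decisions are delegated to challenge_response."""
    challenges: Dict[str, str] = {}

    def do_GET(self) -> None:
        status, body = challenge_response(self.path, self.challenges)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(key_auths: Iterable[str], port: int = 80) -> None:
    """Bind the port (80 needs root, like the page's sudo one-liner) and
    answer until Ctrl+C; stop it once sign_csr.py reports the challenge passed."""
    AcmeHandler.challenges = challenges_from_key_authorizations(key_auths)
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer(("0.0.0.0", port), AcmeHandler) as httpd:
        httpd.serve_forever()


# Constructed placeholder; paste the real value printed in STEP 4 here.
SAMPLE_KEY_AUTH = "tokenAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.thumbprintBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"

if __name__ == "__main__":
    serve([SAMPLE_KEY_AUTH])
```

Run it on the server in place of the printed one-liner, with the key authorization from STEP 4 as SAMPLE_KEY_AUTH; the validation request from Let's Encrypt then shows up in the log as a 200 on the acme-challenge path, and any other probe of port 80 during that window shows up as a 404.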

contact : @ychaouche yacinechaouche at yahoocom
