[BlueOnyx:18728] Re: SSL Certificates (via Let's Encrypt) - > available for 5209R (Tigerwolf)

Michael Stauber mstauber at blueonyx.it
Sun Dec 6 14:06:58 -05 2015 

Hi Neil,

> However, I can't (at the moment!) figure out how to make something that 
> Apache likes (in the /home/sites/..../certs directory) - so any clues as 
> to get openssl/whatever to do it welcome (pretty please!)

Here is the entire "on foot" procedure how to generate Apache SSL certs
with the Let's Encrypt client from the CLI:

My starting point: BlueOnyx with Vsite www.domain.com. According to CCE
this is "site2" and the DocumentRoot is /home/.sites/143/site2/web

You will need to know the "siteX"-number and the DocumentRoot for this.
You can see both if you got to the /web directory of the Vsite and do an
"ls -als" and a "pwd". The site-number is the GID of the Vsite and the
path you need is the full path to the public /web directory.

1.) Make request:

./letsencrypt-auto certonly -a webroot --webroot-path
/home/.sites/143/site2/web -d www.domain.com -d domain.com --email
user at domain.com --agree-tos --renew-by-default

2.) Check result:

Take note where the client stores the certs. In the above case it'll
probably be something like this:

/etc/letsencrypt/live/www.domain.com/

It actually has only the symlinks to the certs in it, but that's good
enough for this procedure.

3.) Import Intermediate:

/usr/sausalito/sbin/ssl_import.pl -group site2 -type caCert
/etc/letsencrypt/live/www.domain.com/chain.pem -ca-ident "LetsEncrypt"

Note the "group2" in there. You will need to change that to the group #
your Vsite has.

4.) Convert private key from PKCS#8 key to PKCS#1:

cd /etc/letsencrypt/live/www.domain.com/
openssl rsa -in privkey.pem -out key_pcs1.pem

5.) Create combined key + cert for import:

cd /etc/letsencrypt/live/www.domain.com/
cat key_pcs1.pem cert.pem > site2.cert

6.) Import it:

cd /etc/letsencrypt/live/www.domain.com/
/usr/sausalito/sbin/ssl_import.pl -group site2 -type server site2.cert

7.) Go to the GUI of that VSite and check the "SSL" menu entry for it.
It should show the "Let's Encrypt" cert there as active and should have
the "LetsEncrypt" Intermediate under "Cert Authorities".

So what you were missing was the step #4 where I converted the key to
PKCS#1 format.

-- 
With best regards

Michael Stauber

More information about the Blueonyx mailing list