Hello,
First of all, thank you so much for this great service.
I’m a beginner and want to use your service. Let’s Encrypt has a lot of documents for creating SSL/TLS and…, but most of them are not OK for a beginner like me.
I have some questions and I’m thankful if you help me.
1- To use the Let’s Encrypt service, must my website be up? For example, I have a web server and a domain like “mywebsite.my”. If my web server is down, can I still create the SSL/TLS key?
2- I’m using the Openfire server for instant messaging and it doesn’t have any Apache or Nginx web server, so how can I use Let’s Encrypt SSL/TLS keys?
A1. For typical HTTP authentication, yes.
But you can also choose to have certbot spin up a temporary web server and process the challenge requests itself.
Which is good in situations when you need a cert but NOT for use by a web server (e.g. mail servers).
But there are also other authentication request types; namely DNS, which doesn't involve a web server at all. The entire authentication process happens in your DNS zone.
A2. See A1.
The simplest solution to getting a cert is to have certbot spin up a temporary web server and process the authentication requests itself. You only need to allow port 80 to reach the system where certbot will run.
But to answer your question "how can I use Let’s Encrypt SSL/TLS keys?"
That depends entirely on your "Openfire server". There should be some documentation on how they run their server securely.
Some ACME clients, like certbot, can spin up a temporary webserver solely for the validation of the hostname. It is not required to have your own webserver. However, it is required to have an open port 80 in the case of certbot's internal webserver. Some other clients might have temporary solutions using port 443.
Also, it's possible to use the dns-01 challenge which doesn't use a webserver at all, but (and this shouldn't come as a surprise) uses DNS.
I would recommend the certificatemanager plugin for Openfire if you're not using Openfire 3.2 or newer. According to the manual SSL guide (I don't recommend this manual guide though!) Openfire 3.2 and newer should have some kind of certificate manager in the Admin Console. I'm not sure if this is the same certificatemanager plugin I linked to earlier, but it could be.
Thank you so much for your great help.
Excuse me, what do you mean by a temporary webserver? If I install a Linux distro that connects to the internet directly, can I use “certbot” to generate the keys, or must I install a web server program like Apache on Linux to generate the keys?
I’m using Openfire on the Windows OS. If I generate the keys on Linux, can I use them on Windows?
My website is a subdomain.
Can you show me the commands that I need for generating the keys on the Linux step by step?
Yes, that would allow you to issue a certificate (the corresponding private key would be generated by the client itself) from Let's Encrypt, assuming you've got a publicly resolvable hostname.
No, certbot can use a specific Python module to temporarily set up a webserver program. No Apache or nginx is required.
Also, again, you keep referring to "the keys", which suggests to me you don't really understand TLS that much. Please read something like SSL and SSL Certificates Explained For Beginners to learn more about TLS and the components like certificates and public/private keys. (Note: the guide mentions "Commercial Certificates" and "commercial certificate authorities". This includes Let's Encrypt, even when the certificates from Let's Encrypt are free, as in free beer!)
The ACME client called certbot from EFF, officially recommended by Let's Encrypt, has a beta version for Windows. See the releases page on Github. I must stress this probably is indeed beta and could have a few bugs. However it might be worth trying.
In any case, if certbot on Windows doesn't work, that doesn't matter for the certificate and private key you'll be getting some other way: they work on every OS.
$ sudo -H ./letsencrypt-auto certonly --standalone -d subdomain.mydomain.com -d www.subdomain.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for subdomain.mydomain.com
http-01 challenge for www.subdomain.mydomain.com
Waiting for verification...
Challenge failed for domain subdomain.mydomain.com
Challenge failed for domain www.subdomain.mydomain.com
http-01 challenge for subdomain.mydomain.com
http-01 challenge for www.subdomain.mydomain.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: subdomain.mydomain.com
Type: dns
Detail: No valid IP addresses found for subdomain.mydomain.com
Domain: www.subdomain.mydomain.com
Type: dns
Detail: No valid IP addresses found for www.subdomain.mydomain.com
As I said, my server is not up right now. I used “Certbot” too:
$ sudo certbot certonly --standalone --preferred-challenges tls-sni -d subdomain.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
And:
$ sudo certbot certonly --standalone --preferred-challenges http -d subdomain.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for subdomain.mydomain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. subdomain.mydomain.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for subdomain.mydomain.com
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: subdomain.mydomain.com
Type: None
Detail: No valid IP addresses found for subdomain.mydomain.com
If you can't query a real Internet DNS server and get a valid IP for that name, you won't be able to use HTTP authentication to obtain a cert for it. HTTP authentication requires reaching the site over the Internet - but there is no IP to reach...
Try this command and see for yourself: nslookup subdomain.mydomain.com 8.8.8.8
Thus, my server must be on.
How about “--preferred-challenges tls-sni” and “--preferred-challenges http”?
All websites use the “http” protocol by default. Why does Certbot offer http?
I want my website to use “https”, so must I use the “--preferred-challenges tls-sni” option?
First: You can’t validate via HTTPS before you have HTTPS (sorry, --standalone will do it for you).
Second. LE no longer supports validation via (normal) HTTPS.
[because of a security flaw in the way some hosting companies handle it]
So, you will need an HTTP server to get and renew your certs.
You can use certbot --standalone to spin up a temporary HTTP server.
You can then use those cert(s) to make TLS/HTTPS enabled services - that is the end goal.
Yes*
if you use a real name [subdomain.mydomain.com won’t work].
If that name resolves to an IP that can reach an HTTP server that you control [that may require allowing port 80 through the firewall and/or port forwarding port 80 to the internal system]
[certbot can serve as an HTTP server that you control]