Create certificates manually without ACME client software

My domain is: rsb.at
My web server is (include version): Apache 2.24.x
The operating system my web server runs on is (include version): Ubuntu

How can I create a certificate without using Certbot or any other ACME client software?

I used ZeroSSL but they changed their policy and CA so that I have to recreate certificates from scratch.

Addition: I read around a little and learned two things:
a) ACME clients are mandatory (as they are supposed to be more modern)
b) there are several issues with Certbot (the recommended way to install certificates)

Conclusion: I will install certbot and read the source. That will reveal the manual way. If certbot proves to be stable in my situation, I might use the automation later.
Maybe providing a manual way would be helpful after all.

1 Like

Let's Encrypt offers the API, which is used by the software to get you the certificate. In the case of ZeroSSL you still used the software, it was just running in your browser. You could for example grab the latest Crypt::LE Windows binary (single file, no installation required) and run it interactively as well (it can also be run in automated mode) with something like this to get the certificate for your domain:

le64.exe -email "contact@rsb.at" -key account.key -csr domain.csr -csr-key domain.key -crt domain.crt -domains "www.rsb.at,rsb.at" -generate-missing -live

More documentation can be found here. You can also pick any other client you like from the rather long list of those.

1 Like
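For the Mac and Ubuntu machines mentioned in this thread, the files named in the le64 command above (account.key, domain.key, domain.csr) can be created with plain openssl and passed to a client that accepts an existing CSR, as that command does with -csr. This is an added example, not part of any post; the function names make_csr, csr_names and check_csr are made up here, and it assumes OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example (not from the thread). File names follow the le64 command;
# function names are hypothetical. Requires OpenSSL 1.1.1+ (-addext).
set -eu

# make_csr DIR DOMAIN [DOMAIN...]
# Writes account.key, domain.key and domain.csr into DIR.
# The body runs in a subshell, so umask and variables stay local.
make_csr() (
    dir=$1; shift
    san=""
    for d in "$@"; do san="${san:+$san,}DNS:$d"; done
    umask 077    # private keys readable by the owner only
    openssl genrsa -out "$dir/account.key" 2048 2>/dev/null
    openssl genrsa -out "$dir/domain.key" 2048 2>/dev/null
    # CN is the first name; every name, CN included, is also listed as a SAN.
    openssl req -new -key "$dir/domain.key" -subj "/CN=$1" \
        -addext "subjectAltName=$san" -out "$dir/domain.csr"
)

# csr_names CSR: print the DNS names in the CSR, sorted, one per line.
csr_names() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | sort
}

# check_csr CSR DOMAIN...: succeed only if the CSR's self-signature verifies
# and its SAN list is exactly the given set of names.
check_csr() (
    csr=$1; shift
    # Match on the message: the exit status of -verify differs between versions.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || exit 1
    [ "$(csr_names "$csr")" = "$(printf '%s\n' "$@" | sort)" ]
)

# Usage:
#   make_csr . rsb.at www.rsb.at
#   check_csr domain.csr rsb.at www.rsb.at && echo "CSR is ready to submit"
```

Running check_csr before submitting catches a CSR that is missing one of the names, which would otherwise only show up when the issued certificate fails to match the second hostname.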

@leader: Thanks for the prompt reply.
I use Mac as clients and Ubuntu as servers. No Windows I’m afraid and no Perl either.
I will search for some Python or Bash client to get me along.
Also thanks for the documentation hints.

1 Like

Today a very popular client is https://acme.sh/, if you’re looking for a relatively self-contained client written in the Bourne shell.

...which was ACME client software, just software that ran on someone else's web site.

It has nothing to do with being more modern, as such. Rather, it's down to the design of Let's Encrypt. It's designed to be used only through automated means--you set up your client (whichever one you like, and there are lots to choose from), and it not only obtains the cert, it automatically renews it for you when necessary (and since the certs are only valid for 90 days, this is needed fairly frequently). Doing this means (among other things) that it's very unlikely you'll see a certificate expire, which is fairly common when it's a manual process.

I'm not a big fan of certbot myself (mainly due to the ridiculous amount of dependencies), but it works well enough for what it does. Assuming it's compatible with your environment, it would likely be fine. And you can run it in manual mode if you like, so it won't make any changes or put any files anywhere other than the certificate files.

1 Like

@danb35: thanks for your reply.
I do understand that ZeroSSL was a web frontend to Let's Encrypt and now isn’t any more.

I reviewed some of the ACME clients but decided on Certbot. However, after using it, I still think that I want to find a more suitable solution (stability, functionality and user friendliness).

btw. Which dependencies were you talking about (I presume you mean additional python libraries which looked OK to me)?

Yes, right now the current Certbot in Ubuntu has

Depends: python3-acme (>= 0.26.0~), python3-requests (>= 2.4.3), python3-configargparse (>= 0.10.0), python3-configobj, python3-cryptography (>= 1.2), python3-josepy, python3-mock, python3-parsedatetime (>= 1.3), python3-pkg-resources, python3-rfc3339, python3-tz, python3-zope.component, python3-zope.interface, python3:any (>= 3.3.2-2~)

That's kind of a lot in comparison to other ACME clients. (I think I was personally responsible for introducing the configobj and parsedatetime dependencies—sorry!)
