How do I generate the Let's Encrypt certificate and key on my own device? [More info inside]


#8

Hi @_1uke,

When several sites are hosted on the same server, it can be useful to get a single certificate that covers all (or at least several) of those sites’ domains.

Whenever you run certbot certonly, you’ll get a single certificate. If you want that new certificate to cover several domains, all of those domains should be listed with -d parameters. If you want them instead to be covered by separate certificates, you’ll need to run certbot certonly several times.

I’m not using your terms “URL” or “website” because the domain is only one part of the web site. The certificate directly covers domain names, not web sites (for example, in https://www.example.com/foo and https://www.example.com/bar, the domain name is www.example.com).

To learn more about how web servers can host multiple HTTPS sites on the same IP address, you should read about server name indication (SNI) and subject alternative names (SAN). The -d parameters to a single Certbot command provide domain names that will be listed as SANs in the resulting certificate (up to a maximum of 100 names).


#9

Hi @schoen,

I tried to generate a certificate and keys on both my Mac and on my Raspberry Pi, but I seem to be running into problems and I’m not sure what the issue is.

I was hoping you would take a look at the screenshots below and guide me in the right direction.

(Above screenshot from Mac)


#10

(Above screenshot from Raspberry Pi)


#11

Hi @_1uke, the command that you used is wrong in three ways:

  • -d takes a domain name, not a URL. Instead of -d http://example.com/, you should write -d example.com
  • -w has to point at the directory that your web server is serving pages out of…
  • … which is only applicable when your web server is running on the same computer as Certbot, which is not the case here, so --webroot can’t be used at all. Instead, you should be using --manual when getting the certificate on a separate computer from the web server.

An example might look something like

certbot certonly --manual -d example.com -d www.example.com

to get a certificate in this “manual” way to cover example.com and www.example.com.
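Added example, not part of the thread or of Certbot itself: a small Python helper that does what posts #8 and #11 describe by hand. It turns whatever a user typed (a URL such as `http://example.com/`, or a bare name) into a domain name suitable for `-d`, assembles the `certbot certonly --manual` command with one `-d` per name (refusing more than the 100-SAN limit mentioned above), and checks which hostnames a given SAN list would cover, using the usual rule that a wildcard only stands for the whole leftmost label. The function names and the 100-name constant are this example's own; the sample inputs are constructed.

```python
"""Normalise user-supplied names into certbot -d arguments and check SAN coverage.
Added example; not code from the thread or from Certbot."""
import re
from typing import Iterable, List
from urllib.parse import urlsplit

MAX_SANS = 100  # per-certificate SAN limit quoted in the thread
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one DNS label, no leading/trailing '-'


def to_domain(arg: str) -> str:
    """'http://www.Example.com/foo' or 'www.example.com' -> 'www.example.com'.

    Scheme, path, port and userinfo are dropped; anything that is not a
    syntactically valid domain name raises ValueError instead of being
    passed on to certbot.
    """
    s = arg.strip().lower()
    # urlsplit only recognises the host part when a '//' is present
    host = urlsplit(s if "://" in s else "//" + s).hostname
    if not host:
        raise ValueError(f"no host name found in {arg!r}")
    host = host.rstrip(".")
    labels = host.split(".")
    to_check = labels[1:] if labels[0] == "*" else labels  # allow '*.example.com'
    if len(to_check) < 2 or not all(_LABEL.match(l) for l in to_check):
        raise ValueError(f"{host!r} is not a valid domain name")
    return host


def certbot_command(args: Iterable[str], method: str = "--manual") -> List[str]:
    """Build the argv for a single certificate covering every name in args."""
    names: List[str] = []
    for a in args:
        d = to_domain(a)
        if d not in names:  # duplicate -d values would be pointless
            names.append(d)
    if len(names) > MAX_SANS:
        raise ValueError(f"{len(names)} names exceeds the {MAX_SANS}-SAN limit")
    cmd = ["certbot", "certonly", method]
    for n in names:
        cmd += ["-d", n]
    return cmd


def san_matches(host: str, san: str) -> bool:
    """Does one SAN entry cover host? A wildcard matches exactly one leftmost label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        hl, sl = host.split("."), san.split(".")
        return len(hl) == len(sl) and hl[1:] == sl[1:] and hl[0] != ""
    return host == san


def covered(host: str, sans: Iterable[str]) -> bool:
    """True if any SAN in the certificate covers the hostname the browser sent via SNI."""
    return any(san_matches(host, s) for s in sans)


if __name__ == "__main__":
    # constructed inputs: the first mirrors the mistake corrected in post #11
    print(" ".join(certbot_command(["http://example.com/", "www.example.com"])))
    for h in ("www.example.com", "blog.example.com"):
        print(h, "covered:", covered(h, ["example.com", "www.example.com"]))
```

Note that `*.example.com` covers `www.example.com` but neither `example.com` itself nor `a.b.example.com`, which is why the thread's advice to list both the bare and the `www` name with separate `-d` arguments matters.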


#12

For the Raspberry Pi case, I don’t remember if Certbot is available in the repositories or not, and it might be called by the older name of letsencrypt if it is. So you could try

  • sudo apt-get install certbot (without the -t jessie-backports)

and if that doesn’t work

  • sudo apt-get install letsencrypt

and if that doesn’t work, follow the example at https://certbot.eff.org/#pip-other, except with the --manual form that I mentioned above instead of --webroot.


#13

Hi @schoen,

Thanks again for continuing to support me and help me get this figured out.

I feel like we are making progress but I keep seeming to stumble at these last few challenges.

I just ran the script that you prompted me to run but it is returning an error again.

Please could you take a look and let me know what the problem is. (See image below).

Hopefully we will have this figured out soon :slight_smile:

Thanks again for helping me work this out :blush:


#14

You ran “certbot …” rather than “sudo certbot …”, which would run it with root permissions. Can you try running again with “sudo” in front of the command (it will prompt for your password)?


#15

Thanks for getting back to me @serverco and @schoen

I think we are there but I have a few quick follow up questions and I just wanted to check these things out with you.

These questions relate to the screenshots:

  1. Do I have to provide an email address? I am quite happy to mark my calendar to remind myself and don’t need certbot to remind me.

  2. My inbox is pretty full already. Is it worth me getting updates from the EFF? I would be happy to regularly check their website to see what the latest news is.

  3. This is my biggest concern. I have always been told it is a very bad idea to share your IP address. Should I really be agreeing to share my IP address publicly? Anything I need to know before I go ahead and do this, or is it better avoided?

Thank you for helping me understand these last few technicalities :slight_smile:


#16

No. :slight_smile:

Well. There are thousands of websites and other services that know your IP addresses. And there are only 4 billion IPv4 addresses, so anyone can guess yours plus or minus 2 billion. :stuck_out_tongue_winking_eye: It’s up to you whether associating your device’s public IP address with your certificates is considered acceptable. It’s unlikely to be an issue for most people, especially if your IP changes regularly anyway, but it is a consideration if you’re a high-value target of some sort.

At the moment, while Let’s Encrypt asks for permission to share your IP address, they do not yet do it.


#17

As the thread you linked to clarifies, this warning appears when using manual mode because the IP address of (what might be) your personal computer gets logged by Let’s Encrypt as the certificate requestor, and might potentially be published in the future as part of anti-fraud measures. When you are using Certbot or other clients directly on your web server, this warning doesn’t appear because your web server will usually already be associated with its public address by the DNS.


#18

Hello

Thank you to you all for replying to me and especially to you @schoen, for sticking with me and answering all my questions. This is a great help as you are helping me understand things with greater clarity.

Update

You would be right; I would be using my personal computer.

Am I correct in thinking that it could be a bad thing to have the IP of my personal computer logged and potentially made public?

Any thoughts on what the potential risks and dangers are?

Thanks again for your continued help and helping me do everything correctly :slight_smile:


#19

Hi @_1uke,

Having your IP address publicly disclosed is sometimes a risk in terms of being a target for DDoS attacks (if criminals dislike you and want to prevent you from using the Internet), in terms of people trying to hack your computer (though this isn’t the largest vector for hacking attempts today, as opposed to things like e-mail attachments), and in terms of web site operators being more easily able to identify you in their logs even if you don’t log in. It can also in some cases reveal your physical location (companies are trying to make databases that perform this mapping); if revealed regularly, it also has significant privacy consequences because people can tell when you were in place X as opposed to place Y, and when two particular people were or weren’t in the same location together. Those are the main risks that I’m aware of.

As discussed in the other thread, Let’s Encrypt currently doesn’t publish the IP addresses that certificates are requested from, but might decide to do so in the future to enable some kind of anti-fraud analysis and research to help people discover whether or how fake certificates are being requested. So the disclosure risk is also currently hypothetical, but may become real in the future.


#20

@schoen, thanks again for helping me understand what is happening and how it could possibly impact me.

I ended up using https://zerossl.com/ to generate my certificate.

Do you know if this service logs my IP address with a view to possibly making it public? It wasn’t mentioned as I went through the process, so I am assuming it doesn’t.

Anything else I should know about zerossl.com ?


#21

Hi @_1uke,

ZeroSSL may have its own privacy policy but if Let’s Encrypt makes addresses from its logs public, the address that would show up in this case would be ZeroSSL’s, not yours.

The biggest thing to know is that there is no automated renewal in this case and so you’ll have to repeat the process every 90 days.
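Added example, not from the thread: with no automated renewal, the practical check is how many days a certificate has left. The helper below uses the `notAfter` string format that Python's `ssl.getpeercert()` returns, so it can be fed either a value copied from the certificate or one fetched live from the server; the thresholds (90-day lifetime, renew with 30 days to spare) follow Let's Encrypt's lifetime quoted above and Certbot's usual renewal window, and the function names and sample dates are this example's own.

```python
"""Days-to-expiry check for a manually renewed Let's Encrypt certificate.
Added example; not code from the thread or from ZeroSSL/Certbot."""
import socket
import ssl
import time
from typing import Optional

LIFETIME_DAYS = 90       # Let's Encrypt certificate lifetime (see post #21)
RENEW_BEFORE_DAYS = 30   # renew with a month to spare, as Certbot's automation would


def days_remaining(not_after: str, now: Optional[float] = None) -> float:
    """not_after is like 'Mar 15 12:00:00 2024 GMT' (the ssl.getpeercert() format)."""
    expiry = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    return (expiry - now) / 86400.0


def renewal_status(not_after: str, now: Optional[float] = None) -> str:
    """Classify a certificate as 'expired', 'renew now' or 'ok' for a calendar reminder."""
    left = days_remaining(not_after, now)
    if left <= 0:
        return "expired"
    if left <= RENEW_BEFORE_DAYS:
        return "renew now"
    return "ok"


def remote_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Fetch the served certificate's notAfter (needs network; verifies the chain)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # constructed dates: a certificate issued Dec 16 2023 for 90 days, checked on Feb 4 2024
    not_after = "Mar 15 12:00:00 2024 GMT"
    checked_on = ssl.cert_time_to_seconds("Feb 04 12:00:00 2024 GMT")
    print(f"{days_remaining(not_after, checked_on):.0f} days left -> {renewal_status(not_after, checked_on)}")
```

Running `renewal_status(remote_not_after("www.example.com"))` against a live host gives the same three-way answer for whatever is actually being served, which is the value worth putting on the calendar reminder rather than the issue date.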


#22

@_1uke, if you check the ZeroSSL TOS (the link is on the first screen of the SSL Certificate Wizard and you can’t proceed until you actually confirm your acceptance of it), you can see that it includes a Privacy Notice section, which is rather detailed. To put it simply: there is no personally identifiable information collected, or any sort of information that would associate your IP with your certificates or domains. As explained on the site, it is an in-browser application and the server is not aware of what you are doing; even errors the Let’s Encrypt API returns are only seen by yourself in your browser. Your IP would be in the normal web-server logs, like with any web site out there, but again, there is no personally identifiable information collected at all. I hope that clarifies it. If you have any further questions, you can use the contact form on ZeroSSL to get in touch.


#23

If that’s the case, the Let’s Encrypt API servers do see your IP address, and it would potentially be in Let’s Encrypt’s hypothetical future public logs, even if ZeroSSL does nothing to intentionally expose it themselves.


#24

That’s right—thank you both for the correction! (So possibly ZeroSSL ought to warn users about this.)


#25

Well, if Let’s Encrypt is ever to have a plan to publish that sort of logs, I’m sure there will be some sort of advance announcement and changes to SA. If that ever happens, that will certainly be reflected :slight_smile:

As for the overall concern of having your IP known to some service: nowadays you can observe that a freshly installed and booted-up server (or any device exposed to a public network) will get scanned in the first few seconds of uptime. Basically the only way to NOT have your device discovered is not to have it connected to a public network (even better, not to have it connected to any network at all). If that is not an option, you can always try to play with ephemeral IPv6.


#26

@leader, I think the privacy concerns are somewhat distinct from the hacking and scanning concerns, much as a wardialer or telemarketer can call every telephone number in an exchange (and indeed, there are still illicit telemarketers who sometimes do!), but people can still have unlisted telephone numbers, and back in the IP address context especially not want others to be able to infer things like when they personally are home or away, or who is visiting or staying at their home.

But I would definitely agree that people are wrong to think that they can easily hide the existence of Internet servers or services just by not mentioning the addresses to anybody. :slight_smile:

