How to generate a "crt" file with Let's Encrypt?

Hi all!

Here is my question:

I'd like to obtain a "crt" Let's Encrypt certificate, but not for website purposes.
The aim is to "certify" an HTTPS proxy.

Is it possible?

Thanks for your answers.

Olivier

Yes, what operating system are you on and which https proxy server are you using? Certbot can probably do it for you, you may need to use DNS validation if http validation won't work for you.

4 Likes

With what purpose? You can't use LE certs to sign other certs on the fly for outgoing HTTPS connections so your proxy can inspect the connections.

5 Likes

See:

FAQ - Let's Encrypt

What services does Let’s Encrypt offer?

Let’s Encrypt is a global Certificate Authority (CA). We let people and organizations around the world obtain, renew, and manage SSL/TLS certificates. Our certificates can be used by websites to enable secure HTTPS connections.

Does Let’s Encrypt issue certificates for anything other than SSL/TLS for websites?

Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.

3 Likes

Hello, I understand that LE will not provide a certificate for an HTTPS proxy.

Thanks for your reply, and if anyone has advice on another brand delivering certificates, thanks for your answer.

So long !
Olivier

1 Like

You still haven't told us the actual intended use of the certificate.

4 Likes

Certificate for what kind of proxy? Forward or reverse?

3 Likes

Hi again:

I am setting up an HTTPS proxy for child protection purposes, and the proxy (Squid) needs a CRT file. When I set up an auto-signed certificate (OpenSSL), the browsers (Safari, for example) refuse to pass through this "anonymous" certificate. This is why I'd like to test with a "real" certificate, free or not.

Thanks again for your time

Olivier

Squid Https Proxy..


If you control the systems that will be using the proxy, you can provide your own self-signed cert and simply add it to each of those clients' certificate trust stores.

5 Likes

A real certificate from Let's Encrypt isn't going to help because whichever cert you get it's not going to match the domain being requested by the browser [for instance, you can't use it to get a cert for google.com because you don't control google.com at all]. So the user will still get browser errors (because you are trying to be a Man-In-The-Middle).

As @rg305 suggested, if you need to dynamically intercept https requests and still have the browser trust them, then your proxy needs to be able to generate certificates on demand as it encounters each new domain, and you need to distribute the proxy's root certificate (which is issuing all these fake domain certs) to all your clients (e.g. your school computers) and install it in the respective root CA trust stores.

If you didn't need to do all this then anyone could just run a fake wifi hotspot with a proxy and intercept all the https traffic. In the old days it was indeed possible to do that, but not anymore.

5 Likes

Hello All, and thanks Webprofusion / rg305 for your answers.

At this point, my proxy presents a certificate (squid.crt), generated by openssl, which is installed on the computers or phones.

When I use Chrome on the PC, no problem, but when I use Safari on an iPad, Apple refuses to work with this "untrusted" network.

My idea was first to try with Let's Encrypt, and if not possible, to buy a certificate (GlobalSign, VeriSign...?)

..but I am not sure of the result..

Thanks again anyway

They have different locations where they store their trusted root certs.
You will have to add your "squid.crt" into all their locations.

5 Likes