How to use Certbot with Pebble?


I want to test Pebble by using Certbot. Pebble is running at “https://localhost:14000/dir” so that’s my test:

sudo certbot certonly --standalone -d --server https://localhost:14000/dir

Pebble rejects the connection:

2018/04/02 18:56:27 http: TLS handshake error from [::1]:58130: remote error: tls: unknown certificate authority

Pebble comes with:

~/go/src/$ ls -la
drwxr-xr-x 5 klaus staff 170 29 Mär 15:45 localhost
-rw-r--r-- 1 klaus staff 1679 29 Mär 15:45 pebble.minica.key.pem
-rw-r--r-- 1 klaus staff 1115 29 Mär 15:45 pebble.minica.pem

~/go/src/$ ls -l localhost
-rw-r--r-- 1 klaus staff 1139 29 Mär 15:45 cert.pem
-rw-r--r-- 1 klaus staff 1675 29 Mär 15:45 key.pem

Probably a security / key problem. Currently it’s unclear to me how I have to configure Certbot to use the right keys.



Your ACME server doesn’t have a valid SSL certificate. You need to add --no-verify-ssl to your certbot command to get it to ignore that.


Hmm, my understanding is that Pebble has this server certificate:

~/go/src/$ sudo openssl x509 -in pebble.minica.pem -text
        Version: 3 (0x2)
        Serial Number: 2657928050610294462 (0x24e2db7acf2c4ebe)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=minica root ca 24e2db
            Not Before: Dec  6 19:42:10 2017 GMT
            Not After : Dec  6 19:42:10 2117 GMT
        Subject: CN=minica root ca 24e2db
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)



That’s the CA certificate that issued Pebble’s API endpoint certificate. The leaf certificate used by the Pebble API endpoint is test/certs/localhost/cert.pem by default.

What @patches is saying is that since the Pebble CA certificate isn’t in your system trust store you need to either:

  1. Disable certificate validation in Certbot with --no-verify-ssl (icky, but maybe the path of least resistance for local testing)
  2. Configure Certbot to trust the Pebble CA certificate by adding REQUESTS_CA_BUNDLE=<PEBBLE SRC DIR>/test/certs/pebble.minica.pem to the front of your certbot command line.

Hope that helps,
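
The two options above differ only in where the trust anchor comes from. The script below is an added example, not part of the thread and not Pebble's or Certbot's own code: it generates a throwaway root plus a localhost leaf with openssl (stand-ins for pebble.minica.pem and localhost/cert.pem, since Pebble's real files are not needed to see the effect), then shows that the leaf fails verification against the system store ("unknown certificate authority") and passes once the root is supplied as the CA bundle, which is exactly what REQUESTS_CA_BUNDLE does for Certbot. The directory layout, the CN strings and the example domain are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces, offline, why Certbot rejects
# Pebble's endpoint certificate and why pointing REQUESTS_CA_BUNDLE at the
# minica root fixes it. Uses a freshly generated CA in place of Pebble's
# test/certs files; all paths and names below are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_test_ca DIR: create a self-signed root (stand-in for pebble.minica.pem)
# and a leaf for localhost signed by it (stand-in for localhost/cert.pem).
make_test_ca() {
  dir="$1"
  mkdir -p "$dir/localhost"
  # Root CA: openssl req -x509 marks it CA:TRUE by default.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 36500 \
    -subj "/CN=test minica root ca" \
    -keyout "$dir/pebble.minica.key.pem" -out "$dir/pebble.minica.pem" >/dev/null 2>&1
  # Leaf key + CSR for the ACME endpoint host.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$dir/localhost/key.pem" -out "$dir/localhost/csr.pem" >/dev/null 2>&1
  # SAN must cover the name in the --server URL (https://localhost:14000/dir).
  printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\n' > "$dir/localhost/ext.cnf"
  openssl x509 -req -sha256 -days 36500 -in "$dir/localhost/csr.pem" \
    -CA "$dir/pebble.minica.pem" -CAkey "$dir/pebble.minica.key.pem" -CAcreateserial \
    -extfile "$dir/localhost/ext.cnf" -out "$dir/localhost/cert.pem" >/dev/null 2>&1
}

# verify_leaf LEAF [CAFILE]: return 0 if LEAF chains to CAFILE (or, with no
# CAFILE, to the system trust store) and its SAN matches "localhost"; else 1.
# Without CAFILE this is the situation Certbot was in: the minica root is not
# in the system store, so the handshake fails with "unknown certificate authority".
verify_leaf() {
  leaf="$1"; ca="$2"
  if [ -n "$ca" ]; then
    if openssl verify -CAfile "$ca" -verify_hostname localhost "$leaf" >/dev/null 2>&1; then
      return 0
    fi
  elif openssl verify -verify_hostname localhost "$leaf" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# certbot_cmd CAFILE DOMAIN: print the command shape the thread arrives at.
# REQUESTS_CA_BUNDLE is read by the Python requests library Certbot uses for
# its ACME client; it replaces the default trust store rather than adding to it.
certbot_cmd() {
  printf 'REQUESTS_CA_BUNDLE=%s certbot certonly --standalone -d %s --server https://localhost:14000/dir\n' "$1" "$2"
}

# Stand-alone demo.
make_test_ca "$WORK"
if verify_leaf "$WORK/localhost/cert.pem"; then
  echo "unexpected: leaf verified against the system store"
else
  echo "system store: verification fails (this is Certbot's 'unknown certificate authority')"
fi
if verify_leaf "$WORK/localhost/cert.pem" "$WORK/pebble.minica.pem"; then
  echo "with CA bundle: verification succeeds"
fi
certbot_cmd "$WORK/pebble.minica.pem" example.test
```

Note that REQUESTS_CA_BUNDLE replaces the default bundle for that Certbot run, so it is the right tool for a local Pebble test and not something to export globally in a shell profile, where it would break TLS validation to every other host.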


Thanks … the environment setting does what I was looking for:

sudo REQUESTS_CA_BUNDLE=pebble.minica.pem certbot certonly --webroot -w /var/www/ -d --server https://localhost:14000/dir


