How to use Certbot with Pebble?

I want to test Pebble by using Certbot. Pebble is running at “https://localhost:14000/dir” so that’s my test:

sudo certbot certonly --standalone -d freizeitkarte-osm.de --server https://localhost:14000/dir

Pebble rejects the connection:

2018/04/02 18:56:27 http: TLS handshake error from [::1]:58130: remote error: tls: unknown certificate authority

Pebble comes with:

~/go/src/github.com/letsencrypt/pebble/test/certs$ ls -la
drwxr-xr-x 5 klaus staff 170 29 Mär 15:45 localhost
-rw-r--r-- 1 klaus staff 1679 29 Mär 15:45 pebble.minica.key.pem
-rw-r--r-- 1 klaus staff 1115 29 Mär 15:45 pebble.minica.pem

~/go/src/github.com/letsencrypt/pebble/test/certs$ ls -l localhost
-rw-r--r-- 1 klaus staff 1139 29 Mär 15:45 cert.pem
-rw-r--r-- 1 klaus staff 1675 29 Mär 15:45 key.pem

Probably a security / key problem. Currently it’s unclear to me how I have to configure Certbot to use the right keys.

Klaus

Your ACME server doesn’t have a valid SSL certificate. You need to add --no-verify-ssl to your certbot command to get it to ignore that.

1 Like

Hmm, my understanding is that Pebble has this server certificate:

~/go/src/github.com/letsencrypt/pebble/test/certs$ sudo openssl x509 -in pebble.minica.pem -text
Password:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2657928050610294462 (0x24e2db7acf2c4ebe)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=minica root ca 24e2db
        Validity
            Not Before: Dec  6 19:42:10 2017 GMT
            Not After : Dec  6 19:42:10 2117 GMT
        Subject: CN=minica root ca 24e2db
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
...

Klaus

That's the CA certificate that issued Pebble's API endpoint certificate. The leaf certificate used by the Pebble API endpoint is test/certs/localhost/cert.pem by default.

What @patches is saying is that since the Pebble CA certificate isn't in your system trust store you need to either:

  1. Disable certificate validation in Certbot with --no-verify-ssl (icky, but maybe the path of least resistance for local testing)
  2. Configure Certbot to trust the Pebble CA certificate by adding REQUESTS_CA_BUNDLE=<PEBBLE SRC DIR>/test/certs/pebble.minica.pem to the front of your certbot command line.

Hope that helps,

2 Likes
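
The CA-versus-leaf relationship described in the answer above, as an added example that is not part of the original thread: it builds a throwaway root and a localhost leaf, then shows that the leaf verifies only when the issuing CA file is supplied. It assumes the `openssl` CLI is on the PATH; the function names and all certificates are constructed for illustration.

```sh
#!/bin/sh
# Added example. All names, paths and certificates are constructed.

# Build a throwaway root CA and a "localhost" leaf signed by it in dir $1.
make_test_pki() {
    d=$1
    cat >"$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = constructed test root
[v3_ca]
basicConstraints = critical,CA:TRUE
[leaf_ext]
subjectAltName = DNS:localhost
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/openssl.cnf" \
        -keyout "$d/ca.key.pem" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
        -subj "/CN=localhost" -keyout "$d/leaf.key.pem" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key.pem" \
        -CAcreateserial -days 1 -extfile "$d/openssl.cnf" -extensions leaf_ext \
        -out "$d/leaf.pem" 2>/dev/null
}

# True only if leaf $2 chains to CA file $1, i.e. $1 is a usable value for
# REQUESTS_CA_BUNDLE when the server presents $2.
ca_validates_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same leaf checked against OpenSSL's default trust store only, standing in
# for a client that was never told about the private CA.
default_store_validates_leaf() {
    openssl verify "$1" >/dev/null 2>&1
}

demo() {
    tmp=$(mktemp -d) && make_test_pki "$tmp" || return 1
    ca_validates_leaf "$tmp/ca.pem" "$tmp/leaf.pem" && echo "CA file given: leaf verifies"
    default_store_validates_leaf "$tmp/leaf.pem" || echo "default store: leaf rejected"
    rm -rf "$tmp"
}
demo
```

Against a Pebble checkout, the same check is `ca_validates_leaf test/certs/pebble.minica.pem test/certs/localhost/cert.pem`, run from the Pebble source directory. A relative path in REQUESTS_CA_BUNDLE is resolved against the directory the command is run from.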

Thanks ... the environment setting does what I was looking for:

sudo REQUESTS_CA_BUNDLE=pebble.minica.pem certbot certonly --webroot -w /var/www/freizeitkarte-osm.de -d freizeitkarte-osm.de --server https://localhost:14000/dir

Klaus

2 Likes
