I want to test Pebble by using Certbot. Pebble is running at "https://localhost:14000/dir", so that's my test:
sudo certbot certonly --standalone -d freizeitkarte-osm.de --server https://localhost:14000/dir
Pebble rejects the connection:
2018/04/02 18:56:27 http: TLS handshake error from [::1]:58130: remote error: tls: unknown certificate authority
Pebble comes with:
~/go/src/github.com/letsencrypt/pebble/test/certs$ ls -la
drwxr-xr-x 5 klaus staff 170 29 Mär 15:45 localhost
-rw-r--r-- 1 klaus staff 1679 29 Mär 15:45 pebble.minica.key.pem
-rw-r--r-- 1 klaus staff 1115 29 Mär 15:45 pebble.minica.pem
~/go/src/github.com/letsencrypt/pebble/test/certs$ ls -l localhost
-rw-r--r-- 1 klaus staff 1139 29 Mär 15:45 cert.pem
-rw-r--r-- 1 klaus staff 1675 29 Mär 15:45 key.pem
Probably a security / key problem. Currently it's unclear to me how I have to configure Certbot to use the right keys.
Klaus
Your ACME server doesn't have a valid SSL certificate. You need to add --no-verify-ssl to your certbot command to get it to ignore that.
Hmm, my understanding is that Pebble has this server certificate:
~/go/src/github.com/letsencrypt/pebble/test/certs$ sudo openssl x509 -in pebble.minica.pem -text
Password:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2657928050610294462 (0x24e2db7acf2c4ebe)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=minica root ca 24e2db
Validity
Not Before: Dec 6 19:42:10 2017 GMT
Not After : Dec 6 19:42:10 2117 GMT
Subject: CN=minica root ca 24e2db
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
...
Klaus
cpu
April 4, 2018, 4:28pm
That's the CA certificate that issued Pebble's API endpoint certificate. The leaf certificate used by the Pebble API endpoint is test/certs/localhost/cert.pem by default.
What @patches is saying is that since the Pebble CA certificate isn't in your system trust store you need to either:
Disable certificate validation in Certbot with --no-verify-ssl (icky, but maybe the path of least resistance for local testing)
Configure Certbot to trust the Pebble CA certificate by adding REQUESTS_CA_BUNDLE=<PEBBLE SRC DIR>/test/certs/pebble.minica.pem to the front of your certbot command line.
Hope that helps,
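The trust failure from the Pebble log and the check that confirms the second fix, reproduced offline: a throwaway self-signed root stands in for test/certs/pebble.minica.pem and a leaf for localhost stands in for test/certs/localhost/cert.pem, and the leaf is verified once against the system store (the state certbot is in by default) and once against the root as a CA bundle. This is an added example, not code from the thread or from the Pebble project; it assumes the openssl CLI is installed, and every certificate name in it is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the Pebble project. Recreates the
# "unknown certificate authority" situation offline: a throwaway root stands
# in for test/certs/pebble.minica.pem and a leaf for localhost stands in for
# test/certs/localhost/cert.pem. Requires the openssl CLI. All names constructed.
set -eu

# make_test_pki DIR: write ca.pem/ca.key (self-signed root) and leaf.pem
# (CN=localhost, signed by that root) into DIR.
make_test_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=constructed test root" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=localhost" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -sha256 -in "$d/leaf.csr" -CA "$d/ca.pem" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
}

# verify_leaf LEAF [CAFILE]: returns 0 when LEAF chains to a trusted root.
# With no CAFILE only the system trust store is consulted, which is the state
# certbot is in until REQUESTS_CA_BUNDLE points it at the Pebble root.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

# Run both checks against freshly generated files; with a real Pebble checkout
# the same call is: verify_leaf test/certs/localhost/cert.pem test/certs/pebble.minica.pem
demo() {
  d=$(mktemp -d)
  make_test_pki "$d"
  if verify_leaf "$d/leaf.pem"; then
    echo "system store: accepted (unexpected for a throwaway root)"
  else
    echo "system store: rejected, the handshake would fail as in the Pebble log"
  fi
  if verify_leaf "$d/leaf.pem" "$d/ca.pem"; then
    echo "with root as CA bundle: verified, safe to use as REQUESTS_CA_BUNDLE"
  else
    echo "with root as CA bundle: still rejected, check the bundle path"
  fi
  rm -rf "$d"
}
demo
```

Against a running Pebble the same trust check can be made on the live endpoint with openssl s_client -connect localhost:14000 -CAfile test/certs/pebble.minica.pem, which reports the verify result for the leaf Pebble actually serves.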
Thanks ... the environment setting does what I was looking for:
sudo REQUESTS_CA_BUNDLE=pebble.minica.pem certbot certonly --webroot -w /var/www/freizeitkarte-osm.de -d freizeitkarte-osm.de --server https://localhost:14000/dir
Klaus