How to use LE on devices that cannot run webservers


#1

Ok, after reading the documentation, as well as doing a test installation on a Linux server, I am unable to generate a certificate. The problem being, I am trying to create a certificate for an F5 virtual server that I cannot run a webserver on. I also do not have access to my company’s DNS server.

Other forum topics state you can run LE on a Linux server and then import the cert to whatever device you need. However there is no documentation on how to do this. I am running into the issue where my web address is being challenged, but since it doesn’t have a webserver and cannot run LE, how do I find the challenge file after I have created the CSR on my Linux machine? I think I need to then place the challenge file in the domain I am trying to validate… I think.

This seems to be a common problem, but there is really no comprehensive answer for it. Can someone help?


#2

Here are the instructions - but if you can’t modify DNS you will probably have some trouble.

https://letsencrypt.readthedocs.org/en/latest/using.html#manual


#3

Currently you simply need some kind of way of providing a file on port 80 or a special certificate on port 443 via TLS SNI on the host your domain resolves to, there’s no way around it. In the hopefully not too distant future another validation method will be creating a TXT DNS record inside your zone.

If you can provide none of this, it’s unlikely that you’ll ever be able to use Let’s Encrypt, sorry.


#4

Ok I think I understand. But how do you get the challenge file from the Linux box to my webserver? I mean, where is this file located? I see the request being made to the webserver looking for the challenge file, but the Linux LE client never told me it had generated this challenge file…


#5

Have a look at the webroot mode, the standalone mode or the manual mode. They allow you to specify the document root, run its own server or instruct you on what to put where respectively.


#6

ok let me take a look


#7

ok I am looking through the Let’s Encrypt installation directory on my Linux machine. But I don’t know what I need to host in:

myserver.com/.well-known/acme-challenge/

What is the challenge file? Where is it located on the Linux machine? I am following the Standard and/or manual method. I don’t think webroot will work for me as I am not running an Apache server with the website hosted on my Linux machine. My Linux machine is not hosting the website, it is hosted on an IIS server. My understanding is the IIS server just needs to have whatever the challenge file is in the /.well-known/acme-challenge/ path.


#8

Yes that’s right. I never ran it myself but I would expect the manual mode to tell the name and the content of the file you should create. It’s not static but returned by the server as you request authorization for a domain.


#9

I believe manual mode gives you commands to start a standalone server. The contents to place in the directory are likely in the command. I’ve not tried the manual method yet, so I’m just going on what I’ve seen.


#10

When I try to run manual mode I receive this in the Linux console:

Command: ./letsencrypt-auto certonly --manual

Updating letsencrypt and virtual environment
dependencies…

Running with virtualenv:
/root/.local/share/letsencrypt/bin/letsencrypt --manual

Too many flags setting
configurators/installers/authenticators ‘standalone’ -> ‘manual’

Am I missing something, because the only thing the User manual says to do is run this command and everything should work. There is no other “official” documentation in the User Manual…


#11

Reinstalling and trying again…


#12

I just issued a manual certificate, here’s the command and what it looks like:

~/letsencrypt(branch:master) » ./letsencrypt-auto certonly \
   -a manual \
   -d mydomainhere \
   --server https://acme-v01.api.letsencrypt.org/directory
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: sudo /home/username/.local/share/letsencrypt/bin/letsencrypt certonly -a manual -d mydomainhere --server https://acme-v01.api.letsencrypt.org/directory
[sudo] password for username:

Make sure your web server displays the following content at
http://mydomainhere/.well-known/acme-challenge/Nmx4bh80ug0hE2RNHGwiU8DGCqyDk8JL425sajwOJY4 before continuing:

Nmx4bh80ug0hE2RNHGwiU8DGCqyDk8JL425sajwOJY4.tvtHjCJm_T_2PKYEEFgaltNUqW3p2NEO4nsTefQ1fv8

If you don't have HTTP server configured, you can run the following
command on the target server (as root):

 **Curses screen with notice about recording IP removed**

Press ENTER to continue

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mydomainhere/fullchain.pem.........

#13

Ok we have it, let me write a short guide:

After installing Git and Let’s Encrypt:

In directory ~/src/letsencrypt, command: ./letsencrypt-auto certonly --manual --text

(we specified --text to get rid of the blue screen stuff)

The output we received is:

Please enter in your domain name(s) (comma and/or space
separated) (Enter 'c' to cancel): access.ourwebsite.com

Are you OK with your IP being logged? Yes

Output:

Make sure your web server displays the following content at

http://access.ourserver.com/.well-known/acme-challenge/B43rMQ7uHOzoOLIddYeTuxpHDF-S_phbNaD123Skl66
before continuing:

If you are doing a manual installation and running a webserver somewhere else, like in IIS:
Then make a copy of the on-screen instructions, open a 2nd console window and do the following:

mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html

# the content printed on screen goes into a file named after the token in the URL
printf "%s" <whatever our challenge content was> > .well-known/acme-challenge/<token from the URL>

$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer;
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler);
s.serve_forever()"

BEFORE PRESSING ENTER: We had opened WinSCP and had to manually enter the path /tmp/letsencrypt/public_html/.well-known/acme-challenge because you cannot browse through winscp to this directory as it is hidden.

You then see your challenge files. These files need to be copied to your IIS server:

In our case we had an IIS server running on port 80: access.ourserver.com and created the virtual directory /.well-known/acme-challenge and placed the challenge files in that path.

THEN in the linux console you hit Enter to continue and you should see:

Output:

IMPORTANT NOTES:

- Congratulations! Your certificate and chain have been
saved at /etc/letsencrypt/live/access.ourserver.com/fullchain.pem. Your cert will expire on 2016-03-03. To obtain a new version of the certificate in the future, simply run Let’s Encrypt again


… Some text omitted

lrwxrwxrwx 1 root root 42 Dec 4 19:22 cert.pem -> ../../archive/access.ourserver.com/cert1.pem
lrwxrwxrwx 1 root root 43 Dec 4 19:22 chain.pem -> ../../archive/access.ourserver.com/chain1.pem
lrwxrwxrwx 1 root root 47 Dec 4 19:22 fullchain.pem -> ../../archive/access.ourserver.com/fullchain1.pem
lrwxrwxrwx 1 root root 45 Dec 4 19:22 privkey.pem -> ../../archive/access.ourserver.com/privkey1.pem

You will then again need to manually browse in WinSCP to this directory as it is hidden, and you then have your free certificate.

Sorry for the bad editing, but all the necessary info should be here. With this we were able to accomplish a few things: a manual certificate creation, an IIS server certificate installation, and an F5 device certificate installation.

What we did on our F5:

We have an F5 running on https://access.ourserver.com, running on port 443 obviously. And on an internal network we just started up a Windows server and added the IIS service to host a webpage.

In the F5 we created a virtual server named access.ourserver.com with the same IP as our webtop link that accesses the internal network, 172.25.1.100 (example: if we go to https://172.25.1.100 we arrive at our webtop and start a remote session to an internal server at 192.168.1.x). The virtual server is on port 80, and we created a pool with the internal address 192.168.1.10:80 for our webserver.

Also note: 172.25.1.100 and access.ourserver.com resolve to the same F5 webtop

By doing this we were able to resolve http://access.ourserver.com to our IIS landing page. In IIS, as I said, we added the virtual directory /.well-known/, added the directory /acme-challenge/ under it, and placed the created challenge file into this directory.

Sorry for rambling and the incoherence of this post.
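The manual-mode procedure in posts #12 and #13 comes down to one check: before you press ENTER, the exact content the client printed must be served, byte for byte, at http://<domain>/.well-known/acme-challenge/<token> on whatever host the name resolves to (here the IIS box behind the F5). The following Python 3 script is an added example, not code from this thread or from the letsencrypt client. It parses the prompt text, writes the challenge file into a webroot, and fetches it back over plain HTTP the way the CA would, so a mismatch (wrong file name, a stray newline added by an editor, a hidden directory IIS refuses to serve) shows up before the CA records a failed validation. The sample prompt, the host access.example.com, and the token and key-authorization strings are constructed placeholders; the function names (`parse_prompt`, `preflight`, `verify_served` and so on) are my own. It needs Python 3.7 or later.

```python
"""Pre-flight check for a Let's Encrypt HTTP-01 manual challenge.

Added example; not part of the forum thread or of the letsencrypt client.
Given the text the client prints in manual mode, it writes the challenge
file into a webroot and fetches it back over plain HTTP, comparing the body
byte for byte, so you know what the CA will see before pressing ENTER.
Requires Python 3.7+ (ThreadingHTTPServer, directory= on the handler).
"""
import functools
import http.server
import os
import re
import tempfile
import threading
import urllib.error
import urllib.request

# URL path the CA fetches, and the same path as a directory on disk.
CHALLENGE_URL_DIR = ".well-known/acme-challenge"
CHALLENGE_FS_DIR = os.path.join(*CHALLENGE_URL_DIR.split("/"))

# Constructed sample of the manual-mode prompt. Host, token and key
# authorization are placeholders shaped like the real ones, not real values.
SAMPLE_PROMPT = """Make sure your web server displays the following content at
http://access.example.com/.well-known/acme-challenge/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA before continuing:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
"""

PROMPT_RE = re.compile(
    r"http://(?P<host>[^/\s]+)/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)"
    r"\s+before continuing:\s+(?P<content>[A-Za-z0-9_.-]+)")


def parse_prompt(text):
    """Return (host, token, content) from the manual-mode prompt.
    Content is '<token>.<key-authorization>' (ACME HTTP-01); its token half
    must equal the token in the URL, or the text was mangled when copied."""
    m = PROMPT_RE.search(text)
    if not m:
        raise ValueError("could not find challenge URL and content in prompt")
    host, token, content = m.group("host"), m.group("token"), m.group("content")
    if content.count(".") != 1 or not content.startswith(token + "."):
        raise ValueError("challenge content does not match the token in the URL")
    return host, token, content


def write_challenge(webroot, token, content):
    """Create <webroot>/.well-known/acme-challenge/<token> holding the content.
    Binary, no trailing newline: the CA compares the body exactly, and an
    editor appending '\\n' when pasting into IIS is a classic failure cause."""
    path = os.path.join(webroot, CHALLENGE_FS_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(content.encode("ascii"))
    return path


def fetch_challenge(base_url, token, timeout=5):
    """GET the challenge like the CA does (plain HTTP, no cookies, no auth).
    Returns (status, body); status is None when the server is unreachable."""
    url = "%s/%s/%s" % (base_url.rstrip("/"), CHALLENGE_URL_DIR, token)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy env
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()
    except (urllib.error.URLError, OSError):
        return None, b""


def verify_served(base_url, token, content):
    """True only if the challenge URL answers 200 with exactly the content."""
    status, body = fetch_challenge(base_url, token)
    return status == 200 and body == content.encode("ascii")


def preflight(prompt_text, webroot, base_url=None):
    """Parse the prompt, write the file under webroot, fetch it back.
    base_url defaults to http://<host from the prompt> (the public front end);
    pass a local URL to test against a throwaway server instead."""
    host, token, content = parse_prompt(prompt_text)
    write_challenge(webroot, token, content)
    return verify_served(base_url or "http://" + host, token, content)


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep request logging off the console
        pass


def serve_webroot(webroot):
    """Throwaway HTTP server on 127.0.0.1:<free port> rooted at webroot (the
    Python 3 counterpart of the python2 one-liner the client suggests).
    Returns (server, base_url); call server.shutdown() when finished."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def self_test():
    """Run the whole flow locally: a correct file must pass and the same file
    with a stray trailing newline must fail. Returns True when both hold."""
    with tempfile.TemporaryDirectory() as webroot:
        server, base_url = serve_webroot(webroot)
        try:
            ok = preflight(SAMPLE_PROMPT, webroot, base_url)
            _, token, content = parse_prompt(SAMPLE_PROMPT)
            with open(os.path.join(webroot, CHALLENGE_FS_DIR, token), "ab") as f:
                f.write(b"\n")  # simulate an editor adding a newline
            still_ok = verify_served(base_url, token, content)
        finally:
            server.shutdown()
            server.server_close()
    return ok and not still_ok


if __name__ == "__main__":
    print("self-test passed" if self_test() else "self-test FAILED")
```

In the setup from this thread you would paste the client's prompt into `parse_prompt`, copy the file `write_challenge` produced into the IIS virtual directory, and then call `verify_served("http://access.ourserver.com", token, content)` from any machine outside the internal network; only when that returns True is it worth pressing ENTER, because the CA's request arrives at the F5 virtual server on port 80 exactly like that one does.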


#14

And thank you all for the help. I hope this guide helps clear up some things for others wanting to try this.