Is there a way I can just provide a CSR and get a cert manually?


#1

My web server is not a standard Apache server, so the certbot software won’t work. However the SSL certs used are Apache format. And I can generate a CSR from my server. That’s what I do when purchasing SSL certs from GoDaddy.

I know I need to manually redo this every so often with Let’s Encrypt until I figure out how to automate it. But in the meantime, is there some way I can manually submit my SSL request and get a cert in return? I can authenticate with files uploaded to my server as needed.

Thanks,

doug


#2

Yes, with a third-party service such as https://gethttpsforfree.com

Please read the warning of that post before: Web browser based ACME clients

And do not forget that Let’s Encrypt certificates are only valid for 90 days so you need to renew them manually every two months.


#3

Agh! I got all the way through all the steps to the very last step with no errors and at the very last generate cert step this error came up:

Error: Finalizing failed. Please start back at Step 1. { “type”: “urn:ietf:params:acme:error:malformed”, “detail”: “Error finalizing order :: signature algorithm not supported”, “status”: 400 }

Agh!

I think I’ll go to sleep for tonight.


#4

Maybe that answer can help? https://github.com/diafygi/gethttpsforfree/issues/62#issuecomment-187401265


#5

Howcome? Certbot can also run without direct Apache integration.


#6

For example, with certbot certonly --webroot (if you can serve static files with your existing non-Apache web server) or certbot certonly --standalone (if you can stop your existing web server temporarily).


#7

I didn’t realize this. I will give it a try. If it’s possible to do with simple shell commands like that, maybe that’s also a guide to help me integrate certbot into my server so it can do it automatically later on. I’ll give it a try and report back. Thanks.


#8

I was trying to install certbot on my server with this command:

wget https://dl.eff.org/certbot-auto

The response was this:

–2019-02-06 23:03:19-- https://dl.eff.org/certbot-auto
Resolving dl.eff.org… 2a04:4e42:c::201, 151.101.48.201
Connecting to dl.eff.org|2a04:4e42:c::201|:443… connected.
OpenSSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
Unable to establish SSL connection.

Sorry to be dumb, but is that a problem on the certbot side, or something I need to change on my server?

Thanks,

doug


#9

How old is your Linux distro?

curl -V
lsb_release -a

There’s also different browser ACME client called ZeroSSL that might also help you. Unlike gethttpsforfree, it doesn’t require running any openssl commands. If you have an ancient OpenSSL verison (like 0.9.8), that could explain your earlier signing error.


#10

The distro is old. The kernel is kept up to date though.
Updating distros is so hard!

curl -V reports:
curl 7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18

lsb_release -a reports it is Ubuntu 10.10.

Yes, yes, I know we probably should have started with Ubuntu 10.04 and then regular upgrades would have been easier. But now it’s a nightmare.

I will try ZeroSSL for now. This is just a dev server I’m trying it on. But I have like 30 other servers, all with the same distro, but up-to-date kernels.

Thanks,

doug


#11

The ZeroSSL site looked so simple! Much less steps.

Unfortunately at the very last step it reported an “unexpected error” even though I was able to confirm that the /.well-known/acme-challenge link worked and showed the correct text.

What to do now I wonder.


#12

In this case, some other software on your system is likely to have known and exploitable vulnerabilities. For example, a majority of the non-kernel vulnerabilities at https://usn.ubuntu.com/ that were reported after the Maverick EOL in April 2012 may still apply to your system.


#13

I have a theory about what’s going wrong. I’m going to try to upgrade something and see if that helps. Will report back!

doug


#14

ZeroSSL worked!

I thought at first the problem might have been that our non-standard’s web server hadn’t been upgraded to the newest version in quite a while, so the TLS version was old. So I upgraded that. That should be upgraded anyway.

It still wasn’t working, so I decided to let ZeroSSL generate the CSR instead of having my server do it. That worked right away, and my site is showing a nice “locked” icon when I visit. Yay!

One odd thing this last time. For the very last try I was not asked to update the /.well-known/acme-challenge file.

Anyway, it worked.

Thanks everybody!

Our next step is to somehow automate this with our non-standard server so we can do this for all our sites!


#15

Although I am glad to hear you got a cert, that is a very manual method.
Perhaps you can update the wget only.
Or use curl to download it.
Or grab that (certbot-auto) file on another system and move it in via any other method available to you.
Certbot-auto should still work (even with openssl 0.9.8)
[I can’t say for how long - but it should work today]


#16

I will take a look and try. Thanks.


#17

I doubt you’ll have much luck with certbot-auto – if it even knows how to handle 10.10, it installs Python packages from PyPI, which coincidentally uses the same CDN and same modern TLS configuration as https://dl.eff.org/.


#18

Well that could be a real catch-22…

Doug, do you have any other (more updated) system on that same network?
If so, you may be able to use it to get the cert or even better:
To proxy* all your service requests.
[which could breathe some life into that old system - providing it modern TLS connections and security]

*Given that the service can be proxied.
For that I would look into NGINX - it seems to proxy just about anything these days!


#19

Yeah, a general problem with using an operating system which has reached end-of-life from the OS vendor, apart from the likely presence of security vulnerabilities, is that lots of software is no longer available for that system. So Certbot uses lots of dependencies which may not be officially available for 10.10, even apart from the issue that @mnordhoff pointed out that 10.10 may itself not be able to understand how to interact with the servers from which the dependencies would be downloaded!

The Ubuntu folks have tried to make this easier by making LTS releases which are individually supported for longer—the most recent LTS release is officially supported for 10 years, whereas the non-LTS releases are now officially supported for less than 1 year apiece!


#20

On the same network (different IP address, different host machine) I do have other servers running more updated versions of Ubuntu.

My web server itself, the “non-standard” server that uses the Apache-compatible certs, does use modern TLS connections and security. We do regularly update the OpenSSL package it uses, and it supports all the latest TLS security.

It’s just the host server machine itself.

The web server software does provide modern TLS connections though. Otherwise all the web browsers and APIs we connect to would complain.

So it’s a problem in the Linux shell apparently.