Key+public, next how do I create a valid signature?

Please, I need to know how I can sign this key into a valid certificate with Let's Encrypt.
I need this valid signed certificate for a running Postfix installation.

Here I have now created a key.pem and a public.pem file:
--> openssl genrsa -out key.pem 2048
--> openssl rsa -in key.pem -outform PEM -pubout -out public.pem

I am kindly asking how I can sign these two files so that they are valid
and signed certificates.

Many thanks for any possible help.
Regards


You will need to use the Let’s Encrypt API to request a certificate. See the following getting started guide:


Hello mcpherrinm,
First let me thank you for your quick answer. Yes, I have now read a lot about Let's Encrypt, certbot and acme.sh, thanks!

Now, to be honest, this cert that I need isn't for any web interface; I need this certificate for my
Postfix server. I found many interesting switches that I can use, but what
I try to implement doesn't run the way I want.

One thing is a little unclear: how do I define the key size "4096"? Or do I need to add this setting to the mentioned ini file?

I tried this now, as I was thinking that I could use my own public.pem file,
but this only ends in an error message.
># certbot certonly --standalone --csr public.pem --manual
>> Failed to parse CSR file: /root/.acme.sh/rsa.caloro.ch/public.pem
>> Ask for help or search for solutions at https://community.letsencrypt.org.
>> See the logfile /tmp/tmp3uupbkp_/log or re-run Certbot with -v for more details.

2022-05-30 20:59:12,366:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2022-05-30 20:59:13,057:DEBUG:certbot._internal.main:certbot version: 1.27.0
2022-05-30 20:59:13,057:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/2035/bin/certbot
2022-05-30 20:59:13,057:DEBUG:certbot._internal.main:Arguments: ['--standalone', '--csr', 'public.pem', '--preconfigured-renewal']
2022-05-30 20:59:13,057:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry>>(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-05-30 20:59:13,067:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/2035/lib/python3.8/site-packages/certbot/crypto_util.py", line 256, in import_csr_file
csr = load(crypto.FILETYPE_ASN1, data)
File "/snap/certbot/2035/lib/python3.8/site-packages/OpenSSL/crypto.py", line 2984, in load_certificate_request
_openssl_assert(req != _ffi.NULL)
File "/snap/certbot/2035/lib/python3.8/site-packages/OpenSSL/_util.py", line 69, in openssl_assert
exception_from_error_queue(error)
File "/snap/certbot/2035/lib/python3.8/site-packages/OpenSSL/_util.py", line 55, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'asn1_check_tlen', 'wrong tag'), ('asn1 encoding routines', 'asn1_item_embed_d2i', 'nested asn1 error')]
During handling of the above exception, another exception occurred:

The other try:
># certbot certonly --standalone --key-type rsa --cert-name rsa.caloro.ch

failed with the same error.

Yes, this domain www.Caloro.ch is in my hands, and I don't need to create a new cert for any new website.

Thanks for any possible further help.
Regards


In the first post, you generated a "public.pem" using the openssl rsa command, which does not generate a CSR file, which is why you are getting confusing "parsing" error messages. To create a CSR yourself for whatever reason, that is the openssl req command.

But I would recommend allowing certbot/acme.sh to create the key and CSR for you, as that is the easiest approach: The OpenSSL command-line is somewhat tricky to use properly.


Thanks. Update: created with

certbot certonly --standalone --rsa-key-size 4096 --domain nmail.caloro.ch --key-type rsa --cert-name nmail.caloro.ch-rsa

successfully, but the server says:

warning: key at index 1 in /etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem does not match next certificate
warning: TLS library problem: error:1426D121:SSL routines:ssl_set_cert_and_key:not replacing certificate:../ssl/ssl_rsa.c:1081:
warning: error loading private keys and certificates from:
/etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
/etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
/etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem
/etc/letsencrypt/live/nmail.caloro.ch-rsa/fullchain.pem: disabling TLS support

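Two things go wrong in this thread: a `public.pem` from `openssl rsa -pubout` is handed to certbot as if it were a CSR, and Postfix is then given a key/chain list in which a key does not match the certificate that follows it. The helper script below is an added example (not code from the thread, certbot or Postfix) that catches both before the tools do: it reports the PEM label of a file, builds a real CSR with `openssl req`, and verifies that each private key carries the same public key as the certificate paired with it, in the key-then-chain order Postfix's `smtpd_tls_chain_files` expects. It assumes the `openssl` CLI (1.1.1 or later, for `-addext`) is installed; the hostname and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for key, CSR and
# certificate files before they are given to certbot or Postfix.
# Assumes the openssl command-line tool is available.
set -eu

# Print the PEM label of the first block in a file, e.g. "PUBLIC KEY",
# "CERTIFICATE REQUEST" or "PRIVATE KEY". A file labelled "PUBLIC KEY" is
# what `openssl rsa -pubout` produces; it is not a CSR and certbot --csr
# will fail to parse it.
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Build a proper CSR from an existing private key with `openssl req`.
# $1 = private key file, $2 = hostname (placeholder), $3 = output CSR path
make_csr() {
    openssl req -new -key "$1" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" -out "$3"
}

# Succeed only if the private key and the certificate carry the same public
# key. This is the condition behind Postfix's "does not match next
# certificate" warning. Returns 2 if either file cannot be read.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Validate a list in the order Postfix's smtpd_tls_chain_files expects:
# key, its chain, key, its chain, ... Prints one line per pair and returns 1
# if any pair mismatches or a file is left without a partner.
check_chain_pairs() {
    rc=0
    i=0
    while [ "$#" -ge 2 ]; do
        if key_matches_cert "$1" "$2"; then
            echo "pair $i: OK       $1 -> $2"
        else
            echo "pair $i: MISMATCH $1 -> $2"
            rc=1
        fi
        i=$((i + 1))
        shift 2
    done
    [ "$#" -eq 0 ] || { echo "unpaired file: $1"; rc=1; }
    return "$rc"
}
```

Run `check_chain_pairs /etc/letsencrypt/live/<name>/privkey.pem /etc/letsencrypt/live/<name>/fullchain.pem ...` with the same file order as in main.cf; a MISMATCH line identifies the pair Postfix will reject.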

Are both RSA type?
Why are you using two certs?


After generating a CSR+KeyPair LetsEncrypt requires you to complete an authorization with an HTTP-01 or DNS-01 challenge. It will take you many hours, possibly days, to do this by hand. Even though you do not want a certificate for web use, the easiest way to obtain the certificate is for Certbot (or acme.sh) to handle the entire process for you - from creating the key and CSR, to spinning up a web server (or altering DNS records). You can then use that certificate and key pairing for Postfix. You will need to do this every 60-90 days, so having Certbot automate this is very important.
