Using Let's Encrypt on localhost

I haven’t been here in a while. Quite a while ago I tried using Let’s Encrypt on my AWS Lightsail server and had a hard time with it. I eventually gave up and have used a commercial (low-priced) cert for the past few years. It has been working well. I have occasionally run into some issues while developing, and RapidSSL (who I bought it from) has been useless. Their typical answer is “ask the developer”, which is me.

Now I have purchased an Ubuntu laptop where I am hoping to do some additional development on my webapp locally. The uploading to AWS to develop was killing me! So my questions are:

  1. Are there instructions specifically for Ubuntu 18 users for LE? I have found in my 1.5-year journey (with much pain due to using Bitnami) that I can often find instructions for Linux, but the directories in the instructions are named slightly differently from my “stock Ubuntu” configuration. This means I need to improvise, which leads to hours and hours of trial and error, and frustration.

  2. Will LE work without a domain, and if not, how do I create a domain for my laptop’s localhost server? I clearly have a domain (or two) that I use with AWS, but I sincerely don’t want to break my up-and-going AWS site through wrong-headed trial and error. If it can’t be done on localhost, just say that and I’ll start saving the change in my pocket to buy another cert (if I have to), so I can continue testing. From my last experience with LE I know that you guys are super helpful and knowledgeable, and I want to make sure that what I am trying is possible before I pull the “rest of my hair out” trying it.

Thanks, Rich

Hi @richb201

If you want to use a publicly trusted certificate, you need a public, worldwide unique domain name. Let's Encrypt must check whether you control the domain. If you do that via dns-01 validation, you don't need a publicly visible webserver.

But if you are the only user of that domain: create a self-signed certificate and an exception in your browser.

To develop things: if you have a publicly visible website, create a subdomain dev.yourdomain.com, then a certificate with that name, then install the certificate locally and add a hosts entry dev -> 127.0.0.1.


Thanks.

But if you are the only user of that domain: create a self-signed certificate and an exception in your browser.

That would be perfect! Do you know of any instructions for how to do that on Ubuntu? The only reason I need SSL on my personal server is because OAuth2 requires it!

Rich

If you have a standard installation with Apache, there should be a self-signed certificate.

Searching for

apache self signed certificate

turns up a lot of information.

Thanks. I did the search you recommended. The main issue I am having is that when creating the self-signed cert I am required to give a Common Name, which should be the PUBLICLY ACCESSIBLE IP address or domain. As I said, this is localhost, 127.0.0.1. There is no public access. I am not sure if the Common Name is just a placeholder or if it actually must be communicated with. If it must be communicated with from the outside world, I am not sure how to do that.

Then use localhost.

You can give your server a (non-public) domain name (myserver.local); then myserver.local is your CommonName.

Then you can use

https://myserver.local/

to connect.

A self-signed certificate can have any value in the CN; it doesn’t need to be validated or confirmed by anyone else. It’s valid to create one for localhost.

Thanks. I will try that this morning.

Tried it and am getting NET::ERR_CERT_AUTHORITY_INVALID. I have the following in default-ssl.conf:

	SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

These are the two standard Ubuntu files. I have these two files in /etc/ssl/private:

ssl-cert-snakeoil.key
apache-selfsigned.key

and the .pem file is in /etc/ssl/certs, just like it should be. When I look in the journal:

richb201@richb201-XPS-13-9370:~$ journalctl | tail
Apr 21 10:58:19 richb201-XPS-13-9370 systemd[1]: Stopped The Apache HTTP Server.
Apr 21 10:58:19 richb201-XPS-13-9370 systemd[1]: Starting The Apache HTTP Server…
Apr 21 10:58:19 richb201-XPS-13-9370 apachectl[6222]: AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1. Set the ‘ServerName’ directive globally to suppress this message
Apr 21 10:58:19 richb201-XPS-13-9370 systemd[1]: Started The Apache HTTP Server.
Apr 21 10:58:19 richb201-XPS-13-9370 polkitd(authority=local)[957]: Unregistered Authentication Agent for unix-process:6207:318402 (system bus name :1.153, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Apr 21 10:58:30 richb201-XPS-13-9370 sudo[6232]: richb201 : TTY=pts/0 ; PWD=/home/richb201 ; USER=root ; COMMAND=/bin/journalctl -xe
Apr 21 10:58:30 richb201-XPS-13-9370 sudo[6232]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 21 10:59:37 richb201-XPS-13-9370 sudo[6232]: pam_unix(sudo:session): session closed for user root
Apr 21 11:00:25 richb201-XPS-13-9370 sudo[6246]: richb201 : TTY=pts/0 ; PWD=/home/richb201 ; USER=root ; COMMAND=/bin/journalctl -xe
Apr 21 11:00:25 richb201-XPS-13-9370 sudo[6246]: pam_unix(sudo:session): session opened for user root by (uid=0)

What do I need to do to get this working?

That's normal if it is a self-signed certificate.

Now create an exception in your browser or client you use.

Now create an exception in your browser or client you use.

I am super confused. I can get into my website at https://localhost/sub_crud. It brings up a "Not secure" warning with a triangle and an exclamation point. It also crosses out the https in the browser address window. If I click on Not Secure -> View site information, it says that the certificate has been verified (see the image). Not that this matters, since my real issue is with my Extension communicating with Google's server. OAuth2 REQUIRES that I use SSL on my server. At first I thought it was a problem with my Google credentials. How can I tell if my server is supporting SSL? Getting the message NET::ERR_CERT_AUTHORITY_INVALID is not very comforting.

Add the certificate to your certificate store. Then you say: “It’s trusted”.

@richb201, a self-signed certificate is not automatically trusted by any software. It is, in fact, invalid by default. However, you can add trust to this certificate in a particular web browser (confirming that it’s the one that you personally intended to use for this purpose).
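As an added example (not code from this thread), the following shell script uses openssl to create a self-signed certificate with CN=localhost, as suggested earlier in the thread, and then shows why the browser reports NET::ERR_CERT_AUTHORITY_INVALID until the certificate is added to a trust store: verification fails against the system store and succeeds once the certificate itself is supplied as the trust anchor. It assumes openssl 1.1.1 or newer (for -addext) and a scratch directory under /tmp; the file names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl >= 1.1.1 (for -addext).
set -eu

WORK="${TMPDIR:-/tmp}/localhost-selfsigned"   # scratch directory (assumed)
mkdir -p "$WORK"
KEY="$WORK/localhost.key"
CRT="$WORK/localhost.crt"

# A self-signed cert can carry any CN; nobody validates it. CN=localhost is
# fine, and the subjectAltName is what modern browsers actually match on.
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$KEY" -out "$CRT" \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" >/dev/null 2>&1
}

# Returns 0 if the certificate's subject CN is "localhost".
cert_cn_is_localhost() {
  openssl x509 -in "$CRT" -noout -subject | grep -q 'CN *= *localhost'
}

# The system trust store (/etc/ssl/certs on Ubuntu) does not contain our
# cert, so this fails. It is the same failure the browser reports as
# NET::ERR_CERT_AUTHORITY_INVALID: the cert is well-formed, the issuer is unknown.
cert_trusted_by_system_store() {
  openssl verify "$CRT" >/dev/null 2>&1
}

# Once the certificate itself is supplied as the trust anchor (which is what
# adding it to the browser or OS store does), the same cert verifies.
cert_trusted_when_added_to_store() {
  openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1
}

# Stand-alone run: generate, then report both verification outcomes.
# System-wide trust on Ubuntu: copy "$CRT" to /usr/local/share/ca-certificates/
# and run sudo update-ca-certificates. Apache then uses the pair via
# SSLCertificateFile "$CRT" and SSLCertificateKeyFile "$KEY".
if [ "${1:-}" = "run" ]; then
  make_selfsigned_cert
  cert_trusted_by_system_store && echo "system store: trusted" || echo "system store: NOT trusted"
  cert_trusted_when_added_to_store && echo "with cert as trust anchor: trusted"
fi
```

Run it as `sh script.sh run` to see the untrusted result followed by the trusted one.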

