Hello @Inyourbox,
Keep in mind that this common name issue should be solved in the next letsencrypt client version, 0.6.0, so maybe it's worth waiting to renew your certs.
Anyway, to issue a cert using your own CSR you should:
Summary
1.- Create your own private key.
2.- Create your csr file.
3.- Use letsencrypt-auto to request your cert using your previously created csr.
4.- Copy the key and issued cert (cert, chain and/or fullchain) to the right place to be used by your web server, mail server, etc.
Steps
1 & 2.- Both steps can be performed in just one step. In this example I will create a private key using 4096 bits and its name will be mydomain.tld.pem.key. I will create a certificate request for the domains mydomain.tld and www.mydomain.tld, where mydomain.tld will be the common name. This CSR request file will have the name mydomain.tld.der.csr.
openssl req -sha256 -nodes -new -newkey 4096 -keyout mydomain.tld.pem.key -out mydomain.tld.der.csr -outform der -subj "/CN=mydomain.tld" -reqexts SAN -config <(echo -e "[req]\ndistinguished_name=mydomain.tld\n[mydomain.tld]\n[SAN]\nsubjectAltName=DNS:mydomain.tld,DNS:www.mydomain.tld")
You can check your CSR file using this command:
openssl req -inform der -in mydomain.tld.der.csr -noout -text
3.- Use letsencrypt-auto to issue your cert using certonly and webroot.
/path/to/letsencrypt-auto certonly --text --non-interactive --email youruser@mydomain.tld --renew-by-default --agree-tos --csr mydomain.tld.der.csr --webroot --webroot-path /path/to/mydomain.tld/root/document
In case mydomain.tld and www.mydomain.tld don't have the same document root, you should use the option --webroot-map instead of --webroot-path:
/path/to/letsencrypt-auto certonly --text --non-interactive --email youruser@mydomain.tld --renew-by-default --agree-tos --csr mydomain.tld.der.csr --webroot --webroot-map '{"mydomain.tld":"/path/to/mydomain.tld/root/document", "www.mydomain.tld":"/path/to/www.mydomain.tld/root/document"}'
Note: I recommend that you first use the letsencrypt-auto client with the --dry-run option to check that all will work as expected; once you get no errors you can remove the --dry-run option. Also, you can try to issue your cert on the staging server by adding the option --test-cert before issuing it against production.
4.- If the process ended OK, you will get 3 files:
0000_cert.pem is your new, signed certificate.
0000_chain.pem is the Let's Encrypt intermediate cert.
0001_chain.pem is the full chain; it includes both files 0000_cert.pem and 0000_chain.pem.
Bear in mind that you already created the private key, and it should be there with the name mydomain.tld.pem.key.
Now you should configure your server (web, mail, imap, …) to point to the required files.
I hope this helps.
Cheers,
sahsanu
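The procedure above (key + SAN CSR, checking the CSR, then checking the three files the client writes), as an added example that is not part of sahsanu's post or of the letsencrypt client. It uses a temporary config file instead of bash process substitution so it runs in plain sh, and, because no ACME server is reachable offline, it signs the CSR with a throw-away "Constructed Test CA" that stands in for the client's output; the function names, KEY_BITS, that CA and the 0000_/0001_ file layout are assumptions of this example, not anything the client exposes.

```shell
#!/bin/sh
# Added example, not from sahsanu's post or the letsencrypt client.
# write_req_config CN SANLIST -> prints the path of a temp openssl config
write_req_config() {
  cfg=$(mktemp) || return 1
  cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $1
[san]
subjectAltName = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  echo "$cfg"
}

# make_csr KEYFILE CSRFILE CN [MORE_NAMES...] -> private key + DER CSR whose
# subjectAltName lists every name (KEY_BITS overrides the 4096-bit default)
make_csr() {
  key=$1; csr=$2; cn=$3; shift 3
  sans="DNS:$cn"
  for n in "$@"; do sans="$sans,DNS:$n"; done
  cfg=$(write_req_config "$cn" "$sans") || return 1
  openssl req -new -sha256 -nodes -newkey "rsa:${KEY_BITS:-4096}" \
    -keyout "$key" -out "$csr" -outform der -config "$cfg" >/dev/null 2>&1
  rc=$?; rm -f "$cfg"; return $rc
}

# csr_verify CSRFILE -> 0 when the CSR's self-signature checks out
csr_verify() { openssl req -inform der -in "$1" -noout -verify >/dev/null 2>&1; }

# csr_sans CSRFILE -> the requested SAN line, e.g. "DNS:a.tld, DNS:www.a.tld"
csr_sans() {
  openssl req -inform der -in "$1" -noout -text 2>/dev/null |
    awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# csr_matches_key CSRFILE KEYFILE -> 0 when the CSR carries KEYFILE's public key
csr_matches_key() {
  a=$(openssl req -inform der -in "$1" -noout -pubkey 2>/dev/null)
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_matches_key CERTFILE KEYFILE -> 0 when the issued cert uses our key
cert_matches_key() {
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# fullchain_ok DIR -> 0 when 0001_chain.pem is exactly 0000_cert.pem followed
# by 0000_chain.pem, and the leaf verifies against that intermediate
fullchain_ok() {
  cat "$1/0000_cert.pem" "$1/0000_chain.pem" | cmp -s - "$1/0001_chain.pem" &&
    openssl verify -CAfile "$1/0000_chain.pem" "$1/0000_cert.pem" >/dev/null 2>&1
}

# sign_with_test_ca DIR CSRFILE -> constructed stand-in for the client's output:
# signs the CSR with a throw-away CA and writes the three files under the
# names the client uses (0000_cert.pem, 0000_chain.pem, 0001_chain.pem)
sign_with_test_ca() {
  dir=$1
  cfg=$(write_req_config "Constructed Test CA" "DNS:ca.invalid") || return 1
  openssl req -x509 -new -sha256 -nodes -newkey rsa:2048 -days 1 -config "$cfg" \
    -extensions ca_ext -keyout "$dir/ca.key" -out "$dir/0000_chain.pem" >/dev/null 2>&1 &&
  openssl req -inform der -in "$2" -out "$dir/req.pem" >/dev/null 2>&1 &&
  openssl x509 -req -sha256 -days 1 -in "$dir/req.pem" -CA "$dir/0000_chain.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/0000_cert.pem" >/dev/null 2>&1 &&
  cat "$dir/0000_cert.pem" "$dir/0000_chain.pem" >"$dir/0001_chain.pem"
  rc=$?; rm -f "$cfg"; return $rc
}
```

Against the real client you would run make_csr, then csr_verify, csr_sans and csr_matches_key on the CSR before step 3, and cert_matches_key plus fullchain_ok on the directory where the client left its 0000_/0001_ files; sign_with_test_ca only exists so the post-issuance checks can be exercised without a network.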