What is the proper setup and use of Let's Encrypt certs with PHP?


#1

I need to provide a certificate to stream_socket_client() while making a connection. It seems I need to provide a fullchain or a combination of cert, key and cacert.

I’m using lets-encrypt so my keys are located in /etc/letsencrypt/archive/domain/, but there are symlinks in /etc/letsencrypt/live/domain/.

I got the connection working by manually concatenating cert files and copying newly formed fullchain into my php working directory: /var/www/.

I’m sure that’s not the proper way of doing things. Once my letsencrypt cert renews I’ll need to do the concatenation and file copying all over again. What is the actual proper way of creating and using a fullchain cert in this case?

PS, I also asked this on ServerFault, if anyone is interested in answering there.


#2

What’s your actual goal here? You’re referring to a stream_socket_client(), a client.

The certificates as issued by Let’s Encrypt are to be used for servers, not clients.

Can you explain more of what you’re doing in your project? :slight_smile:


#3

Sure thing, I’m trying to make a connection to an API that is requiring a certificate. The connection is made over SSL.

Just to get the connection working I’ve had to do the aforementioned manual cert concatenation and move to working PHP dir. But I am not sure if that’s secure nor does it feel like the proper procedure since it’s so manual.


#4

So you’re using certificate based client authentication?


#5

I guess. This subject is a little new to me so I apologize for not using proper terminology.

My current understanding is that the SSL connection wants fullchain.pem for the initial connection and handshake. Then the API also uses a username and password to make calls.

Either way, it’s working after I did all of the manual things. Ideally I would just like to be able to point my script at Let’s Encrypt certs in their natural location somehow. So that if they update I don’t need to manually concatenate and move them again.


#6

I’m still not sure if I follow… You’re trying to set up a client, but are also using Let’s Encrypt certificates? On the server?

Because Let’s Encrypt (LE) certificates cannot be used for client authentication, as LE only offers Domain Validated certificates. I.e., for FQDNs. Not for users/email/clients.

Therefore, the only useful and only possible use for LE’s certificates is on the server side, not the client side.

I’m glad you’ve got it working now, but I’m not sure if things are done correctly now, mostly because I can’t understand what you’re actually trying to do. I.e., does the server use Let’s Encrypt? Are you really trying to do certificate based client authentication?


#7

Part of the API docs says “All clients must use a publicly verifiable certificate.” I’m making a connection from my server to the API. So my understanding is that the API wants LE’s certs to make sure my originating connection is secure.

If it helps, here’s an actual example of making a connection with the library I use.


#8

In the example, the API being connected to is the Finnish registry, and they provide an EPP interface manual (PDF), which says:

The caller must have a valid certificate that should be saved into the calling system. SSL certificate is attached to the valid EPP user and each request is authorized via an account / certificate combination.

That’s actually kinda weird… As far as that text is concerned, every single type of certificate can be used: Let’s Encrypt, self-signed, doesn’t really matter, as long as you upload the certificate in question to their ‘calling system’, so it can be verified.

I don’t know if you’re using that Finnish registry too? If so, if I were you, I’d opt for a self-signed certificate with a long lifetime (multiple years or so) purely for the EPP authentication. There’s no benefit in using, euh, lemme rephrase that, abusing a Let’s Encrypt certificate for that purpose :slight_smile:


#9

Thanks man, I’ll try that. Thanks for sticking it out :slight_smile:


#10

Hi sergchernata

This API requires an SSL certificate to authenticate instead of a username and password or API key.

Note: you only need the certificate and not the private key or the intermediates.

FTP over SSL (FTPS) is another example where SSL certificates can be used for authentication.

From your point of view, run the normal process for gaining the certificate and then link the certificate only (not the intermediates) to your calls.

Some examples of how to do this:

Other things to note:

A) Let’s Encrypt certificates may not be the best choice for this due to the 90-day validity. You need to check with the provider if they are happy to re-enter the certificate every 90 days.
B) Do not share any private keys (they are not needed).
C) The provider can download the intermediates from the Let’s Encrypt page: https://letsencrypt.org/certificates/
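As an added illustration of the approach discussed in this thread (this is not code from the original posts or from any library mentioned): a PHP client that hands stream_socket_client() the certbot files straight from the live/ symlinks, so a renewal is picked up on the next connection with no manual concatenation or copying. The domain, EPP host and port are placeholders.

```php
<?php
// Added example, not from the thread. Presents the Let's Encrypt certificate
// as a TLS client certificate while still verifying the server we connect to.
// Assumed paths/hosts: /etc/letsencrypt/live/example.com, epp.example.net:700.

function connectWithClientCert(string $host, int $port, string $liveDir)
{
    // Fail loudly rather than silently connecting without a client certificate
    // (certbot keeps live/ and archive/ root-only by default).
    foreach (['cert.pem', 'privkey.pem'] as $f) {
        if (!is_readable("$liveDir/$f")) {
            throw new RuntimeException("Cannot read $liveDir/$f; check permissions");
        }
    }

    $ctx = stream_context_create([
        'ssl' => [
            // Certificate shown to the peer. cert.pem is the leaf only; point this
            // at fullchain.pem instead if the peer also needs the intermediate.
            'local_cert'        => "$liveDir/cert.pem",
            // The private key proves possession of that certificate and never
            // leaves this host; it is read through the live/ symlink too.
            'local_pk'          => "$liveDir/privkey.pem",
            // Client auth does not replace verifying the server's own certificate.
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
            'peer_name'         => $host,
            // Only negotiate modern TLS versions (TLS 1.3 constant needs PHP >= 7.4).
            'crypto_method'     => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
                                 | STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT,
        ],
    ]);

    $socket = stream_socket_client(
        "ssl://$host:$port", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx
    );
    if ($socket === false) {
        throw new RuntimeException("TLS connect failed ($errno): $errstr");
    }
    return $socket;
}

$sock = connectWithClientCert('epp.example.net', 700, '/etc/letsencrypt/live/example.com');
// ... send EPP commands on $sock ...
fclose($sock);
```

The PHP process must be able to read privkey.pem; rather than running PHP as root, grant that read access narrowly (for example a certbot --deploy-hook that copies the renewed files into a directory readable only by the PHP service account).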

