WSS with node.js on Dreamhost

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:designerscience.com

I ran this command:na

It produced this output:na

My web server is (include version):Apache 2.2.31

The operating system my web server runs on is (include version): Ubuntu 14

My hosting provider, if applicable, is:Dreamhost

I can login to a root shell on my machine (yes or no, or I don't know):No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):Dreamhost's custom panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):na

My site is fully hosted on a virtual private server by Dreamhost.com. They manage updating my certificates every four months. I have access to my certificates through the web panel, but not via SSH console or ftp. I am using a secure websocket client/server written for nodejs. (I have implemented my own messaging layer with it). I had been copying my certificates from the panel into a file and then puting them into a local directory accessible to my script. The method works fine. But too frequently I forget to update my certificate files & my wss fails. HTTPS works fine - my site works fine, I just need a way to automate updating my local copies (not root copies) of my wss certificates. I had been using openssl to generate unsigned certs for my first implementation & that worked fine until Chrome et.al. changed their level of tolerance.

Is there a programatic way I can ask LetsEncrypt for the equivalent of openssl certificates? Or just a couple of your signed .pem & .crt files I can store programatically? Like with an https get?

Hi @KaiserSoze

that's how Letsencrypt works. A public API.

Read

then select a client

and create your own certificate.

Checking your domain - https://check-your-website.server-daten.de/?q=designerscience.com#ct-logs - you see:

Issuer not before not after Domain names LE-Duplicate next LE
R3 2021-01-25 2021-04-25 designerscience.com, www.designerscience.com
2 entries
Let's Encrypt Authority X3 2020-11-30 2021-02-28 designerscience.com, www.designerscience.com
2 entries
Let's Encrypt Authority X3 2020-10-06 2021-01-04 designerscience.com, www.designerscience.com
2 entries
Let's Encrypt Authority X3 2020-08-12 2020-11-10 designerscience.com, www.designerscience.com
2 entries
Let's Encrypt Authority X3 2020-06-16 2020-09-14 designerscience.com, www.designerscience.com
2 entries
Let's Encrypt Authority X3 2020-04-21 2020-07-20 designerscience.com, www.designerscience.com
2 entries

These are your Letsencrypt certificates created via Dreamhost (R3 is the new Letsencrypt intermediate).

There is a rate limit (max. 5 identical certificates per week). But you see: Creating one own certificate isn't a problem.

That is a confusing set of questions.
Without the private key, a public certificate is basically one-sided [it can only be used to encrypt].
It you intend on using a certificate to also decrypt, then you will need the private key.
The private key can't be provided to you by anyone on the Internet [LetsEncrypt included].
The function of a CA includes maintaining trust by validating and sign a certificate request [CSR] that will permit the holder of the private key to use that cert without ever having to reveal the private key.
[this is not something LE invented - it's the way all CAs work]

Sooooo, the only place you can get the private key is from within the server that was issued the cert.
[the public side can be found in many places - it is public information]

The key point here (no pun intended) is that if you choose one of these applications and run it on your own computer, it can output the PEM files that you're looking for.

The preferred/recommended way to use Let's Encrypt is to run software like this on the web server, which would involve more coordination with or support from Dreamhost in your case (since you said you only have access to do this through a control panel). The advantage of running the Let's Encrypt client application directly on the web server is that it's much easier to automate and save you, the human administrator, a lot of work.