[HOWTO] Let's Encrypt

If you use the certificate reference of your current Let's Encrypt certificate the script will overwrite the contents of this certificate with the newly retrieved certificate.

For testing purposes I would recommend creating a new certificate. This way you will keep your current Let's Encrypt certificate separate and you can easily roll back.

Yeah, I started looking through your code and decided it would be easier to just replace it in a while.  Unfortunately, between playing with certbot and your tool, I have hit my limit for the week (doh - shot self in foot).  I am simply trying to move away from the free StartSSL certs and was able to manually generate the cert I needed, but then decided to try your process.  I am still hesitant to execute code on the firewall like this and wish there was an easier way to manage this cert off the box.  I might look into that process if you don't mind me hacking away at your code to see if I can pull it off.  I will likely disable the version checking code in your script because I do not like the script (no offense intended) communicating to anything except Lets Encrypt.

Hi René,

Thanks for such a great script. Just what I was looking for to use on my home project server.

I think I've got everything working this end and my browsers now all show a happy green padlock....with one exception!

It seems android does not recognise the CA properly? When reading around on this it mentions I might need to serve the intermediate cert using the fullchain.pem example here however i'm not sure how I would modify the script to do this, or even if it's possible with your method?

Any help with this would be great, 

Thanks again for the handy hack and enjoy a latte on me,

James

No worries, seems to be working now, must have been caching the old cert or something

Thx for this tool! nice work.

i was wondering however. You mention it is possible to save the ACME-challenge on another server through FTP, but sophos UTM doesn't include a FTP client. Is there a way tackle this?

i would like to create a lets encrypt cert for my exchange server, wich obviously only works with Windows/IIS wich doesn't support SSH.

Hi Hans,

I have not tested it using FTP, I only know the getssl script supports it.

For my exchange server I use a linux machine to host the acme challenge and use Site Path Routing for path /.well-known/acme-challenge/ to this linux machine

Hi klompie,

I mounted the smb share on a linux server and used ssh to upload it to the mount, it works.
i only wondered if i did something wrong. When i check the certificate with https://www.ssllabs.com/ssltest/analyze.html, it mentions that the cert chain is incomplete. "This server's certificate chain is incomplete. Grade capped to B."

i uploaded the Let’s Encrypt Authority X3 as CA cert.

any idea?

What is the fingerprint of the intermediate certificate according to ssllabs?

This is the same fingerprint as the cert i've uploaded to UTM.

Can you have a look at what the ca parameter of your certificate is:

#cc
127.0.0.1 MAIN > OBJS
Switched to OBJS mode.
127.0.0.1 OBJS > ca
127.0.0.1 OBJS ca > host_key_cert
127.0.0.1 OBJS ca host_key_cert > <cert_name>

One of the first lines should be something like: 'ca' => 'REF_CaVerXXXXXXX'

You can just enter the value of ca directly on the cli to show if this is indeed the correct ca certificate.

I have the idea that I should have the script update this parameter, because the UTM does not do it automatically.

Example:

127.0.0.1 OBJS ca host_key_cert > REF_CaHosLetsEncryp[Let's Encrypt,ca,host_key_cert] 
Logged into object 'REF_CaHosLetsEncryp'. Use 'w' to write eventual changes.
{
 'ca' => 'REF_CaVerLetsEncryp',
..
..
 }
127.0.0.1 OBJS ca host_key_cert [REF_CaHosLetsEncryp] > REF_CaVerLetsEncryp 
Logged into object 'REF_CaVerLetsEncryp'. Use 'w' to write eventual changes.
{
..
 Subject: C=US, O=Let\'s Encrypt, CN=Let\'s Encrypt Authority X3
..
}