Let's Encrypt is a free certificate authority (link, link). It allows you to make your website available over https:// at no cost. Unencrypted websites are being phased out, or at least penalized, by browsers, which makes the need for a free alternative to paid authorities all the more urgent. Since August 2018 the Let's Encrypt root has been trusted by all other major root programs.

The ACME protocol (Automated Certificate Management Environment) is responsible for setting up the communication between the certificate authority and the web server hosting the domain. Let's Encrypt suggests the Certbot ACME client (Python based) (link, link), but installation on CentOS failed:

Operating system
cat /etc/*elease
CentOS Linux release 7.4.1708 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"

sudo yum install python2-certbot-apache
No package python2-certbot-apache available.
Error: Nothing to do

Difficulties have been noted before (link, link).

ACME PHP is an alternative (link, link). Installation is straightforward:

As a local user:

php -r "copy('https://github.com/acmephp/acmephp/releases/download/1.0.1/acmephp.phar', 'acmephp.phar');"
php -r "copy('https://github.com/acmephp/acmephp/releases/download/1.0.1/acmephp.phar.pubkey', 'acmephp.phar.pubkey');"

php acmephp.phar --version
Acme PHP - Let's Encrypt client 1.0.1

As per the documentation (link), the next step is the generation of a YAML configuration file:

cat config.yml
contact_email: yourname@example.com

defaults:
distinguished_name:
country: NL
locality: Eemnes
organization_name: companyname
solver: http

certificates:
- domain: example.com

Running the following command in this procedure check

php acmephp.phar run config.yml

yielded

Solving challenge for domains...
In InstanceProfileProvider.php line 88:
Error retrieving credentials from the instance profile metadata server.

This must be a bug: the domain challenge was started without anything having been set up in the first place. But the authorization step can also be done separately. If the domain challenge is to be solved via http, the authority expects a specific file on the web server in order to prove that you own the domain:

php acmephp.phar authorize example.com

Loading account key pair...
Requesting an authorization token for domains example.com ...
The authorization tokens was successfully fetched!
Solving authorization challenge for domain {"domain":"example.com","challenge":{"domain":"example.com","status":"pending","type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/9Ciz........854","token":"esM0......U","payload":"esM........Rc"}}
Create a text file accessible on URL http://example.com/.well-known/acme-challenge/esM0.........U
containing the following content:

esM02............DKqsEuvqRc

The use of the ".well-known" directory is explained here, where it is also noted that some web server configurations do not allow directories whose name starts with a dot. As this was the case in this procedure check (link, link), DNS was used as the solver instead:

php acmephp.phar authorize --solver dns example.com
Loading account key pair...
Requesting an authorization token for domains example.com ...
The authorization tokens was successfully fetched!
Solving authorization challenge for domain {"domain":"example.com","challenge":{"domain":"example.com","status":"pending","type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/OgQf......86","token":"u8HEZ.........LVE","payload":"u8H...........vqRc"}}
Add the following TXT record to your DNS zone
Domain: _acme-challenge.example.com.
TXT value: 2plz.............iwlI

Check DNS

host -t TXT _acme-challenge.example.com.
_acme-challenge.example.com descriptive text "2plzW..............yiwlI"
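The http-01 "payload" and the dns-01 TXT value shown above are both derived from the challenge token and the ACME account key (RFC 8555, with the key thumbprint from RFC 7638). The following is an added example, not code from the original post or from the ACME PHP project, that recomputes both values so a TXT record returned by `host` can be compared against the expected value before the CA-side check is requested; the JWK and token are constructed sample values.

```python
# Added example (not part of the original post or of ACME PHP): derive the
# http-01 file body and the dns-01 TXT value expected for a challenge token,
# so a published record can be verified against the account key first.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only, keys sorted, no whitespace. RSA and EC handled."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """http-01: this exact string must be served at
    /.well-known/acme-challenge/<token> (the 'payload' in the client output)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns_txt_value(token: str, jwk: dict) -> str:
    """dns-01: the TXT record at _acme-challenge.<domain> holds the base64url
    SHA-256 digest of the key authorization, not the authorization itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def record_matches(observed_txt: str, token: str, jwk: dict) -> bool:
    """Compare what `host -t TXT _acme-challenge.<domain>` returned (the quoted
    string) with the expected value before running the CA-side check."""
    return observed_txt.strip().strip('"') == dns_txt_value(token, jwk)


# Constructed sample account key (public part only) and token; not real values.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"constructed-modulus-bytes")}
SAMPLE_TOKEN = "esM0-constructed-token-U"

if __name__ == "__main__":
    print("http-01 body :", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("dns-01 TXT   :", dns_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

With a real account key, the public JWK members (for RSA: kty, n, e) are taken from the client's account key pair; the private members are ignored by the thumbprint.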

php acmephp.phar check -s dns example.com
Loading account key pair...
Loading the order related to the domains example.com ...
Loading the authorization token for domains example.com ...
Testing the challenge for domain example.com...
Requesting authorization check for domain example.com ...

The authorization check was successful!

You are now the proved owner of those domains example.com.

Now the certificate can be requested:

php acmephp.phar request example.com

After filling out the usual certificate questionnaire, the required files are created. For a basic SSL installation (for example in a DirectAdmin control panel) the following files are needed:

.acmephp/master/certs/example.com/private/key.private.pem
.acmephp/master/certs/example.com/public/cert.pem

The SSL encryption for https://example.com works immediately.
