New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Official client supports CSRs and manual mode! #5

Closed
kuba opened this Issue Jun 26, 2015 · 15 comments

Comments

Projects
None yet
6 participants
@kuba

kuba commented Jun 26, 2015

Now, that certbot/certbot#504 (CSRs) and certbot/certbot#502 (manual authenticator) are merged in, official Let's Encrypt client provides the same features as letsencrypt-nosudo! You can try it out by running letsencrypt --authenticator manual auth --csr csr.der. To use simpleHttp challenge without TLS use --no-simple-http-tls.

Please consider adding appropriate notice to your project. You are all more than welcome to contribute "upstream"! :)

cc: @diafygi, @jdkasten

@diafygi

This comment has been minimized.

Show comment
Hide comment
@diafygi

diafygi Jun 30, 2015

Owner

It appears that the official client still requires root access to the local computer. Are there options that I'm missing?

$ ./venv/bin/letsencrypt --authenticator manual auth --csr ~/Desktop/domain.csr
Traceback (most recent call last):
  File "./venv/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.1', 'console_scripts', 'letsencrypt')()
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 689, in main
    directory, constants.CONFIG_DIRS_MODE, os.geteuid())
  File "/tmp/letsencrypt/letsencrypt/le_util.py", line 31, in make_or_verify_dir
    os.makedirs(directory, mode)
  File "/tmp/letsencrypt/venv/lib/python2.7/os.py", line 157, in makedirs
    mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/etc/letsencrypt'
Owner

diafygi commented Jun 30, 2015

It appears that the official client still requires root access to the local computer. Are there options that I'm missing?

$ ./venv/bin/letsencrypt --authenticator manual auth --csr ~/Desktop/domain.csr
Traceback (most recent call last):
  File "./venv/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.1', 'console_scripts', 'letsencrypt')()
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 689, in main
    directory, constants.CONFIG_DIRS_MODE, os.geteuid())
  File "/tmp/letsencrypt/letsencrypt/le_util.py", line 31, in make_or_verify_dir
    os.makedirs(directory, mode)
  File "/tmp/letsencrypt/venv/lib/python2.7/os.py", line 157, in makedirs
    mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/etc/letsencrypt'
@jdkasten

This comment has been minimized.

Show comment
Hide comment
@jdkasten

jdkasten Jun 30, 2015

Hi @diafygi, this problem is related to certbot/certbot#552. More work needs to be done here.

If you specify a user controlled config directory / working directory it will avoid the problems.

Hi @diafygi, this problem is related to certbot/certbot#552. More work needs to be done here.

If you specify a user controlled config directory / working directory it will avoid the problems.

@diafygi

This comment has been minimized.

Show comment
Hide comment
@diafygi

diafygi Jun 30, 2015

Owner

Ok, added them. Now hitting another error. File a bug report?

$ ./venv/bin/letsencrypt --debug --authenticator manual --work-dir /tmp/work/ --config-dir /tmp/config/ --logs-dir /tmp/logs/ auth --csr ~/Desktop/domain.csr

...<enter an email into the GUI and accept the terms>...

Traceback (most recent call last):
  File "./venv/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.1', 'console_scripts', 'letsencrypt')()
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 707, in main
    handle_exception_common()
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 702, in main
    return main2(cli_args, args, config, plugins)
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 675, in main2
    return args.func(args, config, plugins)
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 189, in auth
    file=args.csr[0], data=args.csr[1], form="der"))
  File "/tmp/letsencrypt/letsencrypt/client.py", line 179, in obtain_certificate_from_csr
    csr.data, OpenSSL.crypto.FILETYPE_ASN1), csr)
  File "/tmp/letsencrypt/letsencrypt/crypto_util.py", line 311, in get_sans_from_csr
    csr, OpenSSL.crypto.load_certificate_request, typ)
  File "/tmp/letsencrypt/letsencrypt/crypto_util.py", line 279, in _get_sans_from_cert_or_req
    cert_or_req = load_func(typ, cert_or_req_str)
  File "/tmp/letsencrypt/venv/local/lib/python2.7/site-packages/OpenSSL/crypto.py", line 2380, in load_certificate_request
    _raise_current_error()
  File "/tmp/letsencrypt/venv/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error')]
Owner

diafygi commented Jun 30, 2015

Ok, added them. Now hitting another error. File a bug report?

$ ./venv/bin/letsencrypt --debug --authenticator manual --work-dir /tmp/work/ --config-dir /tmp/config/ --logs-dir /tmp/logs/ auth --csr ~/Desktop/domain.csr

...<enter an email into the GUI and accept the terms>...

Traceback (most recent call last):
  File "./venv/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.1', 'console_scripts', 'letsencrypt')()
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 707, in main
    handle_exception_common()
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 702, in main
    return main2(cli_args, args, config, plugins)
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 675, in main2
    return args.func(args, config, plugins)
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 189, in auth
    file=args.csr[0], data=args.csr[1], form="der"))
  File "/tmp/letsencrypt/letsencrypt/client.py", line 179, in obtain_certificate_from_csr
    csr.data, OpenSSL.crypto.FILETYPE_ASN1), csr)
  File "/tmp/letsencrypt/letsencrypt/crypto_util.py", line 311, in get_sans_from_csr
    csr, OpenSSL.crypto.load_certificate_request, typ)
  File "/tmp/letsencrypt/letsencrypt/crypto_util.py", line 279, in _get_sans_from_cert_or_req
    cert_or_req = load_func(typ, cert_or_req_str)
  File "/tmp/letsencrypt/venv/local/lib/python2.7/site-packages/OpenSSL/crypto.py", line 2380, in load_certificate_request
    _raise_current_error()
  File "/tmp/letsencrypt/venv/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error')]
@kuba

This comment has been minimized.

Show comment
Hide comment
@kuba

kuba Jun 30, 2015

./venv/bin/letsencrypt --config-dir /tmp/le/conf --work-dir /tmp/le/work --logs-dir /tmp/le/logs --authenticator manual auth --csr csr.der should do the job

if you don't feel like typing this over again:

cat <<EOF >letsencrypt.conf
config-dir = /tmp/le/conf
work-dir = /tmp/le/work
logs-dir = /tmp/le/logs
authenticator = manual
EOF
letsencrypt -c letsencrypt.conf auth --csr csr.der

letsencrypt --help will reveal that --csr accepts DER, not PEM, hence your error

kuba commented Jun 30, 2015

./venv/bin/letsencrypt --config-dir /tmp/le/conf --work-dir /tmp/le/work --logs-dir /tmp/le/logs --authenticator manual auth --csr csr.der should do the job

if you don't feel like typing this over again:

cat <<EOF >letsencrypt.conf
config-dir = /tmp/le/conf
work-dir = /tmp/le/work
logs-dir = /tmp/le/logs
authenticator = manual
EOF
letsencrypt -c letsencrypt.conf auth --csr csr.der

letsencrypt --help will reveal that --csr accepts DER, not PEM, hence your error

@kuba

This comment has been minimized.

Show comment
Hide comment
@kuba

kuba Jun 30, 2015

Sorry, you actually won't see the help :( certbot/certbot#577

kuba commented Jun 30, 2015

Sorry, you actually won't see the help :( certbot/certbot#577

@diafygi

This comment has been minimized.

Show comment
Hide comment
@diafygi

diafygi Jun 30, 2015

Owner

Woo! Got it!

$ openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -outform DER -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:daylightpirates.org,DNS:www.daylightpirates.org")) > ~/Desktop/domain.csr

$ openssl req -text -noout -inform DER -in domain.csr 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a7:61:e4:22:06:ef:1f:c5:37:c7:92:b8:e5:a5:
                    cd:29:c4:f1:f1:ad:7f:43:e2:c2:dd:7f:b7:70:77:
                    e0:29:d4:fb:ec:79:b7:44:b2:96:b5:9e:f6:21:74:
                    35:52:15:98:35:e2:74:d9:85:bd:10:79:bc:9f:a6:
                    5b:44:f4:c8:18:02:24:3c:62:5e:19:85:7f:d5:a9:
                    38:c7:34:9f:7e:9a:2e:6f:af:50:6c:9a:69:c9:94:
                    ca:90:41:fd:1c:30:2c:61:14:5f:33:97:8c:18:52:
                    9a:5d:75:83:30:02:68:3c:1e:c8:69:f6:db:80:85:
                    f1:99:ed:33:92:9c:32:98:b7:79:61:1d:81:70:e0:
                    7d:46:dd:35:da:58:69:c0:62:a6:a3:6d:bf:32:15:
                    4b:8b:78:7a:91:7d:0e:e2:2c:d6:e2:17:4f:81:c4:
                    9a:89:b7:52:71:6d:28:11:28:6e:4e:f5:86:8d:aa:
                    08:45:a6:2b:21:51:92:99:f7:c1:d9:b2:d8:92:08:
                    32:f5:50:74:23:5a:5f:c9:e9:40:c8:c0:10:31:00:
                    16:0e:07:e6:0d:20:e1:e3:38:97:11:ee:b3:51:f0:
                    ce:8a:fe:68:7e:eb:ca:f3:ef:96:44:c7:43:7c:67:
                    89:88:77:3c:a6:77:c0:a0:a8:d7:26:17:bf:b0:d9:
                    97:e0:12:15:29:bc:9e:c0:21:df:92:b9:01:01:fd:
                    70:49:3a:cc:65:c6:44:77:0a:10:a2:06:7f:10:c9:
                    07:ee:9e:78:96:59:b7:29:13:c6:28:7f:e0:e0:e3:
                    34:7b:5a:0b:f0:64:bd:d5:cc:9a:9c:47:0b:67:0d:
                    e3:2c:24:14:71:9f:a3:fe:50:37:6c:11:d1:b5:c8:
                    ef:f0:73:68:41:ac:0d:67:a9:58:33:00:25:3c:dc:
                    5a:9d:72:b2:81:dc:7c:04:d4:41:49:9d:a4:96:3d:
                    13:38:32:f7:19:2b:3a:7e:4d:57:03:4c:23:d1:e2:
                    03:e8:c0:1e:02:32:e4:7f:b3:b2:96:13:dd:db:15:
                    f1:b7:ea:36:4a:cf:cd:0c:ba:38:ba:2c:0f:71:95:
                    7a:3d:b3:3f:4a:01:6c:58:b0:0d:c9:59:79:9b:1e:
                    a2:65:e7:22:ea:ed:ea:25:f5:c3:77:da:7c:ed:0f:
                    e0:34:a1:25:46:94:8a:31:4c:8c:18:f6:c1:ee:e4:
                    03:81:83:db:ad:a1:66:da:8b:5a:91:5a:02:63:a3:
                    c8:c2:ab:1a:b8:c5:5e:4b:7a:7f:dc:95:88:bd:97:
                    96:c8:4a:be:b6:24:f9:af:44:64:90:9f:79:82:68:
                    a2:0d:b5:f7:19:fa:60:1a:c9:22:dd:02:e0:b5:f6:
                    ee:da:63
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:daylightpirates.org, DNS:www.daylightpirates.org
    Signature Algorithm: sha256WithRSAEncryption
         56:28:8e:b0:01:f6:d6:04:9a:fc:be:1e:c0:5b:8f:5e:76:1e:
         4b:4e:f8:8f:fd:b7:ae:43:c0:5c:a8:c3:7a:06:cc:f8:33:24:
         fc:16:44:f5:67:c3:e5:7e:05:41:7d:c3:bc:31:9b:6b:cd:92:
         d4:45:86:98:cf:23:31:72:49:fb:85:4f:01:1d:be:d2:47:dd:
         8e:cb:a5:6d:11:55:a8:bc:45:09:9c:e3:c5:8e:75:49:05:96:
         50:9a:74:b6:59:ed:e6:ce:38:c1:d1:4d:34:00:f6:59:3a:28:
         47:39:40:fe:c9:22:6f:74:39:ac:f6:e4:a9:42:fd:12:b6:5d:
         f5:65:6e:02:28:9d:1c:f5:2a:ca:1f:5e:b3:99:6a:14:88:d2:
         d9:eb:71:d5:3d:68:76:fe:c9:04:e1:3f:c8:e9:a5:9d:5f:01:
         ff:e2:0c:90:e6:43:57:21:45:e2:1b:0a:5a:24:68:58:0f:04:
         a6:8e:bb:c5:2b:d2:4b:0c:8b:bb:be:8f:c9:bb:29:95:d8:38:
         ed:30:b4:e1:28:df:cb:12:ab:d4:0f:ae:8f:9e:6c:e0:4d:c1:
         a7:e4:a6:4f:e9:a7:da:3d:5a:56:94:a3:61:a6:26:04:52:d3:
         e5:6c:ca:ff:16:91:13:01:a3:99:e4:1c:99:7b:07:88:80:78:
         2e:3b:ca:13:e4:d3:50:ed:ac:15:db:0d:c2:ab:5c:8f:6f:63:
         c3:7d:b5:59:94:bd:b1:2f:ea:1b:de:32:07:60:ff:dc:68:13:
         4b:17:93:59:a1:9f:ac:99:e0:b7:6f:80:10:10:b0:02:c4:c5:
         43:e7:fd:14:49:81:5d:88:95:db:68:24:66:b6:9d:c3:86:53:
         57:dd:5e:9e:4e:84:fe:3d:95:84:58:10:4f:8b:3a:38:37:32:
         14:9e:41:fb:5b:4c:ec:46:c3:6a:11:d4:18:ba:5d:49:7b:74:
         c1:2e:42:d9:1c:fa:32:6a:85:7a:d7:16:00:db:47:b6:a3:ef:
         4e:cb:c2:2f:b1:c5:70:a0:ff:73:a3:fe:fc:4a:ad:68:35:2f:
         12:00:4c:8e:bb:46:1b:86:ba:27:e3:15:e0:e9:c1:b0:d3:79:
         c5:da:77:c6:5b:bb:87:da:17:08:83:49:ca:31:b3:0f:b6:02:
         4d:73:b5:5c:16:d1:ef:f2:bc:05:03:8a:f6:04:d3:82:10:bc:
         9f:77:1d:4e:55:e5:40:ee:34:10:de:f6:5b:f5:9f:ca:34:81:
         c9:79:74:6b:55:be:9f:66:8a:1b:40:84:63:69:75:cb:9e:91:
         e7:29:d2:fb:6b:94:7a:97:3c:b5:5c:93:52:42:d9:c4:c0:f5:
         fe:1b:a4:f4:fd:83:c4:dc


$ ./venv/bin/letsencrypt --debug --agree-eula --email diafygi@gmail.com --text --no-simple-http-tls --authenticator manual --work-dir /tmp/work/ --config-dir /tmp/config/ --logs-dir /tmp/logs/ auth --cert-path /tmp/certs/ --chain-path /tmp/chains/ --csr ~/Desktop/domain.csr

...<followed instructions>...

$ openssl x509 -text -in /tmp/certs/0000_ -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:00:00:00:00:00:01:20:37:30:9d:56:0a:ed:ea:92
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=happy hacker fake CA
        Validity
            Not Before: Jun 30 16:55:00 2015 GMT
            Not After : Sep 28 16:55:00 2015 GMT
        Subject: CN=daylightpirates.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a7:61:e4:22:06:ef:1f:c5:37:c7:92:b8:e5:a5:
                    cd:29:c4:f1:f1:ad:7f:43:e2:c2:dd:7f:b7:70:77:
                    e0:29:d4:fb:ec:79:b7:44:b2:96:b5:9e:f6:21:74:
                    35:52:15:98:35:e2:74:d9:85:bd:10:79:bc:9f:a6:
                    5b:44:f4:c8:18:02:24:3c:62:5e:19:85:7f:d5:a9:
                    38:c7:34:9f:7e:9a:2e:6f:af:50:6c:9a:69:c9:94:
                    ca:90:41:fd:1c:30:2c:61:14:5f:33:97:8c:18:52:
                    9a:5d:75:83:30:02:68:3c:1e:c8:69:f6:db:80:85:
                    f1:99:ed:33:92:9c:32:98:b7:79:61:1d:81:70:e0:
                    7d:46:dd:35:da:58:69:c0:62:a6:a3:6d:bf:32:15:
                    4b:8b:78:7a:91:7d:0e:e2:2c:d6:e2:17:4f:81:c4:
                    9a:89:b7:52:71:6d:28:11:28:6e:4e:f5:86:8d:aa:
                    08:45:a6:2b:21:51:92:99:f7:c1:d9:b2:d8:92:08:
                    32:f5:50:74:23:5a:5f:c9:e9:40:c8:c0:10:31:00:
                    16:0e:07:e6:0d:20:e1:e3:38:97:11:ee:b3:51:f0:
                    ce:8a:fe:68:7e:eb:ca:f3:ef:96:44:c7:43:7c:67:
                    89:88:77:3c:a6:77:c0:a0:a8:d7:26:17:bf:b0:d9:
                    97:e0:12:15:29:bc:9e:c0:21:df:92:b9:01:01:fd:
                    70:49:3a:cc:65:c6:44:77:0a:10:a2:06:7f:10:c9:
                    07:ee:9e:78:96:59:b7:29:13:c6:28:7f:e0:e0:e3:
                    34:7b:5a:0b:f0:64:bd:d5:cc:9a:9c:47:0b:67:0d:
                    e3:2c:24:14:71:9f:a3:fe:50:37:6c:11:d1:b5:c8:
                    ef:f0:73:68:41:ac:0d:67:a9:58:33:00:25:3c:dc:
                    5a:9d:72:b2:81:dc:7c:04:d4:41:49:9d:a4:96:3d:
                    13:38:32:f7:19:2b:3a:7e:4d:57:03:4c:23:d1:e2:
                    03:e8:c0:1e:02:32:e4:7f:b3:b2:96:13:dd:db:15:
                    f1:b7:ea:36:4a:cf:cd:0c:ba:38:ba:2c:0f:71:95:
                    7a:3d:b3:3f:4a:01:6c:58:b0:0d:c9:59:79:9b:1e:
                    a2:65:e7:22:ea:ed:ea:25:f5:c3:77:da:7c:ed:0f:
                    e0:34:a1:25:46:94:8a:31:4c:8c:18:f6:c1:ee:e4:
                    03:81:83:db:ad:a1:66:da:8b:5a:91:5a:02:63:a3:
                    c8:c2:ab:1a:b8:c5:5e:4b:7a:7f:dc:95:88:bd:97:
                    96:c8:4a:be:b6:24:f9:af:44:64:90:9f:79:82:68:
                    a2:0d:b5:f7:19:fa:60:1a:c9:22:dd:02:e0:b5:f6:
                    ee:da:63
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                68:31:B1:F9:95:2D:C4:85:A4:EA:FA:B8:F1:B3:9B:97:ED:7A:A4:27
            X509v3 Authority Key Identifier: 
                keyid:FB:78:4F:12:F9:60:15:83:2C:9F:17:7F:34:19:B3:2E:36:EA:41:89

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x1.letsencrypt.org
                CA Issuers - URI:http://cert.int-x1.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:daylightpirates.org, DNS:www.daylightpirates.org
            X509v3 Certificate Policies: 
                0...0...g.....07..+..........0(0&..+.........http://cps.letsencrypt.org0....+..........0..0....+..........This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/documents/
    Signature Algorithm: sha256WithRSAEncryption
         2a:0f:4d:83:38:e0:d7:6b:d9:74:ed:9b:ba:3e:aa:49:c1:05:
         9a:33:c3:24:e5:8f:7d:68:59:1a:13:48:dd:43:6f:4b:4c:b9:
         23:d1:e5:15:b1:ef:ec:be:b0:cf:f3:9f:72:73:cd:ff:8e:4c:
         fb:4c:cf:4d:ba:08:e4:7c:2a:83:65:22:7e:0d:03:cf:5c:a0:
         a3:2b:df:d0:fa:3b:7f:2b:78:bb:46:18:0e:b0:4f:a6:53:20:
         49:59:79:ec:8a:46:51:16:25:05:89:49:66:c5:13:e6:43:1d:
         5b:a7:8d:7f:c8:69:98:f2:0f:5c:e9:3a:71:0c:c6:21:c7:59:
         ec:4d:f7:7a:19:c4:74:4a:c9:b6:b5:59:ba:9a:75:1e:ba:f7:
         ec:f4:01:9b:6a:7a:b8:36:98:08:86:d0:8f:ab:f1:9f:5b:b3:
         99:a8:2c:1c:2d:03:47:b6:48:35:08:72:16:fb:6e:78:54:7a:
         3f:e7:d0:c8:b0:94:e0:1d:d2:cd:b6:9f:a2:27:d5:ef:67:58:
         4c:4a:51:0f:68:a6:74:a9:88:d9:e6:7d:0f:7c:a1:2a:e1:5a:
         76:8d:28:43:b1:13:8f:ab:45:ed:b6:6b:d5:2d:93:d8:83:46:
         e2:9d:36:12:f6:32:34:ec:47:e2:6e:ae:1e:b5:57:0d:07:37:
         46:14:ae:cb
Owner

diafygi commented Jun 30, 2015

Woo! Got it!

$ openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -outform DER -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:daylightpirates.org,DNS:www.daylightpirates.org")) > ~/Desktop/domain.csr

$ openssl req -text -noout -inform DER -in domain.csr 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a7:61:e4:22:06:ef:1f:c5:37:c7:92:b8:e5:a5:
                    cd:29:c4:f1:f1:ad:7f:43:e2:c2:dd:7f:b7:70:77:
                    e0:29:d4:fb:ec:79:b7:44:b2:96:b5:9e:f6:21:74:
                    35:52:15:98:35:e2:74:d9:85:bd:10:79:bc:9f:a6:
                    5b:44:f4:c8:18:02:24:3c:62:5e:19:85:7f:d5:a9:
                    38:c7:34:9f:7e:9a:2e:6f:af:50:6c:9a:69:c9:94:
                    ca:90:41:fd:1c:30:2c:61:14:5f:33:97:8c:18:52:
                    9a:5d:75:83:30:02:68:3c:1e:c8:69:f6:db:80:85:
                    f1:99:ed:33:92:9c:32:98:b7:79:61:1d:81:70:e0:
                    7d:46:dd:35:da:58:69:c0:62:a6:a3:6d:bf:32:15:
                    4b:8b:78:7a:91:7d:0e:e2:2c:d6:e2:17:4f:81:c4:
                    9a:89:b7:52:71:6d:28:11:28:6e:4e:f5:86:8d:aa:
                    08:45:a6:2b:21:51:92:99:f7:c1:d9:b2:d8:92:08:
                    32:f5:50:74:23:5a:5f:c9:e9:40:c8:c0:10:31:00:
                    16:0e:07:e6:0d:20:e1:e3:38:97:11:ee:b3:51:f0:
                    ce:8a:fe:68:7e:eb:ca:f3:ef:96:44:c7:43:7c:67:
                    89:88:77:3c:a6:77:c0:a0:a8:d7:26:17:bf:b0:d9:
                    97:e0:12:15:29:bc:9e:c0:21:df:92:b9:01:01:fd:
                    70:49:3a:cc:65:c6:44:77:0a:10:a2:06:7f:10:c9:
                    07:ee:9e:78:96:59:b7:29:13:c6:28:7f:e0:e0:e3:
                    34:7b:5a:0b:f0:64:bd:d5:cc:9a:9c:47:0b:67:0d:
                    e3:2c:24:14:71:9f:a3:fe:50:37:6c:11:d1:b5:c8:
                    ef:f0:73:68:41:ac:0d:67:a9:58:33:00:25:3c:dc:
                    5a:9d:72:b2:81:dc:7c:04:d4:41:49:9d:a4:96:3d:
                    13:38:32:f7:19:2b:3a:7e:4d:57:03:4c:23:d1:e2:
                    03:e8:c0:1e:02:32:e4:7f:b3:b2:96:13:dd:db:15:
                    f1:b7:ea:36:4a:cf:cd:0c:ba:38:ba:2c:0f:71:95:
                    7a:3d:b3:3f:4a:01:6c:58:b0:0d:c9:59:79:9b:1e:
                    a2:65:e7:22:ea:ed:ea:25:f5:c3:77:da:7c:ed:0f:
                    e0:34:a1:25:46:94:8a:31:4c:8c:18:f6:c1:ee:e4:
                    03:81:83:db:ad:a1:66:da:8b:5a:91:5a:02:63:a3:
                    c8:c2:ab:1a:b8:c5:5e:4b:7a:7f:dc:95:88:bd:97:
                    96:c8:4a:be:b6:24:f9:af:44:64:90:9f:79:82:68:
                    a2:0d:b5:f7:19:fa:60:1a:c9:22:dd:02:e0:b5:f6:
                    ee:da:63
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:daylightpirates.org, DNS:www.daylightpirates.org
    Signature Algorithm: sha256WithRSAEncryption
         56:28:8e:b0:01:f6:d6:04:9a:fc:be:1e:c0:5b:8f:5e:76:1e:
         4b:4e:f8:8f:fd:b7:ae:43:c0:5c:a8:c3:7a:06:cc:f8:33:24:
         fc:16:44:f5:67:c3:e5:7e:05:41:7d:c3:bc:31:9b:6b:cd:92:
         d4:45:86:98:cf:23:31:72:49:fb:85:4f:01:1d:be:d2:47:dd:
         8e:cb:a5:6d:11:55:a8:bc:45:09:9c:e3:c5:8e:75:49:05:96:
         50:9a:74:b6:59:ed:e6:ce:38:c1:d1:4d:34:00:f6:59:3a:28:
         47:39:40:fe:c9:22:6f:74:39:ac:f6:e4:a9:42:fd:12:b6:5d:
         f5:65:6e:02:28:9d:1c:f5:2a:ca:1f:5e:b3:99:6a:14:88:d2:
         d9:eb:71:d5:3d:68:76:fe:c9:04:e1:3f:c8:e9:a5:9d:5f:01:
         ff:e2:0c:90:e6:43:57:21:45:e2:1b:0a:5a:24:68:58:0f:04:
         a6:8e:bb:c5:2b:d2:4b:0c:8b:bb:be:8f:c9:bb:29:95:d8:38:
         ed:30:b4:e1:28:df:cb:12:ab:d4:0f:ae:8f:9e:6c:e0:4d:c1:
         a7:e4:a6:4f:e9:a7:da:3d:5a:56:94:a3:61:a6:26:04:52:d3:
         e5:6c:ca:ff:16:91:13:01:a3:99:e4:1c:99:7b:07:88:80:78:
         2e:3b:ca:13:e4:d3:50:ed:ac:15:db:0d:c2:ab:5c:8f:6f:63:
         c3:7d:b5:59:94:bd:b1:2f:ea:1b:de:32:07:60:ff:dc:68:13:
         4b:17:93:59:a1:9f:ac:99:e0:b7:6f:80:10:10:b0:02:c4:c5:
         43:e7:fd:14:49:81:5d:88:95:db:68:24:66:b6:9d:c3:86:53:
         57:dd:5e:9e:4e:84:fe:3d:95:84:58:10:4f:8b:3a:38:37:32:
         14:9e:41:fb:5b:4c:ec:46:c3:6a:11:d4:18:ba:5d:49:7b:74:
         c1:2e:42:d9:1c:fa:32:6a:85:7a:d7:16:00:db:47:b6:a3:ef:
         4e:cb:c2:2f:b1:c5:70:a0:ff:73:a3:fe:fc:4a:ad:68:35:2f:
         12:00:4c:8e:bb:46:1b:86:ba:27:e3:15:e0:e9:c1:b0:d3:79:
         c5:da:77:c6:5b:bb:87:da:17:08:83:49:ca:31:b3:0f:b6:02:
         4d:73:b5:5c:16:d1:ef:f2:bc:05:03:8a:f6:04:d3:82:10:bc:
         9f:77:1d:4e:55:e5:40:ee:34:10:de:f6:5b:f5:9f:ca:34:81:
         c9:79:74:6b:55:be:9f:66:8a:1b:40:84:63:69:75:cb:9e:91:
         e7:29:d2:fb:6b:94:7a:97:3c:b5:5c:93:52:42:d9:c4:c0:f5:
         fe:1b:a4:f4:fd:83:c4:dc


$ ./venv/bin/letsencrypt --debug --agree-eula --email diafygi@gmail.com --text --no-simple-http-tls --authenticator manual --work-dir /tmp/work/ --config-dir /tmp/config/ --logs-dir /tmp/logs/ auth --cert-path /tmp/certs/ --chain-path /tmp/chains/ --csr ~/Desktop/domain.csr

...<followed instructions>...

$ openssl x509 -text -in /tmp/certs/0000_ -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:00:00:00:00:00:01:20:37:30:9d:56:0a:ed:ea:92
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=happy hacker fake CA
        Validity
            Not Before: Jun 30 16:55:00 2015 GMT
            Not After : Sep 28 16:55:00 2015 GMT
        Subject: CN=daylightpirates.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a7:61:e4:22:06:ef:1f:c5:37:c7:92:b8:e5:a5:
                    cd:29:c4:f1:f1:ad:7f:43:e2:c2:dd:7f:b7:70:77:
                    e0:29:d4:fb:ec:79:b7:44:b2:96:b5:9e:f6:21:74:
                    35:52:15:98:35:e2:74:d9:85:bd:10:79:bc:9f:a6:
                    5b:44:f4:c8:18:02:24:3c:62:5e:19:85:7f:d5:a9:
                    38:c7:34:9f:7e:9a:2e:6f:af:50:6c:9a:69:c9:94:
                    ca:90:41:fd:1c:30:2c:61:14:5f:33:97:8c:18:52:
                    9a:5d:75:83:30:02:68:3c:1e:c8:69:f6:db:80:85:
                    f1:99:ed:33:92:9c:32:98:b7:79:61:1d:81:70:e0:
                    7d:46:dd:35:da:58:69:c0:62:a6:a3:6d:bf:32:15:
                    4b:8b:78:7a:91:7d:0e:e2:2c:d6:e2:17:4f:81:c4:
                    9a:89:b7:52:71:6d:28:11:28:6e:4e:f5:86:8d:aa:
                    08:45:a6:2b:21:51:92:99:f7:c1:d9:b2:d8:92:08:
                    32:f5:50:74:23:5a:5f:c9:e9:40:c8:c0:10:31:00:
                    16:0e:07:e6:0d:20:e1:e3:38:97:11:ee:b3:51:f0:
                    ce:8a:fe:68:7e:eb:ca:f3:ef:96:44:c7:43:7c:67:
                    89:88:77:3c:a6:77:c0:a0:a8:d7:26:17:bf:b0:d9:
                    97:e0:12:15:29:bc:9e:c0:21:df:92:b9:01:01:fd:
                    70:49:3a:cc:65:c6:44:77:0a:10:a2:06:7f:10:c9:
                    07:ee:9e:78:96:59:b7:29:13:c6:28:7f:e0:e0:e3:
                    34:7b:5a:0b:f0:64:bd:d5:cc:9a:9c:47:0b:67:0d:
                    e3:2c:24:14:71:9f:a3:fe:50:37:6c:11:d1:b5:c8:
                    ef:f0:73:68:41:ac:0d:67:a9:58:33:00:25:3c:dc:
                    5a:9d:72:b2:81:dc:7c:04:d4:41:49:9d:a4:96:3d:
                    13:38:32:f7:19:2b:3a:7e:4d:57:03:4c:23:d1:e2:
                    03:e8:c0:1e:02:32:e4:7f:b3:b2:96:13:dd:db:15:
                    f1:b7:ea:36:4a:cf:cd:0c:ba:38:ba:2c:0f:71:95:
                    7a:3d:b3:3f:4a:01:6c:58:b0:0d:c9:59:79:9b:1e:
                    a2:65:e7:22:ea:ed:ea:25:f5:c3:77:da:7c:ed:0f:
                    e0:34:a1:25:46:94:8a:31:4c:8c:18:f6:c1:ee:e4:
                    03:81:83:db:ad:a1:66:da:8b:5a:91:5a:02:63:a3:
                    c8:c2:ab:1a:b8:c5:5e:4b:7a:7f:dc:95:88:bd:97:
                    96:c8:4a:be:b6:24:f9:af:44:64:90:9f:79:82:68:
                    a2:0d:b5:f7:19:fa:60:1a:c9:22:dd:02:e0:b5:f6:
                    ee:da:63
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                68:31:B1:F9:95:2D:C4:85:A4:EA:FA:B8:F1:B3:9B:97:ED:7A:A4:27
            X509v3 Authority Key Identifier: 
                keyid:FB:78:4F:12:F9:60:15:83:2C:9F:17:7F:34:19:B3:2E:36:EA:41:89

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x1.letsencrypt.org
                CA Issuers - URI:http://cert.int-x1.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:daylightpirates.org, DNS:www.daylightpirates.org
            X509v3 Certificate Policies: 
                0...0...g.....07..+..........0(0&..+.........http://cps.letsencrypt.org0....+..........0..0....+..........This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/documents/
    Signature Algorithm: sha256WithRSAEncryption
         2a:0f:4d:83:38:e0:d7:6b:d9:74:ed:9b:ba:3e:aa:49:c1:05:
         9a:33:c3:24:e5:8f:7d:68:59:1a:13:48:dd:43:6f:4b:4c:b9:
         23:d1:e5:15:b1:ef:ec:be:b0:cf:f3:9f:72:73:cd:ff:8e:4c:
         fb:4c:cf:4d:ba:08:e4:7c:2a:83:65:22:7e:0d:03:cf:5c:a0:
         a3:2b:df:d0:fa:3b:7f:2b:78:bb:46:18:0e:b0:4f:a6:53:20:
         49:59:79:ec:8a:46:51:16:25:05:89:49:66:c5:13:e6:43:1d:
         5b:a7:8d:7f:c8:69:98:f2:0f:5c:e9:3a:71:0c:c6:21:c7:59:
         ec:4d:f7:7a:19:c4:74:4a:c9:b6:b5:59:ba:9a:75:1e:ba:f7:
         ec:f4:01:9b:6a:7a:b8:36:98:08:86:d0:8f:ab:f1:9f:5b:b3:
         99:a8:2c:1c:2d:03:47:b6:48:35:08:72:16:fb:6e:78:54:7a:
         3f:e7:d0:c8:b0:94:e0:1d:d2:cd:b6:9f:a2:27:d5:ef:67:58:
         4c:4a:51:0f:68:a6:74:a9:88:d9:e6:7d:0f:7c:a1:2a:e1:5a:
         76:8d:28:43:b1:13:8f:ab:45:ed:b6:6b:d5:2d:93:d8:83:46:
         e2:9d:36:12:f6:32:34:ec:47:e2:6e:ae:1e:b5:57:0d:07:37:
         46:14:ae:cb
@diafygi

This comment has been minimized.

Show comment
Hide comment
@diafygi

diafygi Jun 30, 2015

Owner

Will work on writing an update to give instructions on how to do this.

Owner

diafygi commented Jun 30, 2015

Will work on writing an update to give instructions on how to do this.

@kuba

This comment has been minimized.

Show comment
Hide comment
@kuba

kuba Jun 30, 2015

It would be great to have it in the official client docs (https://github.com/letsencrypt/letsencrypt/tree/master/docs) :). Also, you might find our generate-csr.sh script handy.

kuba commented Jun 30, 2015

It would be great to have it in the official client docs (https://github.com/letsencrypt/letsencrypt/tree/master/docs) :). Also, you might find our generate-csr.sh script handy.

@diafygi

This comment has been minimized.

Show comment
Hide comment
@diafygi

diafygi Nov 5, 2015

Owner

@kuba to clarify, does the manual authenticator still need to access your private keys?

Owner

diafygi commented Nov 5, 2015

@kuba to clarify, does the manual authenticator still need to access your private keys?

@kuba

This comment has been minimized.

Show comment
Hide comment
@kuba

kuba Nov 6, 2015

Since certbot/certbot#504 (June 25), client does not need access to certificate keys.

kuba commented Nov 6, 2015

Since certbot/certbot#504 (June 25), client does not need access to certificate keys.

@diafygi

This comment has been minimized.

Show comment
Hide comment
@diafygi

diafygi Nov 6, 2015

Owner

Gotcha, ok, so it still needs access to the account private keys?

Owner

diafygi commented Nov 6, 2015

Gotcha, ok, so it still needs access to the account private keys?

@pcoutin

This comment has been minimized.

Show comment
Hide comment
@pcoutin

pcoutin Nov 10, 2015

This still has less dependencies, no?
On Debian 7, with the "encryption" python package, and doing import OpenSSL breaks with ImportError: /home/../.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: undefined symbol: SSL_CTX_set_alpn_protos making letsencrypt unusable

pcoutin commented Nov 10, 2015

This still has less dependencies, no?
On Debian 7, with the "encryption" python package, and doing import OpenSSL breaks with ImportError: /home/../.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: undefined symbol: SSL_CTX_set_alpn_protos making letsencrypt unusable

@abl

This comment has been minimized.

Show comment
Hide comment
@abl

abl Nov 14, 2015

letsencrypt-nosudo is also really nice on FreeBSD shared hosting.

abl commented Nov 14, 2015

letsencrypt-nosudo is also really nice on FreeBSD shared hosting.

@101100

This comment has been minimized.

Show comment
Hide comment
@101100

101100 Nov 17, 2015

Contributor

The simplicity of this script makes it both a great tool to try out Let's Encrypt with less hassle (no wonky virtualenv that slows down executing the script every time) while also providing a very clear picture of how the process works for people who are more curious about the process.

Contributor

101100 commented Nov 17, 2015

The simplicity of this script makes it both a great tool to try out Let's Encrypt with less hassle (no wonky virtualenv that slows down executing the script every time) while also providing a very clear picture of how the process works for people who are more curious about the process.

@kuba

This comment has been minimized.

Show comment
Hide comment

kuba commented Nov 17, 2015

FTR, you might all like https://github.com/kuba/simp_le :)

@diafygi diafygi closed this in deab18a Nov 28, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment