
gethttpsforfree's People

Contributors

cathryne, diafygi, dkcwd, elliotgluck, ermshiperete, freddy36, freddyb, henryk, justfortherec, madbence, morrisjobke, omgimalexis, peterood, rayshan, samlh, thomaslomas, tstratton

gethttpsforfree's Issues

Available way to "Manage Secure Certificates"

I see that https://gethttpsforfree.com/ is a brand new thing, and I want to outline that I have a different environment, which is currently as follows:

In my ISP's admin panel, I have the following 3 menu options:

Step 1: Generate CSR

The entries below have been populated with information associated with your account.
Please check the entries for validity before submitting the form.

Input Values:

Certificate Details
Common Name: Text
Organization: Text
Department: Text
Email contact: E-Mail address
City: Text
State/Region: Text
Country: Text
Key Size: 1024/2048/4096

Step 2: Install Self Signed Certificate

Paste your certificate information below then

Step 3: Install SSL Certificate

Paste your certificate information below then
Certificate Credentials:
Certificate
Private key
CA Chain

Error message:

Errors occurred during the install

Result: Failure
Flag:    warning

Error:   Certificate/Key mismatch [ C:9cd05409c5884b8d01785b2e1a28fa46 | K:34a5accdf58620444416ab202dc50782 ]

I'm trying to get more details from my hoster. I've added 4 domains in total to the whitelist and created support requests for them. Basically it should work soon. Thank you very much anyway!

intermediate should contain cross-signed cert

The intermediate cert that is proposed to be installed should also contain the cross-signed certs, as 99% of browsers will not yet have the Let's Encrypt Authority X1 in the root store.
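Two shell checks that bear on the two reports above: whether the certificate pasted into a hosting panel actually belongs to the private key pasted with it (the "Certificate/Key mismatch" error), and what a chain file really contains, so you can see which intermediate follows the leaf. This is an added example, not code from the gethttpsforfree project; it assumes a POSIX shell and the openssl command-line tool, and the file names are placeholders.

```sh
#!/bin/sh
# Added example (not project code): sanity checks before installing a cert.

# cert_key_match CERT.pem KEY.pem
# Succeeds when the public key embedded in the certificate is the one derived
# from the private key. A panel's "Certificate/Key mismatch" means this fails,
# typically because the CSR was made from a different key than the one pasted.
cert_key_match() {
  cpub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  kpub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$cpub" = "$kpub" ]
}

# chain_links BUNDLE.pem
# Prints subject= / issuer= for every certificate in a PEM bundle, in file
# order. For a correct chain the first cert is the leaf and each cert's issuer
# is the subject of the cert that follows it.
chain_links() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# chain_count BUNDLE.pem: number of certificates in the bundle.
chain_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}
```

Run `chain_links chained.pem` on the file you are about to install: the last issuer printed should be a CA that the clients you care about already trust, which is what the cross-signed intermediate provides for clients that lack the newer root.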

Error!!

{"type":"urn:acme:error:malformed","de
at step 3

Bad path to openssl.cnf when on CentOS 6

Hi. At step 2 (Certificate Signing Request), you advise using the following to generate the CSR on Linux:

openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))

This won't work on CentOS and RHEL because the path to openssl.cnf is not this one but /etc/pki/tls/openssl.cnf.

Maybe rework the site so it shows the instructions for both the Debian and Red Hat Linux families?

Error: input validation does not seem to work

In step 3 I get the error: You need to run the above commands and paste the output in the text boxes below each command.

I did execute all commands and pasted the output in the text boxes. Not sure why it is not recognized.

potential xss sink

(needs the server to collaborate, since it's using HTTPS)

                    file_content.querySelector(".file_cmd").innerHTML = "" +
                        "echo \"" + DOMAINS[d]['server_data'] + "\" > " + DOMAINS[d]['server_uri'];

Would be great if you used textContent though.

syntax error near unexpected token `(' at Step 2: Certificate Signing Request

Hello

I got this error when I ran the step 2-2 command on OS X:
syntax error near unexpected token `('

Generate a CSR for the domains you want certs for:
(replace "foo.com" with your domain)
Linux:
#change "/etc/ssl/openssl.cnf" as needed:
#  Debian: /etc/ssl/openssl.cnf
#  RHEL and CentOS: /etc/pki/tls/openssl.cnf
#  Mac OSX: /System/Library/OpenSSL/openssl.cnf

openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
  <(printf "[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))

How do I make it work?

No external files

It would be cool if the site had only ONE (large) HTML file. This would make it even easier to simply do a "Save As…" and have everything running right away.

At the moment, at least Chrome creates a subfolder with some .js Javascript files. Couldn't those files all be merged into the .html HTML file?

Step 3: last command too long

In Step 3 the last command was too long for my ssh client (putty on Windows). The terminal cropped the command, so it failed.

write tests

Need to create tests (Travis CI?) to test this so I'm not manually testing.

Expected diff:

Added /tests/test.js #mocha or casper script to run phantomjs or selenium tests against the staging CA
Added /.travis.yml #added for travis-ci integration
Modified /README.md #updated to include the travis-ci badge

Step 4 lists "old" entries on error

When an error occurred in step 4, it says "Please go back to Step 1", but when starting from step 1, the domain(s) will be appended in step 4 again, so they appear multiple times.

Possibly previous domains could be detached before appended (or just replaced). Here is the code I'm talking about:

// append this domain to step 4
template.id = "challenge_" + d_;
template.style.display = null;
document.getElementById("challenge_domains").appendChild(template);

Error on Step 4 (option 2)

Steps 1 to 3 are successfully completed, and then I serve the content on the webserver with option 2.
After clicking "I'm now serving this file on xxx", the following error is shown:
Error: Domain challenge failed. Please start back at Step 1. {"type":"urn:acme:error:malformed","detail":"Error unmarshaling challenge response"}

Start back at Step 1 we have too many requests for this url

Step 5: Install Certificate (Error: Certificate signature failed. Please start back at Step 1. {"type":"urn:acme:error:rateLimited","detail":"Error creating new cert :: Too many certificates already issued for: no-ip.org","status":429})

cool ....

why?

In a local environment, step 4 works but step 5 never populates

This is for a local install (created by "git clone", not "Save As...") accessed via the file:// protocol in Mozilla Firefox 42.

I can go through the entire process, through Step 4 ("I'm now serving the files") but nothing ever happens for Step 5; wish I could give more info but there's no error or anything. I did pop open RequestPolicy's log window and I don't see any outgoing requests, so I'm assuming that's related (I have RP's filtering temporarily disabled, as well as NoScript's). When I click the "I'm now serving the files" button, I get the "Domain verified!" message, but that's the last thing that happens. It's a two-hostname SAN cert ("domain.com" and "www.domain.com") as per the example OpenSSL command.

When I execute Step 4, I get the following in Firefox's JavaScript console:

ReferenceError: reference to undefined property DOMAINS[domain].confirmed (index.js:802:1)

I had a look at the code there, but everything looks reasonable to me. I'll keep poking at it, but if you have any ideas on things I could try for troubleshooting, I'm all ears. :) Oh, also, I suppose it's worth noting for confirmation's sake that every time I try a new iteration of testing, I do a cache-bypassing Shift-Reload of the page.

Error: Account registration failed API sign

Thank you for the help, I'm getting stuck on step 3. I appreciate the help.

Error: Account registration failed. Please start back at Step 1. {"type":"urn:acme:error:malformed","detail":"JWS verification error","status":400}

My Account Public Key:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtKSmVLxS8U8zo/bLLBbU
R222pDEKm8aR7pxi/eLzywyPNtA83mke9G+dNgr/3ipOhYoPkcXXEMBviNROJ3y4
kvUShzqIUfoONbTU9Hh3HxiW3GARnWluJDNHiTBVfvWU690f2ieptg4V401Xjudb
UZ4KH5z1AZxGB46O18X2H2PtmXFpt8C065CnScyMf0bnI1zwxg79D0SrF7Nt7Cfi
VJON4FfpqEGqYHen6mYRFKRtuJ2HrTWd/IPf/xR8xDRoCgA+tZHh+/MkEPij6++A
JZzSSQk8eKmJE3Jelct2hZS8VKuQrPYnhRymh1FuPBLnBnHmOYT9KgN//Oj5eG4O
YwIDAQAB
-----END PUBLIC KEY-----

CSR:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

API:

PRIV_KEY=./account.key; echo -n "eyJub25jZSI6Im5LQ2czdFNic05DNWU0R3ZZb1BPZG96OGtHb3dqVkRyZndJMUI3Yl9tVmMifQ.eyJyZXNvdXJjZSI6Im5ldy1yZWciLCJjb250YWN0IjpbIm1haWx0bzpjYXJsZHVyckBjYXJsZHVyci5jb20iXSwiYWdyZWVtZW50IjoiaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvZG9jdW1lbnRzL0xFLVNBLXYxLjAuMS1KdWx5LTI3LTIwMTUucGRmIn0" | openssl dgst -sha256 -hex -sign $PRIV_KEY

PRIV_KEY=./account.key; echo -n "eyJub25jZSI6IkpwVWFOZ2t5ZXY0VHhPYTdjd2FkS1ZISnBaLXZQWmxHMUI2VXAzMEs5WjQifQ.eyJyZXNvdXJjZSI6Im5ldy1hdXRoeiIsImlkZW50aWZpZXIiOnsidHlwZSI6ImRucyIsInZhbHVlIjoiY2FybGR1cnIuY29tIn19" | openssl dgst -sha256 -hex -sign $PRIV_KEY

PRIV_KEY=./account.key; echo -n "eyJub25jZSI6ImV5MmNRMWEwMk12S3FHQjlEN3VGaXdkM2RkMlZPRjZac2RheV9LSWtKWDQifQ.eyJyZXNvdXJjZSI6Im5ldy1hdXRoeiIsImlkZW50aWZpZXIiOnsidHlwZSI6ImRucyIsInZhbHVlIjoid3d3LmNhcmxkdXJyLmNvbSJ9fQ" | openssl dgst -sha256 -hex -sign $PRIV_KEY

PRIV_KEY=./account.key; echo -n "eyJub25jZSI6InBDTGlGbHVIWUJ6N0VvVVotcXlqZnRBVjJfQ0dGVXFGOGpXT2FYYnhOTE0ifQ.[...]" | openssl dgst -sha256 -hex -sign $PRIV_KEY

Checking ownership of domains

Hello,
I have a small problem. Let's Encrypt whitelisted my domain and subdomains. But in the end, I have like 20 subdomains that I must verify ownership of... Is there a way to (for example) check only the main domain? (something.com)
Thanks!

Step 4 doesn't reset when generating multiple certs

I used gethttpsforfree.com to generate multiple certs (u32.net, www.u32.net, etc)...

First I went through the whole process for u32.net. Couldn't have gone better.

Then, I started over at step 2 to create a cert for www.u32.net (server sw won't let me combine them). When I reached step 4, gethttpsforfree still thought we were working with u32.net. Clicking Submit ("I'm now serving this file on u32.net") failed after a while, then everything reset and I was able to generate the file for www.u32.net.

So, everything works, it's just unfortunate that it needs to timeout once first.

Since this is the biggest problem I ran into, gethttpsforfree is working extraordinarily well. Great job.

change the name

You should not name this "get https for free", because with TLS certificates not only HTTP connections can be encrypted; "get tls cert for free" would in my opinion be a better name. Also consider switching from .com to .org for a non-commercial project website.

Can't sign *.domain.com

Not sure if this is an API issue or an issue of this tool, but it seems that you can't use wildcards when you try to sign your requests.
Tried to sign *.mydomain.com <-- Obviously that's not my domain
but instead had to sign www.mydomain.com, mydomain.com and all my subdomains.

Step 2: Process Substitution not generally supported

Process substitution is not generally supported by all shells. Running Step 2 in busybox on a Synology NAS, I had to use a work around using temporary files.
Maybe it makes sense to change this in order to make the shell code more general?

remove "python" from server requirements

In your README.md you state that it is possible to verify your domain without a Python server and with just any web server now. So you might replace the

  • python

by

  • python or any https server where you can put a new file on any location

(maybe you want to think of a better way to say this).

path with "." doesn't work on my system...

I tried the file based authorization but my services provider seems to have restricted paths starting with a dot to just the first level. No files within acme-challenge are found...

Either drop the dot or make the path configurable...

ability to use non-port-80 for verifying domain

Thank you kindly for your alternate interface to Let's Encrypt. I ran into a snag: I'm running a home server on a different port than 80 since my ISP blocks 80. It would be nice to be able to do step four on a port other than 80.

Instructions don't work for OSX (El Capitan)

openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))
cat: /etc/ssl/openssl.cnf: No such file or directory
unable to find 'distinguished_name' in config
problems making Certificate Request
4769:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/crypto/conf/conf_lib.c:329:group=req name=distinguished_name
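The four reports above (the CentOS path, the OS X syntax error, busybox without process substitution, El Capitan) share one cause: the site's one-liner hard-codes /etc/ssl/openssl.cnf and relies on bash's <( ) syntax. The script below does the same CSR generation with a temporary config file, and finds the stock config first via `openssl version -d` and then in the paths the page mentions. It is an added example, not the site's code; the two Homebrew paths are this example's assumption, and domain.key, domain.csr and foo.com are placeholders. It assumes a POSIX shell and openssl.

```sh
#!/bin/sh
# Added example (not the site's code): SAN CSR without process substitution,
# so it runs under dash, busybox ash and bash alike.

# Print the first readable openssl.cnf: the build's OPENSSLDIR, then the
# Debian, RHEL/CentOS, Apple system OpenSSL and (assumed) Homebrew locations.
find_openssl_cnf() {
  dir=$(openssl version -d 2>/dev/null | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
  for f in "${dir:+$dir/openssl.cnf}" /etc/ssl/openssl.cnf /etc/pki/tls/openssl.cnf \
           /System/Library/OpenSSL/openssl.cnf \
           /usr/local/etc/openssl/openssl.cnf /opt/homebrew/etc/openssl@3/openssl.cnf; do
    if [ -n "$f" ] && [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
  done
  return 1
}

# make_san_csr KEYFILE OUTFILE DOMAIN [DOMAIN ...]
# Writes a CSR with an empty subject and every domain in subjectAltName, i.e.
# what the site's "openssl req -new -sha256 -key domain.key -subj / -reqexts SAN"
# recipe produces, but with a temp file in place of <( ).
make_san_csr() {
  key=$1; out=$2; shift 2
  [ $# -ge 1 ] || { echo "make_san_csr: at least one domain required" >&2; return 2; }
  base=$(find_openssl_cnf) || { echo "make_san_csr: no openssl.cnf found" >&2; return 1; }
  san=
  for d in "$@"; do san="${san:+$san,}DNS:$d"; done
  tmp=$(mktemp) || return 1
  # Copy the stock config (it carries the [req] / distinguished_name entries
  # that openssl req insists on) and append the [SAN] section.
  { cat "$base"; printf '\n[SAN]\nsubjectAltName=%s\n' "$san"; } > "$tmp"
  openssl req -new -sha256 -key "$key" -subj "/" -reqexts SAN -config "$tmp" -out "$out"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# csr_san_names CSRFILE: print the DNS names carried in the CSR, one per line.
csr_san_names() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}
```

Usage: `make_san_csr domain.key domain.csr foo.com www.foo.com && csr_san_names domain.csr`. Checking the names before pasting the CSR into Step 2 avoids a round trip through the CA for a request that lacks a hostname.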

Step 5 throws error immediately

After successfully completing step1-4 the final step 5 throws
immediately an error:

Step 5: Install Certificate (Error: Certificate signature failed.
Please start back at Step 1.
{"type":"urn:acme:error:malformed","detail":"Unable to read/verify
body :: JWS verification error","status":400})

Step 4: Verify Ownership - HTML/JS Error

When I am on step 4, when I click "I'm now serving this file on domain.com", it always returns: "Error: You need to run the above signature command and paste the output in the text box." even though the file is correctly hosted.

I have traced the issue to line 714 of index.js, where this is run:

var challenge_sig = hex2b64(document.getElementById("challenge_sig_" + d_).value);

The issue is that document.getElementById("challenge_sig_" + d_).value is always empty so of course the check fails.

Stuck at step 3

Stuck at step 3. Not working. Executed and pasted the correct output.
[image]

SSLCertificateFile doesn't support chained certificates in Apache 2.2

Just a quick heads up regarding the configuration instructions for Apache:

The suggestion to concatenate the domain and the intermediate certificate doesn't work for Apache 2.2. The docs suggest this feature was added in version 2.4.8.

The correct configuration for Apache 2.2 seems to be

SSLCertificateFile          /etc/ssl/certs/domain.pem
SSLCertificateChainFile     /etc/ssl/certs/intermediate.pem

There's no warning when configuring Apache 2.2 as suggested, it just doesn't work as intended.

Something went wrong. Go back to Step 1

When something goes wrong you have to start at the beginning. That's not very helpful. It would be great to get some idea what exactly went wrong and restore as much as possible of the previous progress.

Misleading output after 'Validate CSR' step

After completing the first three steps it says 'account registered...' after verifying the signatures. I'm stuck at this point. 'Step 4: Verify Ownership (waiting...)' hasn't changed since...

Add Support for Step 4 (ACME Challenge) on https / different Ports

Hi there,

I have a Feature Request, and as I'm not really capable of doing it myself, I'm hoping someone else can realize it:

Problem:

In Step 4: ACME Challenge / Authorization the LE API always checks the Webserver (for which you request the Certificate) on Port 80 (http) for the /.well-known/acme-challenge

New Feature Request

It would be fantastic if there were some kind of Option (Dropdown Box or an Empty Input Field) to tell the LE API to verify against https or even against a custom Port for the ACME Challenge.

additional Information

In the official LetsEncrypt Python Client there is a --dvsni-port (now called TLS-SNI-01) which does the trick.

If I can assist with something other than the Coding let me know and I'll try to help. Thanks!

Greetings,
Claus

Auto-selecting readonly fields?.. or as-is?

This will auto-select the contents of fields the user is supposed to copy from (if the browser is incompatible then this should still gracefully pass). Is this PR-worthy, or will everything be left as-is and nothing more?

function focusOnReadonlyFields(e){
    // IF it's readonly AND a selectable.
    if(e.target.hasAttribute("readonly") && typeof e.target.select === "function"){

        // IF it's what we intend.
        if(e.target.tagName === "TEXTAREA" || (
            e.target.tagName === "INPUT" &&
            e.target.getAttribute("type") === "text"
        )){
            e.target.select();
        }
    }
}
document.getElementById("body").addEventListener("click", focusOnReadonlyFields);

(Just certified my first Let's Encrypt site with the help of gethttpsforfree, awesome work!)

Step #3 failing

Error: Account registration failed. Please start back at Step 1. {"type":"urn:acme:error:malformed","detail":"Unable to read/verify body :: JWS verification error","status":400}

Tried with Chrome 47/MS Edge on Windows 10 x64. Account key was generated with openssl-1.0.2d-fips-2.0.10 for Windows, CSR is from Cisco IOS.

CSR:
-----BEGIN CERTIFICATE REQUEST-----
MIIDEDCCAfgCAQAwgakxETAPBgNVBAgTCE5lYnJhc2thMQswCQYDVQQGEwJVUzEY
MBYGA1UEChMPQWxleCBIYXV0ZXF1ZXN0MQ8wDQYDVQQLEwZyb3V0ZXIxHTAbBgNV
BAMTFHJvdXRlci5ocXVlc3QucHJvLmJyMT0wGAYJKoZIhvcNAQkIEwsxOTIuMTY4
LjAuMTAhBgkqhkiG9w0BCQIWFHJvdXRlci5ocXVlc3QucHJvLmJyMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxVDvMml9YOTYGRb8emjyD1QC/0iK5MAU
o7NPEpF2219ZmxcPN/ahVW/o4fFj1x1YtMhQlX15QeR3Os3z+qbz16vWV4dPRKT7
JDdWtpTlRc3uFXJRJktCC1J6KGh0GuGEWnjEAfMVu2baDU5wqtqBity83CAEVoU9
+7couSHS94PskafPgo6wuiNbgP+FpL4iaX3YlVVL2bjPZ8DkehrvUFv37LMmkWtV
vFnKK4IhKfmPiZQ5VQnD7r9rLhoxhPWQI3q1eYuLRvSSqdnKvu33vlCOmS7oTTLX
j2McGg7AN/up/0k0x5ClFBWXg39YZ0DfQBtycbuzwz7U14eD4/LEuQIDAQABoCEw
HwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAwDQYJKoZIhvcNAQELBQAD
ggEBAIePDP+985TxMDkEfvi+QIacnF5rUAtsm7jLgAghEQL2InnTOydjIeWk0tNE
FTeFEEwgjOStkeS1aUS3E0Nhd3N99isaUXEurqsb3vYfBR5ipmYFNvKi9OgUuztG
IOgTWFvApwCWXk2mWYlizOrGi+I06E/rNrChqcQ1kCg+2grrpsfGv4bqYi66Blpt
R4rLD2J+Do13Oxqzq2tevzj4XL/iaOaPFm+aEtH5NgIog6U7JCAUQDKwh+z1QqQ5
lZhYryQRDu4fPxKHL9nBaluIXq2kmiZfC++WykHdj3xeBfLB9qO9g55CTeoYZT0I
hs6WYY9CcExAV9xauBpZlDwLOWc=
-----END CERTIFICATE REQUEST-----

C:\openssl-1.0.2d-fips-2.0.10\bin>echo "eyJub25jZSI6InU1QnlNekg0TDRaNjNadFdvOFhTNHBKV0NhR29BZE5odWJ0djZfb0pHTEEifQ.eyJyZXNvdXJjZSI6Im5ldy1yZWciLCJjb250YWN0IjpbIm1haWx0bzpocXVlc3RAZ21haWwuY29tIl0sImFncmVlbWVudCI6Imh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL2RvY3VtZW50cy9MRS1TQS12MS4wLjEtSnVseS0yNy0yMDE1LnBkZiJ9" | openssl dgst -sha256 -hex -sign privkey.pem
(stdin)= 5a4ee6cde0529ae572b0bbebb907d0b8126ca334ecad2d0c51df088cffaade89eaccc629081b8ca2d94682d60a26c5cabc5b0340fd8c336ae3084414162db19c765f98254a3465542b11952dddb1ccd16ede4121c1b5c47ebaf7acfa89de9a29f4e5734375af6bed1bf36dfe99cee6491edc84c80d319c8b0f2d846dae60fdd243a42aef07193f0f42404a07924c5f4d660aac83537bca7145f7440ca1fb622116a61e5c08bc47ea3f51effa1619ff3e9ab5f9f16db7285ee254bce69b2c00e97bb0eb08f0c959e2983fa62b650f460f9c16ba96a9104de47826f80c4b9057cdf163d8510750e78b811a5878a5a87b6d6ad0746552e4b6ed2a1ed479605404deb2fccb02dfd450b4066f06df45823a4fe8643ca05fb6c9d93ec90b440b3b980400e16cc2cb9e84133f4fd644424209fb9ea51abea04f0d62b656ed90b6bcf11568b543e9dbc9665d49403ef9f158e59c8870be6200c6378f46e2046283deb5fc2fbd701a8a6584b7035a1b30a95d0c65bed95952cda88a8504fc74dece97e9a4785c25e15bf8edff537fd0214a5d4e70f711a007670b3ac21f5c44fe59a737b2a2d156a3402b5d8e404207e5da026766de80c93fe3a3ae33208bc4eb663767428b195c4d7539f7b71a48cd6738861068beedabc598ceebf10580318793c6bed5e782b321563f182680ec445c6b9b0905ae42229d114d32ba0fa9c12c46b78db9

C:\openssl-1.0.2d-fips-2.0.10\bin>echo "eyJub25jZSI6IndxTU41WXIwazdoLWxUemJreUZuVWlfaVJEUkJRT0hOZTB3V29VUVVNdm8ifQ.eyJyZXNvdXJjZSI6Im5ldy1hdXRoeiIsImlkZW50aWZpZXIiOnsidHlwZSI6ImRucyIsInZhbHVlIjoicm91dGVyLmhxdWVzdC5wcm8uYnIifX0" | openssl dgst -sha256 -hex -sign privkey.pem
(stdin)= ...

C:\openssl-1.0.2d-fips-2.0.10\bin>echo "eyJub25jZSI6IjFMTXVLcFY5ejBJbEJIb3VGZmZPN2xIcEFGbTJBeHNuN0ZucDBJZW9aaFEifQ.[...]" | openssl dgst -sha256 -hex -sign privkey.pem
(stdin)= ...
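Both "JWS verification error" reports above ("Error: Account registration failed API sign" and "Step #3 failing") paste the raw signing commands. The functions below, an added example rather than the site's code, reproduce what Step 3 asks for, an RS256 signature over the exact protected.payload bytes, and verify it locally against the account public key, so the two usual causes of a bad signature, extra bytes in the signed input and a key that does not match the registered public key, can be ruled out before retrying. The site's commands rely on `echo -n` for the same reason (cmd.exe's echo, by contrast, has no -n and prints the quotation marks as part of the line). The site prints the signature as hex and converts it in the browser; here openssl emits the raw signature and it is base64url-encoded directly, which gives the same JWS signature value. Assumes a POSIX shell and openssl; account.key, account.pub and the sample input are placeholders constructed for the example.

```sh
#!/bin/sh
# Added example (not the site's code): sign and verify the Step 3 JWS input.

# jws_sign KEY.pem 'protected.payload'
# Signs exactly the bytes given (no trailing newline) with RS256 and prints the
# base64url signature that belongs in the JWS "signature" field.
jws_sign() {
  printf '%s' "$2" | openssl dgst -sha256 -sign "$1" \
    | openssl base64 -A | tr -- '+/' '-_' | tr -d '='
}

# b64url_decode STRING: unpadded base64url -> raw bytes on stdout.
b64url_decode() {
  s=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | openssl base64 -d -A
}

# jws_verify PUB.pem 'protected.payload' SIGNATURE
# Succeeds only if SIGNATURE verifies over exactly those bytes under PUB.pem,
# which is what the CA does with the account public key from Step 1.
jws_verify() {
  tmp=$(mktemp) || return 2
  b64url_decode "$3" > "$tmp"
  if printf '%s' "$2" | openssl dgst -sha256 -verify "$1" -signature "$tmp" >/dev/null 2>&1; then
    rm -f "$tmp"; return 0
  fi
  rm -f "$tmp"; return 1
}
```

Usage: `openssl rsa -in account.key -pubout -out account.pub`, then `sig=$(jws_sign account.key "$input")` and `jws_verify account.pub "$input" "$sig"`. If the local verification fails, the key you signed with is not the key whose public half you pasted in Step 1; if it passes but the CA still rejects the request, the bytes you signed differ from what the page sent (a trailing newline or stray quotes are enough).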

Incorrect SNI alerts warning for Apache ServerAlias setting

Thanks for the great guide!

Using the suggested Apache config to install the certificate resulted in an "Incorrect SNI alerts" warning on the SSL test. Changing the config from

ServerAlias www.foo.com:443

to

ServerAlias www.foo.com

got rid of the warning for me.

How to perform the last step (Ubuntu 14.04 x86_64 on VPS with Nginx and Vesta)?

Hi guys, I have an extremely stupid question to ask.

I am stuck at step 5.5, which is telling me to:
"
5. Update your webserver config to use https (examples below).
server {
listen 443;
server_name foo.com;
ssl on;
ssl_certificate /etc/ssl/certs/chained.pem;
ssl_certificate_key /etc/ssl/private/domain.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
ssl_session_cache shared:SSL:50m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_prefer_server_ciphers on;

location / {
    return 200 'Hello world!';
    add_header Content-Type text/plain;
}

}
"
I think I know how to change the template to my need (simply change foo.com to my domain name and which I have tried), but I don't know where the "webserver config" file is. I thought it was "/etc/nginx/nginx.conf", but I couldn't work it out by myself.

So, how do I perform the last step? I am on Ubuntu 14.04 x86_64 on a VPS with Nginx and Vesta. Nginx was probably installed by Vesta automatically.

Any help will be appreciated. Thx!

Step 3 failing

Hi,

When I run Step 3 I get the following error:

Error: Domain failed. Please start back at Step 1. {"type":"urn:acme:error:badNonce","detail":"Unable to read/verify body :: JWS has invalid anti-replay nonce","status":400}

The console log shows:

[Error] Failed to load resource: the server responded with a status of 409 (HTTP/2.0 409) (new-reg, line 0)
[Error] Failed to load resource: the server responded with a status of 400 (HTTP/2.0 400) (new-authz, line 0)

console.log(JSON.stringify(ACCOUNT_PUBKEY));
console.log(JSON.stringify(CSR));
console.log(JSON.stringify(DOMAINS));
[Log] undefined
[Log] undefined
[Log] undefined

Stuck at Step 4

Error: Domain challenge failed. Please start back at Step 1. {"type":"urn:acme:error:malformed","detail":"Unable to read/verify body :: JWS verification error","status":400}
I tried it several times, namelookup for the domain works, I can browse it manually.

Step 4 fails on IPv6-only server

I am at step 4 option 2, the challenge file is there (can access it with my browser) with the right content but I receive this error (X-ed my domain name):

Error: Domain challenge failed. Please start back at Step 1. {"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unknownHost","detail":"No IPv4 addresses found for XXXXX"}

My server is indeed only accessible via IPv6 and has no IPv4 address (stupid carrier-grade NAT). Apparently this is a known bug in letsencrypt: certbot/certbot#180 and certbot/certbot#1466
Until they fix that issue over there, I propose a rewrite of the error message, especially not "Please start back at Step 1" because that would be wasted time.

Unfortunately, the python-based challenge doesn't work either: I can't connect to the webserver at all. With a tweak to the python commands (via certbot/certbot#1466 (comment)) I can at least get the server to be accessible:

import BaseHTTPServer, SimpleHTTPServer, socket   # Python 2 standard library
h = BaseHTTPServer.BaseHTTPRequestHandler
# serve every file as text/plain so the challenge body is not mislabelled
SimpleHTTPServer.SimpleHTTPRequestHandler.extensions_map = {'': 'text/plain'}
# bind an IPv6 socket instead of the default AF_INET
class HttpServerV6(BaseHTTPServer.HTTPServer):
    address_family = socket.AF_INET6

# answer every GET with the challenge content (redacted here as XXXXX)
h.do_GET = lambda r: r.send_response(200) or r.end_headers() or r.wfile.write('XXXXX')
s = HttpServerV6(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler)
s.serve_forever()

I can now connect to the webserver, but only to receive an Error 404 page. I have not enough experience with these python HTTPServers, but might it be possible to get the challenge to work at least with the python-based option?
