Skip to content

Instantly share code, notes, and snippets.

@polettix
Created October 1, 2016 13:50
Show Gist options
  • Save polettix/e8007a7f2064e7f133d93e060032a880 to your computer and use it in GitHub Desktop.
Save polettix/e8007a7f2064e7f133d93e060032a880 to your computer and use it in GitHub Desktop.

When you set Let's Encrypt up, you will:

  • generate a key on your computer (among other things), which we will call domain.key
  • regularly update a certificate file via Let's Encrypt (most probably using one of the Acme Client Implementations), we will call this file domain.crt

The domain.key file is for your eyes only; you should keep it safe where you run taskd and set server.key to point to it.

The domain.crt file actually contains two certificates: one is for your domain, signed by Let's Encrypt; the other one is a CA intermediate file that tells the world Let's Encrypt is entitled to sign certificates, and it is signed by a "major" CA whose certificate is widespread across browsers/libraries.

For example, this is what I get for polettix.it (I removed some lines inside the certificate):

-----BEGIN CERTIFICATE-----
MIIGNTCCBR2gAwIBAgISAyzjWXqpc+XbdY5msxk1ePBhMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjA4MTUyMjEwMDBaFw0x
NjExMTMyMjEwMDBaMBYxFDASBgNVBAMTC3BvbGV0dGl4Lml0MIICIjANBgkqhkiG
9w0BAQEFAAOCAg8AMIICCgKCAgEAusStlvvKLfyyArC7Qs3j7Bis8JSuPS8gGqm8
DWD10Dp2LfudHe4zElYZ8N2JhT7fnyJacdK/vnp978XDhO8qyc170voA3/uvZa/q
orazl1dysqqKyD0BKkBThAXuNnCXKH88BS1mRjq5Bt+gj8WQbq+We21nZ9NvMuAK
dm3bq9hG1utEYQjKWF4f//V3wY7upNTqkjSKcsh0Q3BZsz+wJfcfIczDbFfJC5nT
+MVrq85nMAPq9wdudPclxepZwMQ2Ou1fzBn9BxxuSiD6t8uM1jxHXP7AV1iFlqt7
6qlnKhnyKl3Si/RZ4KWwv7TMxL/J5aYveIdJxwb3+C/FY1nepJ+FGj2JpiWAJfXS
8uTIaJeh5DUuWp8rlxz+ahd1/UyafO/x9I+/lsfcIuJvx1FCmajOLxTbWdvJIYAS
GVkHvL1FPU0ZlBUd4bs35/vHxFr9W4M3tG1g5GD0/eengWVHt1r10++XoyyrJREg
rc1cW5GlHJN5xkQZNkiHipyEP8yHexYv+y8xknl3MinAP3CO9iQzKTJxGyDOc2Sq
mTZ63Rs/ExpoP10KsVv28Bj8DzBq5Ueei47mxCOzYtUja6/37Kea2jbnd0zj0s3i
28EpskI2P9/uT3FmwM3kWZpqjakkQHDM8Uucw19Mhy7Lp0IMOpuNJMznNSCnzynL
Jo8yStECAwEAAaOCAkcwggJDMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUEd6Rsjy8
dxj1+/Hk+WMK0KtZcOQwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEw
cAYIKwYBBQUHAQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMu
bGV0c2VuY3J5cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgz
LmxldHNlbmNyeXB0Lm9yZy8wUQYDVR0RBEowSIISZmxhdmlvLnBvbGV0dGl4Lml0
ggtwb2xldHRpeC5pdIIHc2luai5pdIIPd3d3LnBvbGV0dGl4Lml0ggt3d3cuc2lu
ai5pdDCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYw
JgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEF
BQcCAjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVw
b24gYnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0
aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2Vu
Y3J5cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQAA3jUihVI9
MfTZJEePQBvCUMjrGP1/ikfWUE2iKVVSzeu5bEs1NFW00HVTQXMKNR7LNiI0j9zD
HIkMvNG9ltamAjY9+NdGN98rlMveuZxx8quPYsQ8U6W2cTUna6DxMNTVnIvi4rRV
TgOWru2wG7n+U9BjeOT/7p+MzI+TPb/N2TMNua7XFn/vmp/qL7NAMFQ7R1C9CTOQ
l/ACM5i3e5MshSn8pg9EQNYDsr5MoUySLZtkJIegIP1zvNU9Yl0nvNoa+f4c97C0
AUD5pOlsXXuFidxtdN6ey7iA+SgLE+ZEZWfC9x1szEx6qlY0ErIi0ywE/lWOTGfO
Dhyov1fiSseU
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

On the server side, you can just point server.cert to point to where domain.crt is located.

On the client side, you have to take the second certificate from the file, save in a file of its own (e.g. letsencrypt-ca.crt) and configure it as taskd.ca:

sed -n '1d;/BEGIN/,/END/p' domain.crt > letsencrypt-ca.crt
task config --force taskd.ca "$PWD/letsencrypt-ca.crt"

If you don't have domain.crt in your client machine (it's a server-side file after all), but you already set taskd properly, then you can do the following on the client machine to generate letsencrypt-ca.crt:

gnutls-cli --print-cert -p 53589 domain.example.com </dev/zero \
| sed -n '/BEGIN/,/END/p' \
| sed -n '1d;/BEGIN/,/END/p' \
> letsencrypt-ca.crt

My sed-fu is a bit weak, so I decided to do the filtering in two steps, the first to isolate the certificates, the second to remove the first certificate and keep the second one.

The last command above can be useful to update file letsencrypt-ca.crt when needed (because it's a certificate that will eventually expire).

Summing up:

  • generate a key domain.key

  • setup a client for Let's Encrypt to get a certificate domain.crt

  • extract letsencrypt-ca.crt from domain.crt, either directly or using gnutls-cli and some sed magic

  • do the following configurations on the server:

      taskd config --force server.key  /path/to/domain.key
      taskd config --force server.cert /path/to/domain.crt
    
  • do the folloiwing configuration on the client:

      task config --force taskd.ca /path/to/letsencrypt-ca.crt
    
@kwisatz
Copy link

kwisatz commented Feb 10, 2020

Never mind, just saw that /etc/letsencrypt/archive is readable by root only.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment