{"id":819,"date":"2016-02-10T20:53:44","date_gmt":"2016-02-11T04:53:44","guid":{"rendered":"https:\/\/www.cloudinsidr.com\/content\/?p=819"},"modified":"2018-04-04T02:50:45","modified_gmt":"2018-04-04T10:50:45","slug":"how-to-use-letsencrypt-across-servers-in-manual-configuration-mode-with-a-csr","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/how-to-use-letsencrypt-across-servers-in-manual-configuration-mode-with-a-csr\/","title":{"rendered":"How to Use Letsencrypt across Servers in the Manual Configuration Mode with a CSR"},"content":{"rendered":"<p>Generating SSL certificates when Letsencrypt (<a href=\"https:\/\/www.cloudinsidr.com\/content\/how-to-set-up-letsencrypt-the-ssl-certificate-engine-for-the-cloud-era-of-hyperscale-on-aws-ec2\/\">what is Letsencrypt, who is behind it, and how the heck can you get started<\/a>) is available for your system works in a breeze, but what if you need your certificates for a machine that won&#8217;t take Letsencrypt (for whatever reason)? It is still possible: you can either\u00a0grab Letsencrypt from Git, or, for reasons of practicality&#8230; create a certificate signing request (CSR) on your target server, transfer it to your letsencrypt instance, generate the certificates you need, then transfer the generated files back to your target instance\u00a0and install the certificates in your software.<\/p>\n<p><!--more--><\/p>\n<h6>Step 1. Adjust the DNS configuration for your target server (the one that needs the certificates)<\/h6>\n<p>Make sure that requests to the host names that need the certificates are being routed to the IP address of your target server via an A entry. Unless an A entry is in place, letsencrypt (on your other instance) will flat-out refuse to cooperate.<\/p>\n<h6>Step 2. Adjust openssl configuration on your target server (the one that needs the certificates)<\/h6>\n<p>On the target machine (that is, on the server that will be using the certificates), navigate to the openssl configuration file <strong>openssl.cnf<\/strong> located in:<\/p>\n<pre>cd \/etc\/pki\/tls<\/pre>\n<p>Make a copy of it.<\/p>\n<pre>cp openssl.cnf openssl.cnf-original<\/pre>\n<p>Now open the original in a text editor of your choice. Enter these two lines:<\/p>\n<pre>[SAN]\r\nsubjectAltName=DNS:domainname1.tld,DNS:host.domainname1.tld,DNS:host2.domainname2.tld<\/pre>\n<p>Make sure you replace the host names (domainname1.tld, etc.) with the host names that you want to generate your certificates for.<\/p>\n<h6>Step 3. Generate the certificate signing request on the server that will be using the certificates<\/h6>\n<p>On the target server (that&#8217;s the one that needs the certificates but can&#8217;t run letsencypt), generate the certificate signing request using the config file that you modified in Step 2 above:<\/p>\n<pre>openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout filename.privkey1.pem -out filename.der -outform der -subj \"\/C=US\/ST=Nevada\/L=Las Vegas\/O=domainname1.tld\" -reqexts SAN<\/pre>\n<p>Adjust the parameters as needed, especially the country, state, city, and your domain name (<span style=\"color: #ff0000;\"><span style=\"color: #000000;\">entering incorrect information constitutes a breach of the Terms of Service of Letsencrypt, so<\/span> no &#8220;test city&#8221; here!<\/span>).<\/p>\n<p>You should see a confirmation. Verify that openssl has generated two files:<br \/>\na .pem private key and a .der encoded certificate signing request (CSR). Don&#8217;t bother converting them, letsencrypt will do just fine.<\/p>\n<figure id=\"attachment_823\" aria-describedby=\"caption-attachment-823\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/02\/mailcert_createCSR-01.png\" rel=\"attachment wp-att-823\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-823\" src=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/02\/mailcert_createCSR-01-1024x172.png\" alt=\"Creating a CSR in openssl\" width=\"1024\" height=\"172\" srcset=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/02\/mailcert_createCSR-01-1024x172.png 1024w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/02\/mailcert_createCSR-01-600x101.png 600w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/02\/mailcert_createCSR-01-300x50.png 300w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/02\/mailcert_createCSR-01-768x129.png 768w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/02\/mailcert_createCSR-01.png 1219w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-823\" class=\"wp-caption-text\">Creating a CSR in openssl on the target\u00a0server<\/figcaption><\/figure>\n<h6>Step 4. Transfer the CSR .der file to your letsencrypt machine<\/h6>\n<p>Transfer the .der file to your letsencrypt machine. One way to do this is using rsync, another good option is FileZilla.<\/p>\n<h6>Step 5. Request your certificate files<\/h6>\n<p>On the letsencrypt machine, request your certificate files:<\/p>\n<pre>letsencrypt certonly --authenticator manual --server https:\/\/acme-v01.api.letsencrypt.org\/directory --text --email your@emailaddress.com --csr host.domain.com.der<\/pre>\n<p>Your IP will be publicly logged as having requested the certificate.<\/p>\n<p>In order to\u00a0authenticate your server, follow the onscreen instructions. You can either save an authentication file to a web server directory and serve it via http, or run a Python\u00a0script that the assistant provides, whichever seems more convenient. You should see a confirmation message announcing the path to your certificate chain.<\/p>\n<figure id=\"attachment_822\" aria-describedby=\"caption-attachment-822\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/02\/mailcert_CSR-02_done.png\" rel=\"attachment wp-att-822\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-822 size-large\" src=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/02\/mailcert_CSR-02_done-1024x617.png\" alt=\"Letsencrypt: server authentication methods and a success message\" width=\"1024\" height=\"617\" srcset=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/02\/mailcert_CSR-02_done-1024x617.png 1024w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/02\/mailcert_CSR-02_done-600x361.png 600w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/02\/mailcert_CSR-02_done-300x181.png 300w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/02\/mailcert_CSR-02_done-768x463.png 768w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/02\/mailcert_CSR-02_done.png 1401w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-822\" class=\"wp-caption-text\">Letsencrypt (on your letsencrypt machine): server authentication methods and a success message<\/figcaption><\/figure>\n<h6>Step 6. Transfer generated files back to the target server<\/h6>\n<p>Transfer generated files back to the target server and save them with 640 permissions. Configure your software (such as your mail server and your web server) to use the certificates, and don&#8217;t forget to renew them within 90 days!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Generating SSL certificates when Letsencrypt (what is Letsencrypt, who is behind it, and how the heck can you get started) is available for your system works in a breeze, but what if you need your certificates for a machine that won&#8217;t take Letsencrypt (for whatever reason)? It is still possible: you can either\u00a0grab Letsencrypt from [&hellip;]<\/p>\n","protected":false},"author":101011,"featured_media":76,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[16,33,111,2,6],"tags":[112,113,38],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v14.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Use Letsencrypt across Servers in the Manual Configuration Mode with a CSR - CloudInsidr<\/title>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cloudinsidr.com\/content\/how-to-use-letsencrypt-across-servers-in-manual-configuration-mode-with-a-csr\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Use Letsencrypt across Servers in the Manual Configuration Mode with a CSR - CloudInsidr\" \/>\n<meta property=\"og:description\" content=\"Generating SSL certificates when Letsencrypt (what is Letsencrypt, who is behind it, and how the heck can you get started) is available for your system works in a breeze, but what if you need your certificates for a machine that won&#8217;t take Letsencrypt (for whatever reason)? It is still possible: you can either\u00a0grab Letsencrypt from [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cloudinsidr.com\/content\/how-to-use-letsencrypt-across-servers-in-manual-configuration-mode-with-a-csr\/\" \/>\n<meta property=\"og:site_name\" content=\"CloudInsidr\" \/>\n<meta property=\"article:published_time\" content=\"2016-02-11T04:53:44+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-04-04T10:50:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/11\/cloudinsidr_logo_900px-wide.png\" \/>\n\t<meta property=\"og:image:width\" content=\"900\" \/>\n\t<meta property=\"og:image:height\" content=\"326\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/\",\"name\":\"CloudInsidr\",\"description\":\"Cyber security, infotech\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.cloudinsidr.com\/content\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/how-to-use-letsencrypt-across-servers-in-manual-configuration-mode-with-a-csr\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/11\/cloudinsidr_logo_900px-wide.png\",\"width\":900,\"height\":326,\"caption\":\"cloudinsidr.com logo (900px wide)\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/how-to-use-letsencrypt-across-servers-in-manual-configuration-mode-with-a-csr\/#webpage\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/how-to-use-letsencrypt-across-servers-in-manual-configuration-mode-with-a-csr\/\",\"name\":\"How to Use Letsencrypt across Servers in the Manual Configuration Mode with a CSR - CloudInsidr\",\"isPartOf\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/how-to-use-letsencrypt-across-servers-in-manual-configuration-mode-with-a-csr\/#primaryimage\"},\"datePublished\":\"2016-02-11T04:53:44+00:00\",\"dateModified\":\"2018-04-04T10:50:45+00:00\",\"author\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/21ce63bea726ea64da1beed97e63ba84\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cloudinsidr.com\/content\/how-to-use-letsencrypt-across-servers-in-manual-configuration-mode-with-a-csr\/\"]}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/21ce63bea726ea64da1beed97e63ba84\",\"name\":\"Anna E Kobylinska\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/7a3e9bd152f9d5cd41bf2b92df649857?s=96&d=mm&r=g\",\"caption\":\"Anna E Kobylinska\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/819"}],"collection":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/users\/101011"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/comments?post=819"}],"version-history":[{"count":11,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/819\/revisions"}],"predecessor-version":[{"id":1809,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/819\/revisions\/1809"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media\/76"}],"wp:attachment":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media?parent=819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/categories?post=819"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/tags?post=819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}