Let's Encrypt's root cert expired the end of September just gone.

For the first time since then I tried running an old python script on a Raspberry Pi. It failed with an all-too-familiar certificate error, in both python3 and curl.

I never see these errors in my browser (because Firefox is great like that). Even when I didn't have the certs on my site fully configured, it didn't matter, because Firefox ships its own root store and already had the necessary root and intermediate certs.

So I tried curl on my Windows machine, and it worked, no errors. Okay, it's not the configuration of my site. It's the Raspberry Pi. I need to update its cert store.

I found most of what I needed here. The certs I want are here. (We'll be picking up local certs, so changing into the same directory is important.)

sudo mkdir /usr/share/ca-certificates/local
cd /usr/share/ca-certificates/local

sudo wget https://letsencrypt.org/certs/isrgrootx1.pem
sudo wget https://letsencrypt.org/certs/lets-encrypt-r3.pem

sudo openssl x509 -inform PEM -in isrgrootx1.pem -outform PEM -out isrgrootx1.crt
sudo openssl x509 -inform PEM -in lets-encrypt-r3.pem -outform PEM -out lets-encrypt-r3.crt

sudo dpkg-reconfigure ca-certificates


When prompted, choose 'ask'. Mark your new certs with an asterisk, choose 'ok', and wait for it to finish.

Test by trying that curl command again. All goes well, no more errors!

Great, let's try that script again. Nope! More errors. Now that the Raspberry Pi has the correct certs, we need to update the Python certs too: the certifi package ships its own CA bundle, separate from the system store. Enter an interactive session and find out where it keeps these certs.
python3
import certifi
certifi.where()


It says '/home/pi/.local/lib/python3.7/site-packages/certifi/cacert.pem'. Let's replace it!

rm /home/pi/.local/lib/python3.7/site-packages/certifi/cacert.pem
cp /etc/ssl/certs/ca-certificates.crt /home/pi/.local/lib/python3.7/site-packages/certifi/cacert.pem


Test by trying that python3 script again. All goes well, no more errors! Hopefully for real this time. (Note that reinstalling or upgrading certifi with pip will overwrite this file, so the copy has to be repeated afterwards.)
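As an added example (not from the original post), here is a stdlib-only Python script that audits whatever CA bundle Python is actually using for expired roots, which is the check that would have pointed straight at the problem above. It loads a bundle through ssl.SSLContext and inspects get_ca_certs(); the SAMPLE_CERTS entries are constructed in that same format, and the DST Root CA X3 / ISRG Root X1 dates in them are illustrative values, not read from any file.

```python
import ssl
from datetime import datetime, timezone
# Timestamp format used by ssl's get_ca_certs() and getpeercert().
_SSL_TIME_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_ssl_time(value):
    """Turn 'Sep 30 14:01:15 2021 GMT' into an aware UTC datetime."""
    return datetime.strptime(value, _SSL_TIME_FMT).replace(tzinfo=timezone.utc)

def common_name(cert):
    """Pull commonName out of the nested subject tuples ssl returns."""
    for rdn in cert.get("subject", ()):
        for key, val in rdn:
            if key == "commonName":
                return val
    return "<no CN>"

def expired_certs(certs, now=None):
    """Return (CN, notAfter) for every cert whose validity has already ended."""
    now = now or datetime.now(timezone.utc)
    return [(common_name(c), c["notAfter"]) for c in certs
            if parse_ssl_time(c["notAfter"]) < now]

def load_bundle(path):
    """Parse a PEM bundle; only certs with basicConstraints CA:TRUE are listed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()

def audit(certs, now=None):
    """Summarise a bundle: size, expired roots, and whether ISRG Root X1 is present."""
    names = {common_name(c) for c in certs}
    return {"count": len(certs), "expired": expired_certs(certs, now),
            "has_isrg_root_x1": "ISRG Root X1" in names}

# Constructed sample in the shape get_ca_certs() returns (not read from any file).
SAMPLE_CERTS = [
    {"subject": ((("commonName", "DST Root CA X3"),),), "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("commonName", "ISRG Root X1"),),), "notAfter": "Jun  4 11:04:38 2035 GMT"},
]

if __name__ == "__main__":
    # Check the system store and, if installed, certifi's separate bundle.
    paths = [ssl.get_default_verify_paths().cafile]
    try:
        import certifi
        paths.append(certifi.where())
    except ImportError:
        pass
    for p in filter(None, paths):
        print(p, audit(load_bundle(p)))
```

Run it on the Pi before and after the steps above: the system store and certifi's bundle are reported separately, so a fixed system store next to an unfixed certifi bundle shows up immediately.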
Say you have a simple blog and are hosting the images yourself. You want to get an SSL cert, but the only options provided by your hosting provider are expensive and aimed at much larger sites/usage. You've heard about Let's Encrypt, but your hosting provider doesn't provide it on your package (e.g. shared hosting). But, they do provide a way for you to install SSL certs yourself.

SSL certs, the DIY way.

First, you will need a Linux machine, and a way to FTP (or otherwise get files onto your website). We will be doing this manually, so we'll need to create a file at the following location (you'll be given the specifics later).
/webspace/httpdocs/$site/.well-known/acme-challenge/$file is equivalent to http://$site/.well-known/acme-challenge/$file

Install certbot. I'm on Fedora, so:
sudo dnf install certbot python2-certbot-apache

Run it manually:
sudo certbot certonly --manual --preferred-challenges http

You'll get a warning that your IP will be publicly logged. If this bothers you, perhaps wait to run this until you have access to public internet, e.g. at a cafe or hackerspace, or while on holiday.
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y


After uploading the $file, it's a good idea to view it in your browser to make sure it's being served.

At the end you'll (hopefully) get a success message that tells you when the cert will expire, and where they are on your system, e.g. /etc/letsencrypt/live/$site/fullchain.pem.

With the cert generated, you'll now need to install it manually. You'll need /etc/letsencrypt/live/$site/fullchain.pem and /etc/letsencrypt/live/$site/privkey.pem.

Log in through your hosting provider's control panel. Hopefully they'll have instructions. Basically, copy the contents of fullchain.pem and privkey.pem into the respective text fields. Save, wait a few minutes, and that's it. Your site has SSL.

At this point I copied all my images over to httpsdoc, and updated the links in my blog (for the last year, and the header image in Customize Style). Now if you visit my blog directly you shouldn't get any worrying warnings.

Profile: chebe
