I've been using openssl to create a key and certificate for my website. This works fine, but leads to complaints from the browser.
Now I would like to move to Let's Encrypt to get a proper certificate.
The setup was very simple, I installed certbot and followed the tutorial on their website.
I was surprised to read that certbot is supposed to be used with the flag certonly. Intuitively, this should mean that only a certificate is created. It should ask me for an existing key during the setup. Which it doesn't; instead, it creates both a new certificate and a new key.
sudo certbot certonly --standalone -d xxxx
...
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
....
But this key doesn't seem to exist. If I enter the path into my server, it complains about not finding the key.
I had problems with read permissions on my certificate, solved by this question: https://serverfault.com/questions/773440/lets-encrypt-ssl-certificate-file-not-found-error-but-still-working
The solution was to change access rights.
But I'm hesitant to do that with my private key. Internet security is so complex, I'm afraid I don't really know about the consequences of changing permissions regarding something as important as the private key.
How am I supposed to use the newly generated certificate? Where can I find the corresponding private key, and do I have to apply additional configuration?
Whatever is trying to use your key needs to be able to read your key. There is absolutely no way around this. – Daniel B – 2017-04-01T10:58:27.170
Certbot's certonly actually means "just get a certificate but don't configure it", as opposed to certbot run, which actually configures Apache for you. (Many users, including myself, would prefer to avoid automated configuration editing – and of course not everyone uses Apache or nginx, either.) – user1686 – 2017-04-01T11:05:26.420
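The path printed under "Generating key" is certbot's working copy; the files a server is meant to use live in /etc/letsencrypt/live/<domain>/ (privkey.pem and fullchain.pem), and those are symlinks into /etc/letsencrypt/archive/<domain>/, which is why chmod on the live/ entry alone changes nothing. Apache and nginx read the key as root at startup before dropping privileges, so for them no permission change is needed at all. Only when some other service running as an unprivileged user has to read the key does access have to be granted, and then the least-privilege way is to give that service's group read access to the archived key file rather than making the key world-readable. The script below is an added example, not code from the question, its comments, or the certbot project; it checks that the key behind live/<domain>/privkey.pem really matches the certificate, prints the real file, and optionally grants one group read access. The domain, the group name (for example www-data) and the directory argument are the reader's own; the script assumes the openssl command line tool and GNU readlink/stat (Linux).

```shell
#!/bin/sh
# check_le_key.sh: locate the private key certbot installed for a site, verify
# it belongs to the certificate, and optionally grant one group read access.
# Added example for this thread; not part of certbot.
#
# Usage: check_le_key.sh /etc/letsencrypt/live/<domain> [group]
#   group: the unprivileged group that must read the key (assumed name, e.g.
#          www-data). Omit it for Apache/nginx, which read the key as root.

set -eu

# Succeed only if privkey.pem and fullchain.pem in the live dir share the same
# public key. Both openssl commands print the SubjectPublicKeyInfo in PEM, so
# the two outputs can be compared as strings.
key_matches_cert() {
    dir=$1
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null || true)
    cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Print the real file behind live/<domain>/privkey.pem (certbot keeps the
# actual files in archive/<domain>/ and points symlinks at them).
resolve_key() {
    readlink -f "$1/privkey.pem"
}

# Give exactly one group read access to the archived key: owner rw, group r,
# nobody else. Prints the resulting octal mode (640). Never chmod 644 a key.
grant_group_read() {
    real=$(resolve_key "$1")
    chgrp "$2" "$real"
    chmod 0640 "$real"
    stat -c '%a' "$real"
}

# Command-line entry point; does nothing when the functions are only sourced.
if [ $# -ge 1 ]; then
    echo "private key file: $(resolve_key "$1")"
    if key_matches_cert "$1"; then
        echo "key matches certificate"
    else
        echo "key does NOT match certificate" >&2
        exit 1
    fi
    if [ $# -ge 2 ]; then
        echo "mode after granting group $2 read access: $(grant_group_read "$1" "$2")"
    fi
fi
```

Run it as root, e.g. `sh check_le_key.sh /etc/letsencrypt/live/example.org`, and add the group only for a service that really needs it. Because the mode is changed on the archive file, the change survives the live/ symlink being repointed, but certbot creates a fresh privkeyN.pem on each renewal with its own default permissions, so a renewal hook (`--deploy-hook`) that re-runs this script is the usual way to keep the grant in place.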