
Comments (15)

diafygi commented on July 21, 2024

It appears that the official client still requires root access to the local computer. Are there options that I'm missing?

$ ./venv/bin/letsencrypt --authenticator manual auth --csr ~/Desktop/domain.csr
Traceback (most recent call last):
  File "./venv/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.1', 'console_scripts', 'letsencrypt')()
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 689, in main
    directory, constants.CONFIG_DIRS_MODE, os.geteuid())
  File "/tmp/letsencrypt/letsencrypt/le_util.py", line 31, in make_or_verify_dir
    os.makedirs(directory, mode)
  File "/tmp/letsencrypt/venv/lib/python2.7/os.py", line 157, in makedirs
    mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/etc/letsencrypt'

from acme-nosudo.

jdkasten commented on July 21, 2024

Hi @diafygi, this problem is related to certbot/certbot#552. More work needs to be done here.

If you specify a user-controlled config directory / working directory, it will avoid the problems.

diafygi commented on July 21, 2024

Ok, added them. Now hitting another error. File a bug report?

$ ./venv/bin/letsencrypt --debug --authenticator manual --work-dir /tmp/work/ --config-dir /tmp/config/ --logs-dir /tmp/logs/ auth --csr ~/Desktop/domain.csr

...<enter an email into the GUI and accept the terms>...

Traceback (most recent call last):
  File "./venv/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.1', 'console_scripts', 'letsencrypt')()
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 707, in main
    handle_exception_common()
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 702, in main
    return main2(cli_args, args, config, plugins)
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 675, in main2
    return args.func(args, config, plugins)
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 189, in auth
    file=args.csr[0], data=args.csr[1], form="der"))
  File "/tmp/letsencrypt/letsencrypt/client.py", line 179, in obtain_certificate_from_csr
    csr.data, OpenSSL.crypto.FILETYPE_ASN1), csr)
  File "/tmp/letsencrypt/letsencrypt/crypto_util.py", line 311, in get_sans_from_csr
    csr, OpenSSL.crypto.load_certificate_request, typ)
  File "/tmp/letsencrypt/letsencrypt/crypto_util.py", line 279, in _get_sans_from_cert_or_req
    cert_or_req = load_func(typ, cert_or_req_str)
  File "/tmp/letsencrypt/venv/local/lib/python2.7/site-packages/OpenSSL/crypto.py", line 2380, in load_certificate_request
    _raise_current_error()
  File "/tmp/letsencrypt/venv/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error')]

kuba commented on July 21, 2024

./venv/bin/letsencrypt --config-dir /tmp/le/conf --work-dir /tmp/le/work --logs-dir /tmp/le/logs --authenticator manual auth --csr csr.der should do the job

if you don't feel like typing this over again:

cat <<EOF >letsencrypt.conf
config-dir = /tmp/le/conf
work-dir = /tmp/le/work
logs-dir = /tmp/le/logs
authenticator = manual
EOF
letsencrypt -c letsencrypt.conf auth --csr csr.der

letsencrypt --help will reveal that --csr accepts DER, not PEM, hence your error

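The DER-versus-PEM mismatch behind the `wrong tag` traceback above can be caught before the client runs. This is an added example, not part of the thread or of the letsencrypt client; the function names `csr_encoding` and `csr_to_der` are hypothetical.

```shell
#!/bin/sh
# Added example. csr_encoding and csr_to_der are hypothetical helper names.
# A DER-encoded PKCS#10 request starts with the ASN.1 SEQUENCE tag 0x30;
# a PEM one starts with the ASCII armor "-----BEGIN". A DER parser given PEM
# reads 0x2d ('-') where it expects 0x30, hence the 'wrong tag' error.

csr_encoding() {
    # Print "pem", "der" or "unknown" for the file named in $1.
    [ -r "$1" ] || { echo unknown; return 1; }
    magic=$(od -An -tx1 -N10 "$1" | tr -d ' \n')
    case "$magic" in
        2d2d2d2d2d424547494e) echo pem ;;   # "-----BEGIN"
        30*)                  echo der ;;   # SEQUENCE tag
        *)                    echo unknown; return 1 ;;
    esac
}

csr_to_der() {
    # Write a DER copy of the CSR in $1 to $2, converting only when needed.
    # openssl parses the request either way, so a truncated or non-CSR file
    # is rejected here rather than inside the ACME client.
    case "$(csr_encoding "$1")" in
        der) openssl req -inform DER -in "$1" -noout && cp "$1" "$2" ;;
        pem) openssl req -inform PEM -in "$1" -outform DER -out "$2" ;;
        *)   echo "not a PEM or DER CSR: $1" >&2; return 1 ;;
    esac
}

# Usage with the commands from this thread:
#   csr_to_der ~/Desktop/domain.csr /tmp/le/csr.der &&
#     letsencrypt -c letsencrypt.conf auth --csr /tmp/le/csr.der
```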

kuba commented on July 21, 2024

Sorry, you actually won't see the help :( certbot/certbot#577

diafygi commented on July 21, 2024

Woo! Got it!

$ openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -outform DER -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:daylightpirates.org,DNS:www.daylightpirates.org")) > ~/Desktop/domain.csr

$ openssl req -text -noout -inform DER -in domain.csr 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:daylightpirates.org, DNS:www.daylightpirates.org
    Signature Algorithm: sha256WithRSAEncryption


$ ./venv/bin/letsencrypt --debug --agree-eula --email [email protected] --text --no-simple-http-tls --authenticator manual --work-dir /tmp/work/ --config-dir /tmp/config/ --logs-dir /tmp/logs/ auth --cert-path /tmp/certs/ --chain-path /tmp/chains/ --csr ~/Desktop/domain.csr

...<followed instructions>...

$ openssl x509 -text -in /tmp/certs/0000_ -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:00:00:00:00:00:01:20:37:30:9d:56:0a:ed:ea:92
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=happy hacker fake CA
        Validity
            Not Before: Jun 30 16:55:00 2015 GMT
            Not After : Sep 28 16:55:00 2015 GMT
        Subject: CN=daylightpirates.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                68:31:B1:F9:95:2D:C4:85:A4:EA:FA:B8:F1:B3:9B:97:ED:7A:A4:27
            X509v3 Authority Key Identifier: 
                keyid:FB:78:4F:12:F9:60:15:83:2C:9F:17:7F:34:19:B3:2E:36:EA:41:89

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x1.letsencrypt.org
                CA Issuers - URI:http://cert.int-x1.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:daylightpirates.org, DNS:www.daylightpirates.org
            X509v3 Certificate Policies: 
                0...0...g.....07..+..........0(0&..+.........http://cps.letsencrypt.org0....+..........0..0....+..........This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/documents/
    Signature Algorithm: sha256WithRSAEncryption

diafygi commented on July 21, 2024

Will work on writing an update to give instructions on how to do this.

kuba commented on July 21, 2024

It would be great to have it in the official client docs (https://github.com/letsencrypt/letsencrypt/tree/master/docs) :). Also, you might find our generate-csr.sh script handy.

diafygi commented on July 21, 2024

@kuba to clarify, does the manual authenticator still need to access your private keys?

kuba commented on July 21, 2024

Since certbot/certbot#504 (June 25), the client does not need access to certificate keys.

diafygi commented on July 21, 2024

Gotcha, ok, so it still needs access to the account private keys?

pcoutin commented on July 21, 2024

This still has fewer dependencies, no?
On Debian 7, with the "encryption" Python package, doing import OpenSSL breaks with ImportError: /home/../.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: undefined symbol: SSL_CTX_set_alpn_protos, making letsencrypt unusable.

abl commented on July 21, 2024

letsencrypt-nosudo is also really nice on FreeBSD shared hosting.

101100 commented on July 21, 2024

The simplicity of this script makes it both a great tool to try out Let's Encrypt with less hassle (no wonky virtualenv that slows down executing the script every time) while also providing a very clear picture of how the process works for people who are more curious about the process.

kuba commented on July 21, 2024

FTR, you might all like https://github.com/kuba/simp_le :)
