Letsencrypt.sh on Windows-#1.

Update information      Edit(Sep.19)  Edit2(Oct.26)  Edit3(2017.Jul.9)

[2017.OCt.20]    We can use mod_md in ApacheLounge 2.4.x version now, so I changed from dehydrated (former Letsencrypt.sh) to mod_md about certs updating tool. About this, see → “From dehydrate to mod_md, Let’s Encrypt Tool”.
[Oct.26]    As I use Elliptic curve Diffie–Hellman (ECDH) for kx now, I posted a new article. ☞“Letsencrypt.sh on Windows-#4”
[Sep.19]    As I had a success about the first renewal of the Let’s Encrypt Certs automatically, I posted a new article. ☞“Letsencrypt.sh on Windows-#3”
   By the way, they renamed project from letsencrypt.sh to dehydrated. So you can find the project at https://github.com/lukas2511/dehydrated/releases. Therefore, read letsencrypt.sh as dehydrated in my article.
   As I wrote, the script letsencrypt-win-simple doesn’t support the renewal of certificates on Apache Windows version still now, and the official client, that’s certbot, also doesn’t support Apache on Windows OS. So, I think I use the other script named letsencrypt.sh.

   If ‘Run native Bash on Ubuntu on Windows’ project is complete for ordinary users, you can run sh files on Windows10 easily. But now, it is not complete. Besides, my server OS is not Windows10 but Windows7, so I installed Cygwin to my server PC for letsencrypt.sh. I ran setup-x86.exe and added installing wget and apt-cyg. For HowTO, see ‘Building h2load on Cygwin’.

  1. $ apt-cyg install git
  2. $ cd /usr/local
    $ git clone https://github.com/lukas2511/letsencrypt.sh
    $ cd letsencrypt.sh
    Update files.
    $ git pull https://github.com/lukas2511/letsencrypt.sh
  3. Letsencrypt.sh requires curl. So install it.
    $ apt-cyg install curl

   The test configuration of letsencrypt.sh.

  1. Take a look [docs/wellknown.md] and [docs/domains_txt.md], and create domain.txt.
    $ cd /usr/local/letsencrypt.sh
    $ vi domain.txt
  2. Here is my domain.txt.

  3. $ cd /usr/local/letsencrypt.sh
    $ cp docs/examples/config .
    $ vi config
    Edit the next lines by vi.

     * While your testing.
     * You can set it anywhere you want with security consideration.
     * I already have data in the directory '.well-known/acme-challenge' by letsencrypt-win-simple. So I need to tell it to letsencrypt.sh.
  4. Test.
    $ cd /usr/local/letsencrypt.sh
    $ ./letsencrypt.sh -c
    You have some messages like this.

    # INFO: Using main config file /usr/local/letsencrypt.sh/config
    + Generating account key...
    + Registering account key with letsencrypt...
    Processing o6asan.com with alternative names: www.o6asan.com test.o6asan.com
     + Signing domains...
     + Generating private key...
     + Generating signing request...
     + Requesting challenge for o6asan.com...
     + Requesting challenge for www.o6asan.com...
     + Requesting challenge for test.o6asan.com...
     + Responding to challenge for o6asan.com...
     + Challenge is valid!
     + Responding to challenge for www.o6asan.com...
     + Challenge is valid!
     + Responding to challenge for test.o6asan.com...
     + Challenge is valid!
     + Requesting certificate...
     + Checking certificate...
     + Done!
     + Creating fullchain.pem...
     + Done!

    Your test certificates you can find in ${BASEDIR}/certs/YourDomain. The test ends.

   Now getting real certs.

  1. Edit the line in the config file again.
  2. Do the next.
    $ ./letsencrypt.sh -c -x
    * You need -x (–force) option because you have the fake certs in your certs directory and they are not expired. After the running, in your cert directry (${BASEDIR}/certs/YourDomain) you will find ten files like the below.

    cert.csr  cert.pem  cert-xxxxxxxxxx.csr  cert-xxxxxxxxxx.pem
    chain.pem  chain-xxxxxxxxxx.pem  fullchain.pem
    fullchain-xxxxxxxxxx.pem  privkey.pem  privkey-xxxxxxxxxx.pem
  3. $ ./letsencrypt.sh -gc
    * -gc is an option for cleanup. It moves unused certificate files to archive directory. In this case, it moves the fake certs.

   If you use Apache2.4.8 or later, you need fullchain.pem and privkey.pem. But at the point, you meet a trouble. Letsencrypt.sh gives fullchain.pem and privkey.pem as symbolic link files of LINUX. You cannot use them on Windows OS. For resolution, copy fullchain-xxxxxxxxxx.pem and privkey-xxxxxxxxxx.pem as server.crt and server.key to your server cert directory.

Run cmd.exe as Administrator.
>pushd ${BASEDIR}/certs/YourDomain
>copy /Y fullchain-xxxxxxxxxx.pem \pathto\server.crt
>copy /Y privkey-xxxxxxxxxx.pem \pathto\server.key
>x:\Apache24\bin\httpd -k stop
>x:\Apache24\bin\httpd -k start

   That’s it.

   Adding one more thing, I will write about HowTO renew certs automatically on the next post.


   About a week ago, I found an automatic renew of Let’s Encrypt certs didn’t work well. So I tried to do it by manually, and it also gave me a 403 error. When I checked up on the error, I saw the error came from the denial about the directory “.well-known/acme-challenge”. But why was it occurring suddenly? Finally, I found it was because of BPS. Its new version has more strict rules for Site Security. My “.well-known/acme-challenge” was in the Document Root which is WordPress base, and BPS denies accesses to them.

   I moved “.well-known/acme-challenge” to other Location and made a apache2.4 conf file. Its text is like the below.
Alias /.well-known/acme-challenge "/pathto/.well-known/acme-challenge/"

<Directory "/pathto/.well-known/acme-challenge/">
<IfModule mod_authz_core.c>
Require all granted

   When I commented to 「CertbotWebサーバー証明書更新エラー とApache起動不能」, I refered to 「Let’s encrypt のWeb認証に失敗する場合の許可の通し方」, by the way, the topic くりくりさん told me. The cases of 「Let’s encrypt のWeb認証に失敗する場合の許可の通し方」 and mine are very resemble. I rememberd this after it was all over. 😼

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.