Official client supports CSRs and manual mode! #5

Closed
kuba opened this issue Jun 26, 2015 · 15 comments

Comments

kuba commented Jun 26, 2015

Now that certbot/certbot#504 (CSRs) and certbot/certbot#502 (manual authenticator) are merged in, the official Let's Encrypt client provides the same features as letsencrypt-nosudo! You can try it out by running letsencrypt --authenticator manual auth --csr csr.der. To use the simpleHttp challenge without TLS, use --no-simple-http-tls.

Please consider adding appropriate notice to your project. You are all more than welcome to contribute "upstream"! :)

cc: @diafygi, @jdkasten

diafygi (Owner) commented Jun 30, 2015

It appears that the official client still requires root access to the local computer. Are there options that I'm missing?

$ ./venv/bin/letsencrypt --authenticator manual auth --csr ~/Desktop/domain.csr
Traceback (most recent call last):
  File "./venv/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.1', 'console_scripts', 'letsencrypt')()
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 689, in main
    directory, constants.CONFIG_DIRS_MODE, os.geteuid())
  File "/tmp/letsencrypt/letsencrypt/le_util.py", line 31, in make_or_verify_dir
    os.makedirs(directory, mode)
  File "/tmp/letsencrypt/venv/lib/python2.7/os.py", line 157, in makedirs
    mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/etc/letsencrypt'

@jdkasten

Hi @diafygi, this problem is related to certbot/certbot#552. More work needs to be done here.

If you specify a user controlled config directory / working directory it will avoid the problems.

diafygi (Owner) commented Jun 30, 2015

Ok, added them. Now hitting another error. File a bug report?

$ ./venv/bin/letsencrypt --debug --authenticator manual --work-dir /tmp/work/ --config-dir /tmp/config/ --logs-dir /tmp/logs/ auth --csr ~/Desktop/domain.csr

...<enter an email into the GUI and accept the terms>...

Traceback (most recent call last):
  File "./venv/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.1', 'console_scripts', 'letsencrypt')()
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 707, in main
    handle_exception_common()
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 702, in main
    return main2(cli_args, args, config, plugins)
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 675, in main2
    return args.func(args, config, plugins)
  File "/tmp/letsencrypt/letsencrypt/cli.py", line 189, in auth
    file=args.csr[0], data=args.csr[1], form="der"))
  File "/tmp/letsencrypt/letsencrypt/client.py", line 179, in obtain_certificate_from_csr
    csr.data, OpenSSL.crypto.FILETYPE_ASN1), csr)
  File "/tmp/letsencrypt/letsencrypt/crypto_util.py", line 311, in get_sans_from_csr
    csr, OpenSSL.crypto.load_certificate_request, typ)
  File "/tmp/letsencrypt/letsencrypt/crypto_util.py", line 279, in _get_sans_from_cert_or_req
    cert_or_req = load_func(typ, cert_or_req_str)
  File "/tmp/letsencrypt/venv/local/lib/python2.7/site-packages/OpenSSL/crypto.py", line 2380, in load_certificate_request
    _raise_current_error()
  File "/tmp/letsencrypt/venv/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error')]

kuba (Author) commented Jun 30, 2015

./venv/bin/letsencrypt --config-dir /tmp/le/conf --work-dir /tmp/le/work --logs-dir /tmp/le/logs --authenticator manual auth --csr csr.der should do the job

if you don't feel like typing this over again:

cat <<EOF >letsencrypt.conf
config-dir = /tmp/le/conf
work-dir = /tmp/le/work
logs-dir = /tmp/le/logs
authenticator = manual
EOF
letsencrypt -c letsencrypt.conf auth --csr csr.der

letsencrypt --help will reveal that --csr accepts DER, not PEM, hence your error
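Since --csr takes DER and the "wrong tag" traceback above is exactly what a PEM file produces when fed to a DER parser, a pre-flight check of the CSR encoding saves the round trip. The following Python is an added example, not code from this thread or from the letsencrypt client; SAMPLE_DER is a constructed stand-in for a real request, not an actual CSR.

```python
import base64
import re

# PEM CSR markers. A DER parser fed a PEM file fails on byte 0: "-" (0x2d)
# is not the SEQUENCE tag (0x30), hence "ASN1_CHECK_TLEN ... wrong tag".
PEM_CSR_RE = re.compile(
    rb"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    rb"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.DOTALL)

def der_length(buf, offset):
    """Decode the DER length field at buf[offset]; return (length, bytes_used)."""
    first = buf[offset]
    if first < 0x80:                       # short form: one byte
        return first, 1
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or offset + 1 + n > len(buf):
        raise ValueError("invalid DER length encoding")
    return int.from_bytes(buf[offset + 1:offset + 1 + n], "big"), 1 + n

def is_der_sequence(buf):
    """True if buf is exactly one DER SEQUENCE, as a CSR or certificate must be."""
    if len(buf) < 2 or buf[0] != 0x30:
        return False
    try:
        length, used = der_length(buf, 1)
    except ValueError:
        return False
    return 1 + used + length == len(buf)

def csr_encoding(data):
    """Classify CSR file contents as 'der', 'pem' or 'unknown'."""
    if is_der_sequence(data):
        return "der"
    return "pem" if PEM_CSR_RE.search(data) else "unknown"

def csr_to_der(data):
    """Return DER bytes for a CSR supplied in either PEM or DER form."""
    kind = csr_encoding(data)
    if kind == "der":
        return data
    if kind != "pem":
        raise ValueError("input is neither a DER nor a PEM certificate request")
    der = base64.b64decode(b"".join(PEM_CSR_RE.search(data).group(1).split()))
    if not is_der_sequence(der):
        raise ValueError("PEM body does not decode to a single DER SEQUENCE")
    return der

# Constructed sample: a minimal DER SEQUENCE standing in for a real CSR.
SAMPLE_DER = b"\x30\x05\x02\x01\x01\x05\x00"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE REQUEST-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE REQUEST-----\n")
```

Run csr_to_der over the file before passing it to --csr; a real CSR still needs its subjectAltName checked with openssl req -text, which this encoding check does not do.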

kuba (Author) commented Jun 30, 2015

Sorry, you actually won't see the help :( certbot/certbot#577

diafygi (Owner) commented Jun 30, 2015

Woo! Got it!

$ openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -outform DER -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:daylightpirates.org,DNS:www.daylightpirates.org")) > ~/Desktop/domain.csr

$ openssl req -text -noout -inform DER -in domain.csr 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:daylightpirates.org, DNS:www.daylightpirates.org
    Signature Algorithm: sha256WithRSAEncryption


$ ./venv/bin/letsencrypt --debug --agree-eula --email diafygi@gmail.com --text --no-simple-http-tls --authenticator manual --work-dir /tmp/work/ --config-dir /tmp/config/ --logs-dir /tmp/logs/ auth --cert-path /tmp/certs/ --chain-path /tmp/chains/ --csr ~/Desktop/domain.csr

...<followed instructions>...

$ openssl x509 -text -in /tmp/certs/0000_ -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:00:00:00:00:00:01:20:37:30:9d:56:0a:ed:ea:92
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=happy hacker fake CA
        Validity
            Not Before: Jun 30 16:55:00 2015 GMT
            Not After : Sep 28 16:55:00 2015 GMT
        Subject: CN=daylightpirates.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                68:31:B1:F9:95:2D:C4:85:A4:EA:FA:B8:F1:B3:9B:97:ED:7A:A4:27
            X509v3 Authority Key Identifier: 
                keyid:FB:78:4F:12:F9:60:15:83:2C:9F:17:7F:34:19:B3:2E:36:EA:41:89

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x1.letsencrypt.org
                CA Issuers - URI:http://cert.int-x1.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:daylightpirates.org, DNS:www.daylightpirates.org
            X509v3 Certificate Policies: 
                0...0...g.....07..+..........0(0&..+.........http://cps.letsencrypt.org0....+..........0..0....+..........This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/documents/
    Signature Algorithm: sha256WithRSAEncryption

diafygi (Owner) commented Jun 30, 2015

Will work on writing an update to give instructions on how to do this.

kuba (Author) commented Jun 30, 2015

It would be great to have it in the official client docs (https://github.com/letsencrypt/letsencrypt/tree/master/docs) :). Also, you might find our generate-csr.sh script handy.

diafygi (Owner) commented Nov 5, 2015

@kuba to clarify, does the manual authenticator still need to access your private keys?

kuba (Author) commented Nov 6, 2015

Since certbot/certbot#504 (June 25), the client does not need access to certificate keys.

diafygi (Owner) commented Nov 6, 2015

Gotcha, ok, so it still needs access to the account private keys?

pcoutin commented Nov 10, 2015

This still has fewer dependencies, no?
On Debian 7, with the "encryption" python package, doing import OpenSSL breaks with ImportError: /home/../.local/share/letsencrypt/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: undefined symbol: SSL_CTX_set_alpn_protos, making letsencrypt unusable.

abl commented Nov 14, 2015

letsencrypt-nosudo is also really nice on FreeBSD shared hosting.

101100 (Contributor) commented Nov 17, 2015

The simplicity of this script makes it a great tool to try out Let's Encrypt with less hassle (no wonky virtualenv that slows down executing the script every time), while also providing a very clear picture of how the process works for people who are more curious about it.

kuba (Author) commented Nov 17, 2015

FTR, you might all like https://github.com/kuba/simp_le :)
