Skip to content
/ letsencrypt-certificates Public

install Let's Encrypt CA certificates in /etc/grid-security/certificates

License

Apache-2.0 license
1 star 7 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cilogon/letsencrypt-certificates

BranchesTags

Repository files navigation

letsencrypt-certificates

You get user certificates from CILogon but you also need host certificates. You looked over the list of IGTF CAs but they don't meet your needs. Why not use the Let's Encrypt CA? How do you set up /etc/grid-security?

Getting your host certificate

Follow the Let's Encrypt Getting Started guide.

For example:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt/
./letsencrypt-auto --debug certonly --standalone --email [email protected] -d example.org
# cert in /etc/letsencrypt
# then before it expires...
./letsencrypt-auto renew

Setting up /etc/grid-security/host*.pem

ln -s /etc/letsencrypt/live/*/cert.pem /etc/grid-security/hostcert.pem
ln -s /etc/letsencrypt/live/*/privkey.pem /etc/grid-security/hostkey.pem
chmod 0600 /etc/letsencrypt/archive/*/privkey*.pem # ugh!

Setting up /etc/grid-security/certificates

git clone https://github.com/cilogon/letsencrypt-certificates.git
cd letsencrypt-certificates/
make check
sudo make install

Caveats

Like other Internet CAs and unlike IGTF CAs, Let's Encrypt issues end entity certificates with subject DNs outside a controlled namespace (i.e., "/CN=*"), so the signing_policy file is not enforcing a strong namespace restriction.

Let's Encrypt does not issue CRLs for end-entity certificates (see the Certification Practice Statement).

Make sure to have a process in place to renew your certificates (e.g., Certbot).

Troubleshooting

# hostname
example.org
# grid-proxy-init -debug -verify -cert /etc/grid-security/hostcert.pem -key /etc/grid-security/hostkey.pem -hours 1 -out /tmp/hostcerttest
 
User Cert File: /etc/grid-security/hostcert.pem
User Key File: /etc/grid-security/hostkey.pem
 
Trusted CA Cert Dir: /etc/grid-security/certificates
 
Output File: /tmp/hostcerttest
Your identity: /CN=example.org
Creating proxy ......++++++
.....++++++
Done
Proxy Verify OK
# openssl verify -CApath /etc/grid-security/certificates /etc/grid-security/hostcert.pem 
/etc/grid-security/hostcert.pem: OK
# if [ "`openssl x509 -in /etc/grid-security/hostcert.pem -noout -modulus`" = "`openssl rsa -in /etc/grid-security/hostkey.pem -noout -modulus`" ]; then echo "Match"; else echo "Different"; fi
Match
# openssl x509 -subject -noout -in /etc/grid-security/hostcert.pem 
subject= /CN=example.org

About

install Let's Encrypt CA certificates in /etc/grid-security/certificates

Topics

letsencrypt grid openssl certificates

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

1 star

Watchers

5 watching

Forks

7 forks
Report repository

Releases 7

v0.6.0 Latest
Mar 16, 2022
+ 6 releases

Contributors 4

  •  
  •  
  •  
  •  

Languages