Draft: Install Let's Encrypt Root CA on Precise Light
Posted: Fri 07 Feb 2020, 07:10
Background: a bunch of unsubstantiated claims by me
In newer versions of Linux you probably already have all the certificate authorities you need installed. Precise and related puppies are older, and at the time Precise was made the "Let's Encrypt" certificate authority didn't exist (to verify). If I look in:
Code:
/etc/ca-certificates.conf
I see:
Code:
Automatically generated by ca-certificates-20130610-1
but if this file hasn't been updated since 2013 (need to verify) then it is likely missing newer certificate authorities, or is using the wrong version of the root certificate for a given certificate authority. I believe that the files for a certificate authority expire, and when a new one is created it gets a new file name. As a consequence the file for the certificate authority listed might be outdated (even if it hasn't necessarily expired yet).
Self-Signed and Cross-Signed Certs for Let's Encrypt
For a Linux process (e.g. wget) to accept an SSL certificate, you must either explicitly trust the certificate itself or trust a certificate higher up in the trust chain. Usually you explicitly trust the certificates at the top of the trust chain. These are called certificate authorities. You can create your own by self-signing a certificate and configuring a given tool to accept this certificate.
The root certificate for Let's Encrypt is ISRG Root X1 (self-signed). Let's Encrypt has an intermediate certificate that is cross-signed by both "Let's Encrypt" and IdenTrust. If you trust either the root certificate of "Let's Encrypt" or the root certificate of "IdenTrust", then by the way trust propagates in SSL you will trust all certificates signed by either this intermediate certificate or a certificate further down in the chain of trust. Certificates further down in the chain of trust have a more limited scope of what kind of signed content will be trusted (e.g. a subdomain).
In summary, if you want an application to trust a certificate issued by "Let's Encrypt" then you have the option of adding either "Let's Encrypt's" certificate authority or "IdenTrust's" certificate authority. I recommend adding both.
Adding IdenTrust's Certificate Authority
Download IdenTrust's root certificate file acesca2_0_0.p7b. Then convert this file to a .crt file (see https://stackoverflow.com/q/47396257):
Code:
openssl pkcs7 -print_certs -inform der -in acesca2_0_0.p7b -out acesca2_0_0.crt
Copy the .crt file to /usr/share/ca-certificates (or a subfolder). For instance, the certificates accepted by Firefox are in the subfolder mozilla. The relative path of the certificate within the ca-certificates folder must be put into:
/etc/ca-certificates.conf
Per the manpage:
http://manpages.ubuntu.com/manpages/pre ... tes.8.html
update-ca-certificates is a program that updates the directory /etc/ssl/certs to hold SSL certificates and generates certificates.crt, a concatenated single-file list of certificates.
It reads the file /etc/ca-certificates.conf. Each line gives a pathname of a CA certificate under /usr/share/ca-certificates that should be trusted. Lines that begin with "#" are comment lines and thus ignored. Lines that begin with "!" are deselected, causing the deactivation of the CA certificate in question.
Anyway, once the relative path to the cert has been copied into ca-certificates.conf, run the command:
Code:
update-ca-certificates
Adding the root CA for Let's Encrypt
You add the root certificate for Let's Encrypt (i.e. isrgrootx1.pem.txt from https://letsencrypt.org/certs/isrgrootx1.pem.txt) the same way as you did above for IdenTrust, except that the conversion command is slightly different.
I think you can remove the .txt extension when you save the root certificate (i.e. save isrgrootx1.pem.txt as isrgrootx1.pem), in which case it can be converted as follows:
Code:
openssl x509 -in isrgrootx1.pem -out isrgrootx1.crt
(Keep the default PEM output here: update-ca-certificates concatenates the files under /usr/share/ca-certificates into /etc/ssl/certs/ca-certificates.crt, so a DER-encoded .crt would not work there.)
https://stackoverflow.com/questions/137 ... rt-and-key
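As an added example (my own script, not something from the original post), here is a POSIX shell version of the copy, enable and update-ca-certificates steps described above, usable for both the IdenTrust and the Let's Encrypt root. It refuses a file that is not PEM, compares the root's SHA-256 fingerprint with a value you obtained out of band before trusting it, and re-activates an entry that was deselected with a leading "!" as the manpage describes. CA_DIR, CA_CONF, enable_ca_entry and install_ca are names I chose; the expected fingerprint argument is a placeholder you supply.

```shell
#!/bin/sh
# Added example, not from the original post: install a PEM root CA the way
# update-ca-certificates expects it and enable it in ca-certificates.conf.
# CA_DIR/CA_CONF default to the system paths; override them to dry-run elsewhere.
CA_DIR="${CA_DIR:-/usr/share/ca-certificates}"
CA_CONF="${CA_CONF:-/etc/ca-certificates.conf}"

# enable_ca_entry RELPATH: make sure RELPATH (relative to $CA_DIR) is listed
# in $CA_CONF and not deselected with a leading "!" (see the manpage above).
# Idempotent; prints how many active lines name RELPATH afterwards (always 1).
enable_ca_entry() {
    rel="$1"
    if grep -qxF "$rel" "$CA_CONF"; then
        :                                       # already active, nothing to do
    elif grep -qxF "!$rel" "$CA_CONF"; then
        sed -i "s|^!$rel\$|$rel|" "$CA_CONF"    # re-activate a deselected entry
    else
        printf '%s\n' "$rel" >> "$CA_CONF"      # append a new entry
    fi
    grep -cxF "$rel" "$CA_CONF"
}

# install_ca PEMFILE SUBDIR EXPECTED_SHA256: copy the root into $CA_DIR/SUBDIR
# only if it is PEM and its SHA-256 fingerprint matches the value you obtained
# out of band (EXPECTED_SHA256 is a placeholder; the post gives no fingerprint).
install_ca() {
    pem="$1"; sub="$2"; want="$3"
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "not PEM: $pem" >&2; return 1; }
    got=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | sed 's/^.*=//')
    [ "$got" = "$want" ] || { echo "fingerprint mismatch: $got" >&2; return 1; }
    mkdir -p "$CA_DIR/$sub"
    cp "$pem" "$CA_DIR/$sub/$(basename "$pem")"
    enable_ca_entry "$sub/$(basename "$pem")" >/dev/null
    update-ca-certificates                      # rebuilds /etc/ssl/certs
}
```

Run it as root, e.g. install_ca isrgrootx1.crt isrg <sha256-fingerprint>; afterwards a wget of a site with a Let's Encrypt certificate confirms the chain validates.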