# certtool use



## lucas1 (Jan 4, 2021)

Good day.

I created a file with a certificate request through openssl.
How do I send this file through certtool to a specific CA?
For example, to Let's Encrypt.


----------



## SirDice (Jan 4, 2021)

lucas1 said:


> How through certtool send this file to specific CA?


You don't.



lucas1 said:


> How through certtool send this file to specific CA?
> Example to Let's Encrypt.


That's not how Let's Encrypt works.


----------



## lucas1 (Jan 4, 2021)

How do I create a NOT self-signed certificate, signed by some free CA?


----------



## SirDice (Jan 4, 2021)

lucas1 said:


> How do I create a NOT self-signed certificate, signed by some free CA?


You send a certificate request to a party that can sign them. You typically upload those on some web interface they have.

If you want to use Let's Encrypt use a tool like security/py-certbot or security/acme.sh.







----------



## lucas1 (Jan 4, 2021)

Thank you.
I installed it from the package py37-certbot.

Building from ports did not work:

```
not found and is required by Sphinx
*** Error code 1
```

I will try further.


----------



## ralphbsz (Jan 4, 2021)

The py37-certbot version that is installed from packages works fine. I use it all the time.


----------



## lucas1 (Jan 5, 2021)

Certbot still fails with an error:

```
DNS problem: NXDOMAIN looking up A
```


----------



## lucas1 (Jan 5, 2021)

```
certbot certonly --standalone -d trains.mydomain.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for trains.mydomain.com
Waiting for verification...
Challenge failed for domain trains.mydomain.com
http-01 challenge for trains.mydomain.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: trains.mydomain.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for trains.mydomain.com
   - check that a DNS record exists for this domain
```

Not very clear.
1. Is it necessary to forward port 443 to the computer with FreeBSD? Is there no way without it?
2. Create a record of type A on the local DNS server? Or can that be skipped?
3. Could the command line be wrong? If you can, please give your examples.


----------



## SirDice (Jan 5, 2021)

Are you trying to get a certificate for a *real* domain? You need one for a real certificate, a certificate for a bogus non-existing domain can't be checked by a certificate authority (like Letsencrypt, or Verisign, or one of the many others). If you want SSL for some internally used domain then you can only use self-signed certificates. Or figure out some way they can _verify_ you are the owner of said domain. That's the whole point of SSL, it _verifies_ you are who you say you are. If they'd just accept bogus requests what would stop me from getting a certificate for the google.com domain for example?



lucas1 said:


> Not very clear.
> 1. Is it necessary to forward port 443 to the computer with FreeBSD? Is there no way without it?
> 2. Create a record of type A on the local DNS server? Or can that be skipped?


They need to somehow _verify_ you are the actual owner of the domain you're requesting a certificate for. They can do this in various ways, either by an HTTP challenge response or via a DNS challenge response.

Let's start at the beginning, what exactly are you trying to do? What are you generating SSL certificates for?


----------



## lucas1 (Jan 5, 2021)

Thanks for the explanation.
I want to get certificates for a mail server, for a mail subdomain of a real domain.
But the mail subdomain is located on another mail server in the local network.


----------



## SirDice (Jan 5, 2021)

lucas1 said:


> I want to get certificates for a mail server, for a mail subdomain of a real domain.


So you need something like mail.mydomain.com (with mydomain.com being the actual domain you manage) for the mail server? Or is it mail.subdomain.mydomain.com? 

In either case, do you have control over the DNS for mydomain.com or subdomain.mydomain.com? In other words, can you create DNS records in those domains? If you can then try the DNS challenge-response. They will give you a specific name or number record to add to that domain. If they can query that name/number that's the verification.

Or, do you have a web server running on mail.mydomain.com or mail.subdomain.mydomain.com? People often run their web mail on the same server for example. Then doing the http-01 challenge-response might be easier. In that case you need to set up a /.well-known/acme-challenge directory on that web server and use the `--webroot` option. Certbot will write a random looking file there and Letsencrypt checks if that file exists by accessing the website. 

If you have neither of those things you can run certbot in the 'standalone' mode. It will, temporarily, create the webserver on its own, you do need to allow access from the internet as that's how Letsencrypt does the verification.

I personally use the http-01 challenge-response as that was the easiest to set up for me. I already had an HAProxy up and running so it was fairly easy to add that /.well-known/acme-challenge directory to it and redirect it to a local webserver. I should probably write this down some day, it would make a nice how-to.

Really, just follow the instructions: https://certbot.eff.org/instructions
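An added pre-flight check (my example, not code from the thread or from certbot) that replays the http-01 steps described above and reports the two failures seen in this thread, a name with no public A record and an unreachable port 80, before certbot is run; the domain, token, key authorization and addresses are constructed, and the resolver and fetcher are injectable so the demo runs offline.

```python
import ipaddress
import socket
import urllib.request
from dataclasses import dataclass

ACME_PATH = "/.well-known/acme-challenge/"

@dataclass
class Preflight:
    domain: str
    ok: bool
    reason: str

def http_get(url, timeout=10):
    """Fetch a URL over plain HTTP on port 80, as the CA's validator does."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()

def check_http01(domain, token, key_auth, resolve=socket.gethostbyname, fetch=http_get):
    """Replay the steps an http-01 validator takes before certbot is run.
    resolve/fetch are injectable so the check can be exercised offline."""
    # 1. Public DNS must answer with an A record; this is the "NXDOMAIN looking up A" failure.
    try:
        addr = resolve(domain)
    except OSError:
        return Preflight(domain, False, "NXDOMAIN: no public A record; a record in a local zone is not enough")
    # 2. The CA connects from the internet, so a non-routable address can never be validated.
    if not ipaddress.ip_address(addr).is_global:
        return Preflight(domain, False, f"{addr} is not globally routable: point the name at the public IP forwarded here")
    # 3. The validator fetches http://<domain>/.well-known/acme-challenge/<token> over TCP/80.
    try:
        body = fetch(f"http://{domain}{ACME_PATH}{token}")
    except OSError as exc:
        return Preflight(domain, False, f"port 80 unreachable ({exc}): forward TCP/80 to this host")
    # 4. The body must equal the key authorization (token.thumbprint) certbot wrote for this token.
    if body.strip() != key_auth:
        return Preflight(domain, False, "challenge file served but its content does not match the key authorization")
    return Preflight(domain, True, "http-01 preflight passed")

def demo():
    """Constructed scenarios mirroring the thread's failures; no network is used."""
    token, key_auth = "constructed-token", "constructed-token.constructed-thumbprint"
    def nxdomain(_): raise socket.gaierror("NXDOMAIN")
    def private(_): return "192.168.1.10"      # constructed LAN address
    def public(_): return "11.22.33.44"        # constructed public address
    def refused(_): raise ConnectionRefusedError("connection refused")
    def served(_): return key_auth + "\n"
    return [check_http01("trains.example.com", token, key_auth, resolve=nxdomain),
            check_http01("trains.example.com", token, key_auth, resolve=private),
            check_http01("trains.example.com", token, key_auth, resolve=public, fetch=refused),
            check_http01("trains.example.com", token, key_auth, resolve=public, fetch=served)]
```

Calling `check_http01` with the defaults performs the real lookup and fetch against the name you are about to request a certificate for.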


----------



## lucas1 (Jan 5, 2021)

1. So you need something like mail.mydomain.com (with mydomain.com being the actual domain you manage) - Yes, that's exactly how it is.

2. Either case, do you have control over the DNS for mydomain.com - Yes, my immediate superior manages it.

3. A web server is not running on mail.mydomain.com.

4. For now I will try certbot in 'standalone' mode with the http-01 challenge-response - the most suitable option.

Thank you.
After your explanation, a lot has become clear.
I will try further.


----------



## ralphbsz (Jan 6, 2021)

Just one minor suggestion: When you are telling us what you are setting up, don't use "mydomain.com", but "example.com". That name is actually reserved for use as ... drumroll ... an example!

Good luck. If you can use the http challenge verification, it is the easiest to do, and the one that is easiest to automate, so try to get a web server set up on mail.example.com. Doing it via DNS is feasible (I do it at home), but much more work, error prone, and tedious. In particular since certbot will sometimes crash if you take a long time to set up your DNS, and then you have to start ... FROM SCRATCH with new DNS setup. If you fail 3 or 4 times in a row, it is painful. I know of what I speak ... the problem of learning from one's mistakes is that you have to make the mistakes first.


----------



## lucas1 (Jan 6, 2021)

mydomain - it was me who replaced the real second level domain name in the command line output of certbot.

No, it does not work.

The errors are the same:

```
http-01 challenge for trains.mydomain.com
Waiting for verification...
Challenge failed for domain trains.mydomain.com
http-01 challenge for trains.mydomain.com
Cleaning up challenges
Some challenges have failed.
```

Opened ports 443 and 80 from outside.

It is impossible to check the availability of the port on the computer with FreeBSD - after all, certbot just ends its work.


----------



## diizzy (Jan 6, 2021)

A bit late now but lego in ports is also a very nice client.


----------



## SirDice (Jan 6, 2021)

lucas1 said:


> trains.mydomain.com


Does this actually resolve to the IP address of this machine? Verify with a command like drill(1): `drill myserver.example.com`



lucas1 said:


> Opened ports outside 443, 80.


I assume this server is part of a bigger infrastructure, are you sure there isn't another firewall further upstream? Have the ports been forwarded there too?


----------



## lucas1 (Jan 6, 2021)

Everything worked out.
Received certificates.

```
Waiting for verification...
Cleaning up challenges
```

A port forward for port 80 was needed.
Yes, I added a record of type A to the local DNS zone for myserver.example.com.
This is the FQDN of the mail domain; the hostname of the computer with FreeBSD is different.

This is for nslookup and dig:

```
pkg install bind-tools
```

Thank you very much.


----------



## SirDice (Jan 6, 2021)

lucas1 said:


> This is for nslookup and dig.


drill(1) is a replacement for dig(1). You don't need to install anything for that, it's part of the base OS.

Anyway, good to hear it finally worked.


----------

