How does the process of installing a letsencrypt.org certificate on Apache servers on Linux work?


7

I really liked the idea of using the certificate from letsencrypt.org. I found several tutorials on the internet, including the one from Digital Ocean.

All the steps worked correctly, but since I don’t know much English, I would like more details about these steps. Among my questions are:

  • Where are the certificates obtained?
  • Why is it necessary to insert an e-mail?
  • What’s the difference between chain.pem and fullchain.pem?

My goal is to gain a deeper understanding of this process.

  • Wallace, you managed to install it, but would you like to understand more about the installation process?

  • @Williampereira I would like to understand more about what is being done between the lines. I know, for example, that the cert-auto does the whole automated process for Apache, but where does it get the certificates from? Why do I have to put in an email? What is the difference between the chain.pem and the fullchain.pem?

  • I understand. I will study its installation process (I already use the service) to give a good answer on the subject.

  • Wallace, I’ve improved the question a little bit to focus on your goal which is to know how the installation process works and I’ve put the questions you’ve commented on here, if you don’t mind.

  • Wallace, I put together a step-by-step guide a while ago for setting up Apache with the certificate. I can’t transcribe it into an answer yet, but I hope it will help. http://www.andremesquita.com/tenha-seu-site-wordpress-com-ssl-gratuitamente/

1 answer

1

Here we go:

How certificates are generated

Let’s Encrypt has a Certification Authority (CA) that signs the certificates generated by the agents installed on the machines being validated. This CA is trusted by all other CAs and this is what ensures the validity of the certificate.

Before issuing the certificate, Let’s Encrypt validates that control of the host, and also the host keys, actually belong to the person or service ordering the certificate, through a number of challenges that I will not describe here to keep the answer succinct.

Once the keys are validated, LE sends a request to the CA and asks for certificate validation using the RSA keys that have been validated, and that certificate is stored on the machine.

Why it is necessary to insert an e-mail

The email is only necessary for LE to send you a notification when the certificates are expiring. Remember that, as the certificates are free, their validity is only 3 months, and you cannot validate them ahead of time, only when the certificate is within a certain number of days of expiring.

So when your certificates are about to expire, they send you an email warning.

Chain and Fullchain

The file chain.pem is the chain of trust of certificates leading up to your certificate.

The fullchain.pem is only the concatenation of your certificate with the file chain.pem.

I hope it was enlightening! If you want to know more, LE has a page that describes in detail how the system works: https://letsencrypt.org/how-it-works/
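An added example (not part of the original answer) that checks the relationship described under "Chain and Fullchain": fullchain.pem should be the server certificate followed by the contents of chain.pem. It assumes Certbot's cert.pem as the name of the server certificate file, and the PEM blocks below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate block, in file order."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def check_fullchain(cert_pem, chain_pem, fullchain_pem):
    """Return a list of problems; empty means fullchain = cert + chain."""
    cert, chain, full = map(pem_fingerprints,
                            (cert_pem, chain_pem, fullchain_pem))
    problems = []
    if len(cert) != 1:
        problems.append("cert.pem should hold exactly one certificate")
    if not chain:
        problems.append("chain.pem holds no intermediate certificate")
    if full[:1] != cert[:1]:
        problems.append("fullchain.pem does not start with the server certificate")
    if full[1:] != chain:
        problems.append("fullchain.pem intermediates differ from chain.pem")
    return problems

def _fake_pem(label):
    # Constructed placeholder bytes in PEM armor, NOT a real X.509 certificate.
    body = base64.b64encode(label.encode() * 8).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

LEAF = _fake_pem("constructed-leaf")
INTERMEDIATE = _fake_pem("constructed-intermediate")

if __name__ == "__main__":
    # Correct layout: server certificate first, then the chain.
    print(check_fullchain(LEAF, INTERMEDIATE, LEAF + INTERMEDIATE))
    # Common mistake: a "fullchain" that lacks the intermediate, so clients
    # that do not already have it cannot build the chain of trust.
    print(check_fullchain(LEAF, INTERMEDIATE, LEAF))
```

To run it against real files, read the three files from the certificate directory and pass their text to `check_fullchain`.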
