Jay,
I have multiple LetsEncrypt certs being served by the Apache server on I
and managed by DCM. It's still a mostly manual process although the
latest release of the OS has some updates that may make automation
easier. The basic steps I use are:
Create a CSR with DCM (I STILL use the CSRs I created years ago for
LetsEncrypt)
I am a Java guy so I installed the ACME client found here:
https://github.com/porunov/acme_client and then I follow these steps
(this uses the DNS01 approach so you need access to your DNS records):
[acme_client.jar is the jar from the github site]
// Register - one time only
java -jar acme_client.jar --command register \
    -a <folder/file containing your le account key> \
    --with-agreement-update --email <your@xxxxxxxxxxxxxxxx>

// Order Certificate
java -jar acme_client.jar --command order-certificate \
    -a <folder/file containing your le account key> \
    -w <working folder: /etc/pjac/workdir> \
    -c <folder/file with csr> \
    --challenge-type DNS01 \
    --dns-digests-dir <digests folder:/etc/pjac/digests>

//
At this point you need to copy the

// Verify domains
java -jar acme_client.jar --command verify-domains \
    -a <folder/file containing your le account key> \
    -w <working folder: /etc/pjac/workdir> \
    -c <folder/file with csr> \
    --challenge-type DNS01

// Generate Certificate
java -jar acme_client.jar --command generate-certificate \
    -a <folder/file containing your le account key> \
    -w <working folder: /etc/pjac/workdir> \
    --csr <folder/file with csr> \
    --cert-dir <certificate folder to store certificate: /etc/pjac/certdir>

// Re-download certificates if needed
java -jar acme_client.jar --command download-certificates \
    -a <folder/file containing your le account key> \
    -w <working folder: /etc/pjac/workdir> \
    --cert-dir <certificate folder to store certificate: /etc/pjac/certdir>

I have been doing this so long I forget what I had to do to initially
set up my account with letsencrypt. The instructions at the Github site
are pretty good and once you set it up it is very easy to renew. So,
once you set up the account and run the ACME client as above, all you
have to do is point DCM to where the certificate was stored and it will
import it and you are done.
My goal is to build this into an easy to use option that can be handled
without directly going into the DCM except to assign the certificate. But,
with the pandemic raging I have been busier than ever and I haven't had
the bandwidth to finish the work I started...mañana...always mañana....
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Twitter - Sys_i_Geek IBM_i_Geek
On 8/1/2020 2:26 PM, Jay Vaughn wrote:
Anyone ever use LetsEncrypt to apply a trusted ssl certificate to IBMi (Apache server)? I couldn’t quite determine correct software/system for certbot. Or is there a better method?
I’ve created a signed cert to apply to my server instance using IBM DCM, but it’s not a trusted CA. This is creating a server authentication issue with my external web app trying to make http requests to the IBMi.
Tia
Jay
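
For the DNS01 step mentioned in the message above: an added example (not part of the original thread and not code from the acme_client project) that computes the TXT record value a DNS-01 challenge expects, as RFC 8555 section 8.4 and RFC 7638 define it, and checks it against the answers a DNS lookup returned before verify-domains is run. The account JWK, token and domain are constructed sample values, and nothing here assumes the layout of the files acme_client writes to its digests folder.

```python
import base64
import hashlib
import json

def b64url_sha256(data: bytes) -> str:
    """SHA-256, then unpadded base64url, the encoding ACME (RFC 8555) uses."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 thumbprint input: required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required},
                      sort_keys=True, separators=(",", ":"))

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record content for a DNS-01 challenge (RFC 8555 section 8.4)."""
    thumbprint = b64url_sha256(canonical_jwk(account_jwk).encode("utf-8"))
    key_authorization = f"{token}.{thumbprint}"
    return b64url_sha256(key_authorization.encode("ascii"))

def record_name(domain: str) -> str:
    """Challenge record name; a wildcard name is validated at its base domain."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".")

def is_published(expected: str, txt_answers: list) -> bool:
    """True if any TXT answer (e.g. lines of `dig +short TXT <name>`) matches.

    Resolvers print TXT data in double quotes, and a stale value from an
    earlier order may still be present next to the current one.
    """
    cleaned = (a.strip().strip('"') for a in txt_answers)
    return any(a == expected for a in cleaned)

if __name__ == "__main__":
    # Constructed sample values, not a real account key or CA-issued token.
    jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus", "alg": "RS256"}
    token = "constructed-token-0123456789"
    value = dns01_txt_value(token, jwk)
    print(record_name("*.example.com"), "IN TXT", f'"{value}"')
    # Constructed lookup result: one stale record plus the current one.
    print(is_published(value, ['"stale-value"', f'"{value}"']))
```

Running the check before the verify step avoids burning a validation attempt on a record that has not propagated yet or still carries an old value.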