× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. OPENSOURCE
  3. August 2020

Re: [IBMiOSS] LetsEncrypt

Jay,

I have multiple LetsEncrypt certs being served by the Apache server on I and managed by DCM. It's still a mostly manual process although the latest release of the OS has some updates that may make automation easier.  The basic steps are use are:

Create a CSR with DCM (I STILL use the CSR's I created years ago for LetEncrypt)

I am a java guy so I installed the ACME client found here: https://github.com/porunov/acme_client and then I follow these steps (this uses the DNS01 approach so you need access to your DNS records):

[acme_client.jar is the jar from the github site]

// Register - one time only
java -jar acme_client.jar --command register -a <folder/file containing your le account key> --with-agreement-update --email <your@xxxxxxxxxxxxxxxx>

//Order Certificate
java -jar acme_client.jar --command order-certificate -a <folder/file containing your le account key> -w <working folder: /etc/pjac/workdir> -c <folder/file with csr> --challenge-type DNS01 --dns-digests-dir <digests folder:/etc/pjac/digests>

//

At this point you need to copy the // Verify domains
java -jar acme_client.jar --command verify-domains -a <folder/file containing your le account key> -w <working folder: /etc/pjac/workdir> -c <folder/file with csr> --challenge-type DNS01

//Generate Certificate
java -jar acme_client.jar --command generate-certificate -a <folder/file containing your le account key> -w <working folder: /etc/pjac/workdir> --csr <folder/file with csr> --cert-dir <certificate folder to store certificate: /etc/pjac/certdir>

Re-Download certificates if needed

java -jar acme_client.jar --command download-certificates -a <folder/file containing your le account key>  -w <working folder: /etc/pjac/workdir> --cert-dir <certificate folder to store certificate: /etc/pjac/certdir>

I have been doing this so long I forget what I had to do to initially set up my account with letsencrypt.  The instructions at the Github site are pretty good and once you set it up it is very easy to renew.  So, once you set up the account and run the ACME client as above, all you have to do is point DCM to where the certificate was stored and it will import it and you are done.

My goal is to build this into an easy to use option that can be handled with directly going into the DCM except to assign the certificate.  But, with the pandemic raging I have been buseir than ever and I haven't had the bandwidth to finish the work I started...mañana...always mañana....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Twitter - Sys_i_Geek IBM_i_Geek

On 8/1/2020 2:26 PM, Jay Vaughn wrote:
Anyone ever use LetsEncrypt to apply a trusted ssl certificate to IBMi (Apache server). I couldn’t quite determine correct software/system for certbot. Or is there a better method?

I’ve created a signed cert to apply to my server instance using IBM DCM, but it’s not a trusted CA. This Is creating a server authentication issue with my external web app trying to make http requests to the IBMi.

Tia
Jay

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.