Yes...I now have a couple of them operational and I am waiting on IBM to update the DCM API's so I can fully automate the update of them.

Basic steps are to:

Generate a User account Key for use with LetsEncrypt (one time step)

Register the User account with LetsEncrypt (one time step)

Generate a CSR from the DCM (generally only need this once)

Request a certificate and a DSN01 challenge

Verify the challenge

Generate the certificate and download it

I am a Java guy so I found a Java based ACME client here (  He posted some good instructions here ( You don't need to know Java, just have it installed on your PC/Laptop/Mac/Linux box.  I have a mapped network drive to the IFS where all the files live and I scripted everything so that I just reference those file locations when I run the Java commands.  I think I did this originally because either I didn't have Java 8 installed on my IBMi or there was an issue with the J9 JVM.  In any case I run the commands on my laptop....the plan is to package all of this into a script that runs on IBM i that I can run from a CL command.  Just waiting on IBM to update the DCM.  It's possible they have already and I have just been too lazy to ask.

In reality you could do it all on a PC but the last step for the DCM is to import the Certificate and I think it looks for the file in the IFS.  So all the files live there.  And, my plan is to eventually script everything to run there.

Below are the commands that run to create a certificate.  To renew, just skip the registration steps  (This is example uses the website and it uses a wildcard cert)

Your IFS locations may vary........

// CREATE a User account Key
openssl genrsa -out  z:/home/pete/certs/le_pub_key/le_account.key 2048

// REGISTER the CA User account. Only do this once

java -jar acme_client.jar --command register -a Z:/home/pete/certs/le_pub_key/le_account.key --with-agreement-update --email pete@xxxxxxxxxx

Generate the CSR from the DCM.  Save it to the IFS. (z:/home/pete/certs/csr/ossgarden.csr)

// REQUEST a certificate order and download DNS01 challenges (Once per domain)

java -jar acme_client.jar --command order-certificate -a z:/home/pete/certs/le_pub_key/le_account.key -w z:/etc/pjac/workdir -c z:/home/pete/certs/csr/ossgarden.csr --challenge-type DNS01 --dns-digests-dir z:/etc/pjac/digests/

// VERIFY the challenges for our csr:

java -jar acme_client.jar --command verify-domains -a z:/home/pete/certs/le_pub_key/le_account.key -w z:/etc/pjac/workdir/ -c z:/home/pete/certs/csr/ossgarden.csr --challenge-type DNS01

//GENERATE the certificate and download it:

java -jar acme_client.jar --command generate-certificate -a z:/home/pete/certs/le_pub_key/le_account.key -w z:/etc/pjac/workdir/ --csr z:/home/pete/certs/csr/ossgarden.csr --cert-dir z:/etc/pjac/certdir

It's just three step for a renewal (four, if you count the DCM side where you have to update the certificate when done manually, but the goal is to script the thing and run it in PASE and have it scheduled to run every couple of weeks.  But I can't do it until the API's are there for the DCM

Right now I get a notice from LE that the cert is expiring and just run those steps and I am done.

Pete Helgren
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 10/5/2018 11:26 AM, Steve Richter wrote:
has anyone used Let's Encrypt to create a trusted SSL certification on the
IBM i ?

The first step in to install the Certbot ACME client.

I am selecting software Apache and system: other UNIX.

running the steps to install the software, I get an error:

qsh: 001-0078 Process ended by signal 5.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2020 by and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].