Yes...I now have a couple of them operational and I am waiting on IBM to
update the DCM APIs so I can fully automate the update of them.
Basic steps are to:
Generate a User account Key for use with LetsEncrypt (one time step)
Register the User account with LetsEncrypt (one time step)
Generate a CSR from the DCM (generally only need this once)
Request a certificate and a DNS01 challenge
Verify the challenge
Generate the certificate and download it
I am a Java guy so I found a Java based ACME client here
(https://github.com/porunov/acme_client). He posted some good
instructions here (https://github.com/porunov/acme_client/wiki/). You
don't need to know Java, just have it installed on your
PC/Laptop/Mac/Linux box. I have a mapped network drive to the IFS where
all the files live and I scripted everything so that I just reference
those file locations when I run the Java commands. I think I did this
originally because either I didn't have Java 8 installed on my IBM i or
there was an issue with the J9 JVM. In any case I run the commands on
my laptop....the plan is to package all of this into a script that runs
on IBM i that I can run from a CL command. Just waiting on IBM to
update the DCM. It's possible they have already and I have just been
too lazy to ask.
In reality you could do it all on a PC but the last step for the DCM is
to import the Certificate and I think it looks for the file in the IFS.
So all the files live there. And, my plan is to eventually script
everything to run there.
Below are the commands that run to create a certificate. To renew, just
skip the registration steps (This example uses the ossgarden.org
website and it uses a wildcard cert)
Your IFS locations may vary........
// CREATE a User account Key
openssl genrsa -out z:/home/pete/certs/le_pub_key/le_account.key 2048
// REGISTER the CA User account. Only do this once
java -jar acme_client.jar --command register -a z:/home/pete/certs/le_pub_key/le_account.key --with-agreement-update --email pete@xxxxxxxxxx
Generate the CSR from the DCM. Save it to the IFS.
(z:/home/pete/certs/csr/ossgarden.csr)
// REQUEST a certificate order and download DNS01 challenges (Once per domain)
java -jar acme_client.jar --command order-certificate -a z:/home/pete/certs/le_pub_key/le_account.key -w z:/etc/pjac/workdir -c z:/home/pete/certs/csr/ossgarden.csr --challenge-type DNS01 --dns-digests-dir z:/etc/pjac/digests/
// VERIFY the challenges for our csr:
java -jar acme_client.jar --command verify-domains -a z:/home/pete/certs/le_pub_key/le_account.key -w z:/etc/pjac/workdir/ -c z:/home/pete/certs/csr/ossgarden.csr --challenge-type DNS01
// GENERATE the certificate and download it:
java -jar acme_client.jar --command generate-certificate -a z:/home/pete/certs/le_pub_key/le_account.key -w z:/etc/pjac/workdir/ --csr z:/home/pete/certs/csr/ossgarden.csr --cert-dir z:/etc/pjac/certdir
It's just three steps for a renewal (four, if you count the DCM side
where you have to update the certificate when done manually), but the
goal is to script the thing and run it in PASE and have it scheduled to
run every couple of weeks. But I can't do it until the APIs are there
for the DCM.
Right now I get a notice from LE that the cert is expiring and just run
those steps and I am done.
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek
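An added example of what the scheduled renewal described above could look like in Python; this is not Pete's script and not part of acme_client. It chains the three renewal commands from the mail (registration skipped), checks how many days the current certificate has left before doing anything, and stops at the first failing step so a failed DNS01 verification never reaches generate-certificate. The IFS paths are the ones from the mail; the certificate file name, the 30-day threshold and the CFG/function names are assumptions.

```python
import subprocess
from datetime import datetime, timezone

# File layout from the mail, as PASE/IFS paths instead of the Z: mapped drive.
CFG = {
    "jar": "acme_client.jar",
    "account_key": "/home/pete/certs/le_pub_key/le_account.key",
    "workdir": "/etc/pjac/workdir/",
    "csr": "/home/pete/certs/csr/ossgarden.csr",
    "digests_dir": "/etc/pjac/digests/",
    "cert_dir": "/etc/pjac/certdir",
    "cert_file": "/etc/pjac/certdir/cert.pem",  # assumed name of the downloaded cert
}
RENEW_WHEN_DAYS_LEFT = 30  # assumed threshold: LE certs live 90 days

def parse_openssl_enddate(line):
    """Parse 'notAfter=Dec 31 23:59:59 2018 GMT' from 'openssl x509 -noout -enddate'."""
    value = line.strip().split("=", 1)[1]
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)

def days_until_expiry(not_after, now=None):
    return (not_after - (now or datetime.now(timezone.utc))).days

def renewal_steps(cfg):
    """The three acme_client commands for a renewal, in order; register is left out."""
    base = ["java", "-jar", cfg["jar"], "--command"]
    common = ["-a", cfg["account_key"], "-w", cfg["workdir"]]
    return [
        base + ["order-certificate"] + common + ["-c", cfg["csr"], "--challenge-type",
                "DNS01", "--dns-digests-dir", cfg["digests_dir"]],
        base + ["verify-domains"] + common + ["-c", cfg["csr"], "--challenge-type", "DNS01"],
        base + ["generate-certificate"] + common + ["--csr", cfg["csr"], "--cert-dir",
                cfg["cert_dir"]],
    ]

def renew_if_needed(cfg, days_left, run=subprocess.run):
    """Run the steps in order and stop at the first non-zero exit, so a failed
    DNS01 verification never reaches generate-certificate. The TXT records from
    digests_dir still have to be in DNS before verify-domains runs.
    Returns (status, names of the steps that ran)."""
    if days_left > RENEW_WHEN_DAYS_LEFT:
        return "skipped", []
    ran = []
    for argv in renewal_steps(cfg):
        ran.append(argv[4])  # the --command name
        if run(argv).returncode != 0:
            return "failed", ran
    return "ok", ran
```

Feed `parse_openssl_enddate` the line printed by `openssl x509 -noout -enddate -in <cert>` and pass the resulting day count to `renew_if_needed`; the `run` parameter exists so the sequence can be dry-run without Java or network access.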
On 10/5/2018 11:26 AM, Steve Richter wrote:
has anyone used Let's Encrypt to create a trusted SSL certification on the
IBM i ?
https://letsencrypt.org/getting-started/
The first step is to install the Certbot ACME client.
https://certbot.eff.org/
I am selecting software Apache and system: other UNIX.
Running the steps to install the software, I get an error:
wget https://dl.eff.org/certbot-auto
qsh: 001-0078 Process ended by signal 5.
$