From: "Peter Moylan"
To: eCS ISP Mailing List
Subject: Re: [eCS-ISP] Getting started with Let's Encrypt
Date: Tue, 10 Dec 2024 10:54:05 +1100
Message-ID: <6757831D.9060106@pmoylan.org>

On 07/12/24 16:42, Steven Levine wrote:

> To get started you need to create the c:\etc\ssl\uacme directory that
> uacme.exe expects to exist.
>
> Then you need to register yourself with Let's Encrypt using
>
> uacme -v new
>
> to create your production account.
> This will create
> c:\etc\ssl\uacme\private\key.pem - your account's private key.

Well, I can report partial success. It turns out that uacme wants a
number of DLLs that existed on my desktop computer but not on my server.
After copying those over, the "uacme -v new" worked, except for an error
message at the end.

> At this point, I believe you will not need a staging account. Staging
> accounts are intended for high volume certificate and tools testing and
> you should not need any of this.
>
> Once you are registered, create a script to issue your certificate. I
> recommend you edit a copy of
>
> issue_wwwmbopinion2.cmd
>
> changing the domain list to match the domain set for the certificate you
> want to create. IIRC, the first domain in the list will determine where
> uacme writes the cert and key files. The resulting script will be
> something like
>
> uacme -v -h uacme-hook.cmd issue www.pmoylan.org pmoylan.org ...

Here's the result of that "issue" operation:

[D:\APPS\UACME]uacme -v -h uacme-hook.cmd issue pmoylan.org www.pmoylan.org mail.pmoylan.org
uacme: version 1.2.4 starting on Tue, 10 Dec 2024 10:06:27
uacme: loading key from /@unixroot/etc/ssl/uacme/private/key.pem
uacme: loading key from /@unixroot/etc/ssl/uacme/private/pmoylan.org/key.pem
uacme: checking existence and expiration of /@unixroot/etc/ssl/uacme/pmoylan.org/cert.pem
uacme: /@unixroot/etc/ssl/uacme/pmoylan.org/cert.pem does not exist
uacme: fetching directory at https://acme-v02.api.letsencrypt.org/directory

A non-recoverable error occurred.
The process ended.

It looks as if the crash happened at the point of fetching something
from the letsencrypt.org web site. I've checked with Firefox that that
URL gives an apparently valid file.

I now have two key.pem files (and they look OK) but no certificate.
The only challenge in the .well-known\acme-challenge directory of my web
site is a couple of files left over from a test of two days ago (so I've
deleted those), so the process has not proceeded to the point of issuing
the challenge. I don't think that uacme-hook.cmd has yet been invoked,
but maybe I should insert some tracing code into that script to see
whether it started.

-- 
Peter Moylan    peter@pmoylan.org    http://www.pmoylan.org
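
The tracing idea raised at the end of the message, as an added example that is not part of the original message and is not the list's uacme-hook.cmd: a POSIX sh hook that logs every invocation before handling an http-01 challenge. It relies on uacme calling the hook with the arguments METHOD TYPE IDENT TOKEN AUTH; the two paths are placeholders, and the token check is an added hardening step.

```shell
#!/bin/sh
# Added example: tracing http-01 hook for uacme (not the list's uacme-hook.cmd).
# CHALLENGE_DIR and TRACE_LOG are placeholder paths; set them for your server.
CHALLENGE_DIR="${CHALLENGE_DIR:-/var/www/.well-known/acme-challenge}"
TRACE_LOG="${TRACE_LOG:-/tmp/uacme-hook.trace}"

trace() {
    # One line per event, so an empty log means uacme never ran the hook.
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$TRACE_LOG"
}

uacme_hook() {
    # uacme invokes the hook as: METHOD TYPE IDENT TOKEN AUTH
    method=$1 ctype=$2 ident=$3 token=$4 auth=$5
    trace "invoked: method=$method type=$ctype ident=$ident"

    # Decline anything but http-01; a non-zero return means "not accepted".
    if [ "$ctype" != "http-01" ]; then
        trace "declined: unsupported challenge type"
        return 1
    fi
    # The token becomes a file name: accept only the base64url alphabet.
    case $token in
        ''|*[!A-Za-z0-9_-]*)
            trace "declined: token has unexpected characters"
            return 1 ;;
    esac

    case $method in
        begin)
            mkdir -p "$CHALLENGE_DIR" || return 1
            printf '%s' "$auth" > "$CHALLENGE_DIR/$token" || return 1
            trace "wrote challenge file for $ident" ;;
        "done"|"failed")
            rm -f "$CHALLENGE_DIR/$token"
            trace "removed challenge file after $method" ;;
        *)
            trace "declined: unknown method"
            return 1 ;;
    esac
    return 0
}

# Act as a hook only when uacme supplies arguments.
if [ "$#" -gt 0 ]; then uacme_hook "$@"; exit $?; fi
```

An empty trace file after a failed run shows that the failure happened before uacme offered any challenge to the hook.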