Create pem certificate from LetsEncrypt


Visar Shehu
Feb 11, 2016, 6:45:06 PM
to kurento
Is it possible to create a .pem certificate file if the certificate authority is LetsEncrypt?

Anyone with experience in this regard? What is the procedure of generating a .pem file in this case?

Damien Fétis
Feb 12, 2016, 4:39:00 AM
to kur...@googlegroups.com
Hi Visar,

This LetsEncrypt command: ./letsencrypt-auto certonly --manual --debug
generates 4 pem files: chain.pem, cert.pem, privkey.pem and fullchain.pem.


For using it with a Spring Boot application like the Kurento Java tutorials,
you need to convert these pem files into JKS or pkcs12 format.

For JKS : https://docs.oracle.com/cd/E35976_01/server.740/es_admin/src/tadm_ssl_convert_pem_to_jks.html

For pkcs12 : openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root




2016-02-12 0:45 GMT+01:00 Visar Shehu <vsh...@gmail.com>:
Is it possible to create a .pem certificate file if the certificate authority is LetsEncrypt?

Anyone with experience in this regard? What is the procedure of generating a .pem file in this case?

--
You received this message because you are subscribed to the Google Groups "kurento" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kurento+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Visar Shehu
Feb 12, 2016, 4:51:57 PM
to kurento
Thank you very much for the answer. However, I need to use it for the javascript tutorial as in the following link:

Based on the documentation I need to:

$ cat signing-ca.crt subordinate-ca.crt server.crt > server.pem

For letsencrypt, is this file already available to me? Or should I create one?

Jason Earl
Feb 13, 2016, 7:56:06 PM
to kurento
It's called fullchain.pem in the folder where the certs are created (in fact if you open these files in a text editor you'll see this for yourself). Normally your certs will be in /etc/letsencrypt/live/your.domain.name - these files exist as symlinks that point into the archive folder, so you might want to copy the respective symlink targets from the /etc/letsencrypt/archive subfolder.

Obviously the private key is called privkey.pem. Those are normally the two files you use, in fact, for most apps in general (e.g. Apache / NGINX).

rjhcon...@gmail.com
Feb 18, 2016, 9:09:38 AM
to kurento
I had this issue with LetsEncrypt as well. I cat'd the fullcert.pem and privkey.pem together and copied them into the kurento config directory. It worked after that.

Visar Shehu
Feb 23, 2016, 7:31:35 PM
to kur...@googlegroups.com
I tried the suggestions. In my case the folder /etc/letsencrypt/DOMAIN has the following files:

cert1.pem  chain1.pem  fullchain1.pem  privkey1.pem

I concatenated cert1 and privkey1 into fullchain.pem

Then copied the file into /etc/kurento/

I changed the kurento.conf.json to have the following content:

{
  "mediaServer" : {
    "resources": {
    //  //Resources usage limit for raising an exception when an object creatio$
    //  "exceptionLimit": "0.8",
    //  // Resources usage limit for restarting the server when no objects are $
    //  "killLimit": "0.7",
        // Garbage collector period in seconds
        "garbageCollectorPeriod": 240
    },
    "net" : {
      "websocket": {
        "port": 8888,
        "secure": {
          "port": 8433,
          "certificate":"fullchain.pem",
          "password": ""
        },
       //"registrar": {
        //  "address": "ws://localhost:9090",
        //  "localAddress": "localhost"
        //},
        "path": "kurento",
        "threads": 10
      }
    }
  }
}
            

However, I still get the certificate error. In Chrome, if I try to access the webpage I will get the warning that I am accessing an insecure page and that "There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID)."

The same domain is secured with the same certificate. If I access the domain directly without the :8443 port, it shows that the certificates are valid. 





--
Visar Shehu

Richard James Hancock (Tex)
Feb 24, 2016, 12:32:38 AM
to kur...@googlegroups.com
fullchain and privkey are the ones to cat together, not cert and privkey, and place them within the conf directory of the file.

Kurento needs the 3 keys together.

Visar Shehu
Feb 24, 2016, 6:17:40 PM
to kur...@googlegroups.com
Still no luck. The certificate is still invalid, saying that it is being issued to Kurento (the default certificate).
So this is what I did:

 cat fullchain.pem privkey.pem > encryptkey.pem

Then copied all three files into /etc/kurento/

This is the content of this folder now:

-rw-r--r-- 1 root root 5192 Feb 25 00:09 encryptkey.pem
-rw-r--r-- 1 root root 3484 Feb  3 23:27 fullchain.old
-rw-r--r-- 1 root root 3484 Feb 24 09:02 fullchain.pem
-rw-r--r-- 1 root root  745 Feb 24 09:03 kurento.conf.json
-rw-r--r-- 1 root root  746 Feb 24 03:50 kurento.conf.json.save
-rw-r--r-- 1 root root  745 Feb 24 03:50 kurento.conf.json.save.1
drwxr-xr-x 3 root root 4096 Jan 30 22:50 modules
-rw-r--r-- 1 root root 1708 Feb 24 09:02 privkey.pem
-rw-r--r-- 1 root root  302 Jan 29 14:42 sdp_pattern.txt


And the content of kurento.conf.json is:

{
  "mediaServer" : {
    "resources": {
    //  //Resources usage limit for raising an exception when an object creatio$
    //  "exceptionLimit": "0.8",
    //  // Resources usage limit for restarting the server when no objects are $
    //  "killLimit": "0.7",
        // Garbage collector period in seconds
        "garbageCollectorPeriod": 240
    },
    "net" : {
      "websocket": {
        "port": 8888,
        "secure": {
          "port": 8433,
          "certificate":"encryptkey.pem",

Richard James Hancock (Tex)
Feb 24, 2016, 6:55:51 PM
to kur...@googlegroups.com
Sorry. I lied. In my renewal script, this is what I use.

cat cert.pem chain.pem privkey.pem > /etc/kurento/fullchain.pem

Visar Shehu
Feb 24, 2016, 7:08:24 PM
to kur...@googlegroups.com
Nope, same :(

In /etc/letsencrypt/archive/[domain_omitted]/ I have the following files:

-rw-r--r-- 1 root root 1809 Feb  3 21:32 cert1.pem
-rw-r--r-- 1 root root 1675 Feb  3 21:32 chain1.pem
-rw-r--r-- 1 root root 3484 Feb  3 21:32 fullchain1.pem
-rw-r--r-- 1 root root 1708 Feb  3 21:32 privkey1.pem

They all have a 1 after the filename. Might that be an indicator of something being wrong?

Richard James Hancock (Tex)
Feb 24, 2016, 7:09:53 PM
to kur...@googlegroups.com
Use the live directory and not the archive one. Live will be updated with the latest certs as they renew. Even though they are just links to the archived files, when you cat them, it’ll cat the actual file.

Visar Shehu
Feb 24, 2016, 7:31:40 PM
to kur...@googlegroups.com
I understand. I have also set up a renewal script that renews automatically.

Is it possible that the certificate is not recognized since it was created for the domain without the port number? I am using the certificate for the following domain:


and when using with kurento I use the secure port:



Richard James Hancock (Tex)
Feb 24, 2016, 8:36:26 PM
to kur...@googlegroups.com
Ports are specific to a machine and are how it talks to other machines. They have nothing to do with the cert itself.

And the 1 in the file name I believe is used for versioning of certs so that there is a history of them. Nothing more.

I don’t know what more I can do as the cat command I posted earlier works in my case. Other than ensuring you are doing them in that order and having the Kurento JSON file point to the full pem file, I’m not sure where the error would be.
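The procedure the thread converges on (cat cert.pem, chain.pem and privkey.pem from the live/ directory, in that order, and point kurento.conf.json at the result) as a small script. This is an added example, not code from the thread or from the Kurento project. It reads from a live/ directory so that cat follows the symlinks into archive/ as Richard describes, checks that the key file really is a key before writing anything, and makes the bundle owner-only because it contains the private key (the "ls -l" in the thread shows both privkey.pem and the bundle as 0644). It also includes a function that asks a running server which certificate it presents, which tells apart the default "Kurento" certificate from the Let's Encrypt one without a browser; since the config shown in the thread sets the secure port to 8433 while the browser test used :8443, the port is passed explicitly. Directory names, the bundle file name and the demo's placeholder PEM contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build the single PEM that Kurento's
# "net.websocket.secure.certificate" setting points at, in the order used in
# Richard's renewal script (cert.pem, chain.pem, privkey.pem), reading from the
# Let's Encrypt live/ directory so that cat follows the symlinks into archive/.
# Directory and file names below are assumptions; adjust them to your host.

# List the PEM block types in a file, one per line (for a correct bundle:
# CERTIFICATE, CERTIFICATE, PRIVATE KEY). Handy for checking what got written.
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# build_kurento_pem LIVE_DIR OUT_FILE
# Fails early if any input is missing or privkey.pem is not a private key, then
# writes the bundle and restricts it to the owner: the bundle carries the key,
# so the 0644 seen in the thread's "ls -l" is wider than it needs to be.
build_kurento_pem() {
    live_dir=$1
    out=$2
    for f in cert.pem chain.pem privkey.pem; do
        [ -r "$live_dir/$f" ] || { echo "missing $live_dir/$f" >&2; return 1; }
    done
    grep -q '^-----BEGIN .*PRIVATE KEY-----$' "$live_dir/privkey.pem" || {
        echo "$live_dir/privkey.pem does not hold a private key" >&2; return 1; }
    (umask 077 && cat "$live_dir/cert.pem" "$live_dir/chain.pem" "$live_dir/privkey.pem" > "$out") || return 1
    chmod 600 "$out"
}

# served_cert_summary HOST PORT
# Report which certificate a running Kurento actually serves on its secure
# websocket port, so a leftover default certificate is spotted without a
# browser. Needs network access and openssl; not exercised by the offline demo.
served_cert_summary() {
    host=$1
    port=$2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# Offline demo with constructed placeholder files laid out like
# /etc/letsencrypt/{archive,live}. The contents are not real certificates or keys.
demo_bundle() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/archive" "$tmp/live"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' > "$tmp/archive/cert1.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE' '-----END CERTIFICATE-----' > "$tmp/archive/chain1.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY' '-----END PRIVATE KEY-----' > "$tmp/archive/privkey1.pem"
    # live/ entries are symlinks into archive/, as on a real certbot host.
    for f in cert chain privkey; do
        ln -s "$tmp/archive/${f}1.pem" "$tmp/live/$f.pem"
    done
    build_kurento_pem "$tmp/live" "$tmp/bundle.pem" || return 1
    # Print "<block order>|<mode bits>", e.g. CERTIFICATE,CERTIFICATE,PRIVATE KEY,|-rw-------
    printf '%s|%s\n' "$(pem_block_order "$tmp/bundle.pem" | tr '\n' ',')" "$(ls -l "$tmp/bundle.pem" | cut -c1-10)"
    rm -rf "$tmp"
}

demo_bundle
```

On a real host the call would be build_kurento_pem /etc/letsencrypt/live/your.domain.name /etc/kurento/fullchain.pem from the renewal hook, followed by a restart of the media server; served_cert_summary your.domain.name 8433 then shows whether the subject and issuer are the Let's Encrypt ones or still the default certificate.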

Visar Shehu
Feb 25, 2016, 3:07:11 AM
to kur...@googlegroups.com
Your support was much appreciated. Hopefully I will find a solution.

I will try to set up a new virtual machine and see if I can configure SSL for Kurento there.