Archived view of nox.im › snippets › letsencrypt-pem-account-key-setup, captured on 2023-04-26 at 13:27:55.
Let's Encrypt needs an account key to prove control of our domains and to request the signed certificate. We register an email address for important announcements together with the account key, and we want to back the key up, since it is what lets us manage and revoke our certificates. From our local macOS machine we run:

```
brew install certbot
mkdir cfg letsencrypt logs
certbot register --config-dir cfg --work-dir letsencrypt --logs-dir logs
```
This creates a JSON-formatted private key (a JSON Web Key) under `cfg/accounts/.../private_key.json`. A simple Go CLI tool posted here[1] converts the JSON key to PEM format using the `gopkg.in/square/go-jose.v2` package. I've pasted a minor variation of the tool below for posterity and reference.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"

	jose "gopkg.in/square/go-jose.v2"
)

func main() {
	if len(os.Args) != 2 {
		fmt.Printf("Usage: %v private_key.json\n", os.Args[0])
		os.Exit(1)
	}
	// Read certbot's private_key.json (a JSON Web Key).
	pkBuf, err := os.ReadFile(os.Args[1])
	if err != nil {
		panic(err)
	}
	var k jose.JSONWebKey
	if err := k.UnmarshalJSON(pkBuf); err != nil {
		panic(err)
	}
	// certbot account keys are RSA; print the key as PKCS#1 PEM on stdout.
	switch p := k.Key.(type) {
	case *rsa.PrivateKey:
		fmt.Println(string(pem.EncodeToMemory(&pem.Block{
			Type:  "RSA PRIVATE KEY",
			Bytes: x509.MarshalPKCS1PrivateKey(p),
		})))
	default:
		panic(fmt.Sprintf("unknown key format %T", p))
	}
}
```
We can then convert the key, redirecting the PEM output into a file:

```
go run letsencryptpem cfg/accounts/.../private_key.json > account.pem
```
and copy it to our server:

```
scp account.pem dre@nox.im:/home/dre/
```
On the server we copy it into place:

```
doas cp account.pem /etc/acme/letsencrypt.pem
```

and can then use it with acme-client in an httpd setup[1].