Programster's Blog

Tutorials focusing on Linux, programming, and open-source

ACME PHP - Request Certificate

Once you have proved to LetsEncrypt that you own the domain, you can request a certificate for it. Below are the steps to do so.

Steps

Run the following command to request a certificate for the domain:

php acmephp.phar request subdomain.mydomain.com

The first time you do this, it will ask you a series of questions (the same ones you get asked when generating a CSR). Just proceed by answering the questions truthfully.

The output has some really useful information such as where everything is kept, so I am posting it here for reference:

Loading account key pair...  

There is currently no certificate for domain test.programster.org in the Acme PHP storage. As it is the
first time you request a certificate for this domain, some configuration is required.

Generating domain key pair...  


Some informations about you or your company are required for the certificate:

What is your country two-letters code (field "C" of the distinguished name, for instance: "US")? : UK
What is your country province (field "ST" of the distinguished name, for instance: "California")? : Surrey
What is your locality (field "L" of the distinguished name, for instance: "Mountain View")? : xxxxxx
What is your organization/company (field "O" of the distinguished name, for instance: "Acme PHP")? : Programster
What is your unit/department in your organization (field "OU" of the distinguished name, for instance: "Sales")? :
What is your e-mail address (field "E" of the distinguished name)? : xxxxx@gmail.com
Distinguished name informations have been stored locally for this domain (they won't be asked on renewal).  
Requesting first certificate for domain test.programster.org ...  
Running post-generate actions...  

The SSL certificate was fetched successfully!

This certificate is valid from now to 2018-05-28T23:41:42+0000.

5 files were created in the Acme PHP storage directory:

    * /home/stuart/.acmephp/master/private/test.programster.org/private.pem contains your domain private key (required in many cases).

    * /home/stuart/.acmephp/master/certs/test.programster.org/cert.pem contains only your certificate, without the issuer certificate.
      It may be useful in certains cases but you will probably not need it (use fullchain.pem instead).

    * /home/stuart/.acmephp/master/certs/test.programster.org/chain.pem contains the issuer certificate chain (its certificate, the
      certificate of its issuer, the certificate of the issuer of its issuer, etc.). Your certificate is
      not present in this file.

    * /home/stuart/.acmephp/master/certs/test.programster.org/fullchain.pem contains your certificate AND the issuer certificate chain.
      You most likely will use this file in your webserver.

    * /home/stuart/.acmephp/master/certs/test.programster.org/combined.pem contains the fullchain AND your domain private key (some
      webservers expect this format such as haproxy).

Read the documentation at https://acmephp.github.io/documentation/ to learn more about how to
configure your web server and set up automatic renewal.

To renew your certificate manually, simply re-run this command.

As stated before, you only have to go through the pain of answering the questions once. When I re-ran the command (but with --force to force renewal), I did not get a series of questions, but just got:

Loading account key pair...  
Forced renewal.  
Loading domain key pair...  
Loading domain distinguished name...  
Renewing certificate for domain test.programster.org ...  
Running post-generate actions...  
Certificate renewed successfully!

You should be able to renew your certificates within a week of them expiring. However, if you need to renew before then for whatever reason, just use the --force parameter. Be careful though, as I believe you can only renew so many certificates per day.

Certificate File Locations

You should now have certificate files within:

$HOME/.acmephp/master/certs/subdomain.mydomain.com/

However, the private key is at:

$HOME/.acmephp/master/private/subdomain.mydomain.com/private.pem

If you are running Apache, then you want to use the individual chain.pem and cert.pem files for your certificates. The chain.pem file is the equivalent of the ca_bundle.crt you get from using SSL For Free.

If you are using Nginx, then you want the fullchain.pem file for the ssl_certificate parameter.

In both cases, you will also need to grab the private key from the path specified earlier.
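
Note that combined.pem sits under certs/ yet contains the domain private key, so protecting only the private/ directory is not enough. The script below is an added example (not from the original post or the Acme PHP project) that scans a storage tree laid out as in the output above for key-bearing PEM files accessible beyond their owner and tightens them; the function names, the example.test domain and the demo file modes are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: find PEM files in an Acme PHP storage tree that contain
# private key material and are readable or writable by group or others.

# Print one exposed path per line; return 1 if any were found, else 0.
acme_exposed_keys() {
    # POSIX find: "-perm -040" matches when the group-read bit is set, etc.
    exposed=$(find "$1" -type f -name '*.pem' \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) \
        -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + | sort)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed"
        return 1
    fi
    return 0
}

# Restrict every exposed key-bearing file to owner read/write only.
acme_harden_keys() {
    { acme_exposed_keys "$1" || true; } | while IFS= read -r f; do
        chmod 600 "$f"
    done
}

# Build a constructed storage tree (dummy PEM bodies, hypothetical modes)
# mirroring <storage>/private/<domain>/ and <storage>/certs/<domain>/.
make_demo_storage() {
    s=$(mktemp -d)
    mkdir -p "$s/private/example.test" "$s/certs/example.test"
    key='-----BEGIN PRIVATE KEY-----
constructed-key
-----END PRIVATE KEY-----'
    crt='-----BEGIN CERTIFICATE-----
constructed-cert
-----END CERTIFICATE-----'
    printf '%s\n' "$key" > "$s/private/example.test/private.pem"
    printf '%s\n' "$crt" > "$s/certs/example.test/fullchain.pem"
    printf '%s\n' "$crt" "$key" > "$s/certs/example.test/combined.pem"
    chmod 600 "$s/private/example.test/private.pem"
    chmod 644 "$s/certs/example.test/fullchain.pem" "$s/certs/example.test/combined.pem"
    printf '%s\n' "$s"
}

demo=$(make_demo_storage)
echo "Exposed before hardening:"; acme_exposed_keys "$demo" || true
acme_harden_keys "$demo"
echo "Exposed after hardening:";  acme_exposed_keys "$demo"
rm -rf "$demo"
```

To audit a real installation, call acme_exposed_keys with the storage directory from the output above (for example "$HOME/.acmephp/master"); fullchain.pem and chain.pem are left alone because they hold no key material.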

Conclusion

You have now got your certificate files. That completes our tutorial series on using the ACME PHP tool.

Last updated: 16th August 2018
First published: 16th August 2018