I had problems with the instructions from my post, because Lets Encrypt is switching from ACME API v1 to ACME API v2. So I switched to acme.sh to generate Let’s Encrypt certificates in manual DNS mode. The steps are simple and can also be easily carried out directly in the Cloud Shell.

Acme.sh has many features and can also update certificates directly (e.g. on an Apache). I only needed the certificates and didn’t want to install it directly. Therefore it is important to set the default issuer (is not Let’s Encrypt) and a home folder:

./acme.sh --set-default-ca --server letsencrypt --home . --config-home . 

In order to generate a certificate for the acmetest.zuehlke.cloud domain, an issue is generated first. The output shows a random generated secret, which must be entered in the domain as a TXT record. This is the prove that the certifcate requestor owns the domain. Keep in mind, that you need to add the --yes-I-know-dns-manual-mode-enough-go-ahead-please parameter, to use the DNS mode:

./acme.sh --issue -d acmetest.zuehlke.cloud --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --home . --config-home .

If the TXT record with the name _acme-challenge.acmetest.zuehlke.cloud and the given TXT value is created, you need to wait at least 60 seconds. If you are too fast, you need to set a new challenge value. Afterwads the certificate can be created:

./acme.sh --renew -d acmetest.zuehlke.cloud --yes-I-know-dns-manual-mode-enough-go-ahead-please --home . --config-home .

If you are in the WSL, you can find the created files under \\wsl$ or open the explorer directly with explorer.exe . at the current folder.

Some conversions

Maybe you need to convert the CER file to a CRT file:

openssl x509 -inform PEM -in certificate.cer -out certificate.crt

Maybe you need to pack the CER files (the certificate and the intermediate certificate) as PFX file:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile intermediatecert.crt

Testing the certificate

You can view and validate the certificate chain after the deployment of the certificate by using:

openssl s_client -connect acmetest.zuehlke.cloud:443 -showcerts