Generate LE certs from the CLI

(Lorne Gaetz) #1

Thanks to the efforts of @jerrm and @bpbp, the latest edge version of Certificate Management module allows you to generate a Let’s Encrypt cert using fwconsole:

# fwconsole ma list | grep cert
| certman             | 15.0.34    | Enabled                           | AGPLv3+     |

# fwconsole certificates --generate --type=le  --country-code=ca --state=ns
Getting list of URLs for API
Requesting new nonce for client communication
Account already registered. Continuing.
Sending registration to letsencrypt server
Sending signed request to
Starting certificate generation process for domains
Requesting challenge for
... bunch of lines removed ...
Got certificate! YAY!
Saving fullchain.pem
Saving cert.pem
Saving chain.pem
Done !!§§!
Successfully installed Let's Encrypt certificate ''

Thanks Gentlemen? Humans!


For now, run an fwconsole chown after creating a cert.

I’ll open a ticket for the fix tomorrow, along with some more functionality.


Fix for the chown issue is at

The big addition for this ticket is Subject Alternative Name, so a cert can support more than one DNS name, i.e. a single cert can now support ,,, etc.

Of limited use for the distro with current port-based apache virtual hosts, but makes life much easier for those that use hostname/SNI based virtual hosts.


Does your code allow certificates from other than the primary domain to be issued?

I ask because using such domains (using SNI, not ports) would provide a 'once removed' certification for administrative purposes (and provisioning) that is less easily revealed?
I believe that both TLS transport for calls (and such a transport doesn't like wildcards/SAN for that purpose) and provisioning would benefit, yet still protect against MITM attacks inside a possibly compromised LAN.

Call it a kinda 2FA perhaps.



It passes the names to the Lescript.php script certman uses and prays.

But, yes, I tested for multi-domain ( and and got a working cert.


( or two ? :slight_smile: )


If anyone cares…

Certman 15.0.35 has just been released to edge. It fixes the chown issues in the original cli 15.0.34 release and adds support for alternative names in the cert.

I recommend running fwconsole chown from the console after installing 15.0.35 if you have used the letsencrypt cli generation in 15.0.34.
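Once 15.0.35 has issued a multi-name cert and `fwconsole chown` has fixed ownership, the thing a practitioner wants to confirm before pointing SNI-based virtual hosts or TLS trunks at it is that every expected hostname really is in the certificate's Subject Alternative Name list. The script below is an added example, not certman's or FreePBX's own code: it builds a throwaway self-signed SAN cert with openssl (a constructed stand-in for the Let's Encrypt fullchain.pem) and checks it with two small POSIX sh functions. The hostnames, the temp-dir layout and the `/etc/asterisk/keys/<name>/fullchain.pem` path mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not certman's own code): verify that a certificate's
# subjectAltName covers every hostname you intend to serve with it.
# On a real FreePBX host you would run the fwconsole generate command
# from the post above, then "fwconsole chown", then point cert_covers at
# the resulting fullchain.pem (assumed to live under /etc/asterisk/keys/).
# Requires the openssl CLI; everything else is POSIX sh.

# cert_sans FILE  -> prints each DNS: entry of the cert's SAN, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# cert_covers FILE NAME...  -> 0 only if every NAME is an exact SAN entry
# (wildcard entries are NOT expanded, matching the thread's point that
# TLS call transport wants the literal hostname in the cert);
# each missing name is reported on stderr and the return code is 1.
cert_covers() {
    file=$1
    shift
    sans=$(cert_sans "$file")
    missing=0
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF "$name"; then
            echo "missing SAN: $name" >&2
            missing=1
        fi
    done
    return $missing
}

# --- constructed demo input: a self-signed cert with two SAN names, ---
# --- standing in for the Let's Encrypt fullchain.pem (assumed path) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CERT="$DEMO_DIR/fullchain.pem"

# Config-file route rather than -addext so it also works on older openssl.
cat > "$DEMO_DIR/san.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[san_ext]
subjectAltName = DNS:pbx.example.test, DNS:sip.example.test
EOF

openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=pbx.example.test" \
    -config "$DEMO_DIR/san.cnf" -extensions san_ext \
    -keyout "$DEMO_DIR/privkey.pem" -out "$DEMO_CERT" >/dev/null 2>&1

# Stand-alone run: report coverage for the names we expect plus one we did
# not request, so the failure path is visible too.
if cert_covers "$DEMO_CERT" pbx.example.test sip.example.test; then
    echo "cert covers the requested names"
fi
cert_covers "$DEMO_CERT" admin.example.test || echo "admin name not covered (expected)"
```

Run it against the real file with `cert_covers /etc/asterisk/keys/<name>/fullchain.pem pbx.example.com sip.example.com` (path assumed) after `fwconsole chown`; a non-zero exit plus the `missing SAN:` lines tells you which hostname still needs to be added before an SNI virtual host or a TLS endpoint will validate.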
