How to use Certbot to issue Certum SSL ACME certificate?
Certum supports ACME v2, as specified in RFC 8555.
A number of ACME clients support this protocol. The sample instructions below use the Certbot client as an example and are for illustration only; for a step-by-step, server-side deployment of Certbot (or any other ACME client), use the dedicated instructions and support materials provided by that client's publisher. Certbot documentation is available at https://eff-certbot.readthedocs.io/en/stable/using.html.
Certbot software installation
- Download and install the ACME client on the server, e.g. Certbot, using the official instructions: https://certbot.eff.org/
Certificate activation using Certbot
- Start the registration of ACME account in Certum using the command below. Fill in the kid and hmac values according to the data received in the Certum certificate details:
certbot register --server https://acme.certum.pl/directory/ --eab-kid z2r7_WC57nZWHvCbyjRV94y836hq19CWPLdU7naHaXXXXXXXXXXXXXXXXXX --eab-hmac-key ZjExMWNiNzQ1ZGI0NjE0MWU3ZjYwNDZjMzhhOGRiYjhmNjFlMjBjOGXXXXXXXXXXXXXXX
- Provide the e-mail address of the Certum account with the ordered SSL product, for which the ACME account will be created
- Read and confirm the terms of use of Certum certificates
- If necessary, answer additional questions regarding the processing of ACME account data by Certbot. The result should be confirmation of the account registration
- Start the certificate request and choose the method of verifying the control over the domains for which you want to issue a certificate using the command:
certbot certonly --manual --key-type rsa --server https://acme.certum.pl/directory/ --preferred-challenges dns-01
The parameters let you choose:
- issuing the certificate only, without installing it on the server, using certonly
- the key type with --key-type, set to rsa or ecdsa
- manual domain verification with --manual; automatic domain verification requires a Certbot plugin (add-on) configured for the server hosting the domain
- the domain verification method (challenge type): dns-01 or http-01
- Provide the domains to be included in the certificate. Certbot does not support entering IP addresses. In the case of more than one domain, separate them with a space:
yourdomain.com www.yourdomain.com
- Either let Certbot verify control of the domains automatically, or verify it manually by following the instructions displayed: place the requested record in the domain's DNS or the requested file on the web server, then confirm in the console that you are ready for verification. Wait for the verification and for the certificate to be issued
- Download the certificate and private key from the location indicated by Certbot. With the certonly option, install them on your server and start using them.
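The two steps above (account registration with the EAB values, then a manual dns-01 request), scripted non-interactively as an added example that is not Certum's or Certbot's own code. It assumes the EAB kid, EAB HMAC key and account e-mail arrive in environment variables, a hypothetical auth-hook path, and a public resolver for the propagation check:

```sh
#!/bin/sh
# Added example, not Certum's or Certbot's own code. Assumed inputs:
# CERTUM_EAB_KID, CERTUM_EAB_HMAC and ACME_EMAIL in the environment.
ACME_SERVER="https://acme.certum.pl/directory/"

# Certbot does not accept IP addresses as names: reject IPv4 literals early
# instead of letting the order fail at the CA. Returns 0 when $1 is one.
is_ip_literal() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# dns-01 proof is published at _acme-challenge.<domain>; a wildcard name
# *.example.com is validated at its base name, so the leading "*." is dropped.
challenge_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Step 1 above: register the account once with the External Account Binding
# values from the Certum order. --agree-tos and -m avoid the prompts.
certum_register() {
    certbot register --server "$ACME_SERVER" \
        --eab-kid "$CERTUM_EAB_KID" --eab-hmac-key "$CERTUM_EAB_HMAC" \
        -m "$ACME_EMAIL" --agree-tos --no-eff-email
}

# Step 2 above: request the certificate for the domains given as arguments.
# The auth hook path is hypothetical; it is where wait_for_txt would run.
certum_certonly() {
    args=""
    for d in "$@"; do
        is_ip_literal "$d" && { echo "IP literal '$d' not supported" >&2; return 2; }
        args="$args -d $d"
    done
    # $args is intentionally unquoted so it expands to: -d a -d b ...
    certbot certonly --manual --key-type rsa --server "$ACME_SERVER" \
        --preferred-challenges dns-01 \
        --manual-auth-hook /usr/local/bin/certum-dns-auth.sh $args
}

# In the auth hook Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION.
# Poll a public resolver (assumed 1.1.1.1) until the TXT record is visible,
# so validation is requested only after propagation. $3 = max attempts.
wait_for_txt() {
    name=$(challenge_record_name "$1"); n=${3:-30}
    while [ "$n" -gt 0 ]; do
        dig +short TXT "$name" @1.1.1.1 | grep -qF "\"$2\"" && return 0
        n=$((n - 1)); sleep 10
    done
    return 1
}
```

Certbot runs the auth hook once per domain, so after publishing the record at your DNS provider the hook would call wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" before returning.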
Note: When the certificate is nearing its expiration date, using the renew option issues a certificate whose expiration date equals that of the certificate being renewed, even if the SSL product ordered was a certificate renewal. To secure the domain with a certificate for the next period, you must order a new product and issue a certificate for it.
Note: Certum limits the number of requests for each ACME operation to ensure the performance and stability of the system. For ACME account registrations and certificate requests the limit is calculated per ACME product order; the remaining operations are limited per IP address.
An HTTP 429 status code in the ACME client response indicates that the limit has been exceeded. The response carries a Retry-After header with the number of seconds after which the request can be resubmitted.
Troubleshooting
If a certificate is not issued even though control over the domain was verified successfully, check whether the domain has been caught by the blocks or high-risk detection performed by Certum.