Let's Encrypt Certificates and Arch Linux
Published 2016-02-10
Using Let's Encrypt necessitates some additions to your certificate store.
Introduction
I've started using Let's Encrypt for my certificates. It's verified by default for your browser (under Arch Linux), but Python and utilities like wget and curl need some more work.
Resolution
For the various utilities, you can use the update-ca-trust command from the ca-certificates-utils package. Download the "Let's Encrypt" root and intermediate certs and copy them to /etc/ca-certificates/trust-source/anchors/ (from the manpage), then run update-ca-trust extract.
For Python, via Stack Overflow, you can check where it's looking for certs:
$ python2
Python 2.7.11 (default, Dec 6 2015, 15:43:46)
[GCC 5.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from requests.utils import DEFAULT_CA_BUNDLE_PATH; print(DEFAULT_CA_BUNDLE_PATH)
/etc/ssl/certs/ca-certificates.crt
>>>
And it looks like the update-ca-trust command also updated that file:
$ ls -l /etc/ssl/certs/ca-certificates.crt
lrwxrwxrwx 1 root root 49 Sep 27 10:58 /etc/ssl/certs/ca-certificates.crt -> \
../../ca-certificates/extracted/tls-ca-bundle.pem
$ ls -l /etc//ca-certificates/extracted/tls-ca-bundle.pem
-r--r--r-- 1 root root 269659 Feb 10 21:24 /etc//ca-certificates/extracted/tls-ca-bundle.pem
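A changed timestamp only shows that the bundle was rewritten. To confirm that each cert copied into the anchors directory actually landed in the bundle Python reads, compare SHA-256 fingerprints. This is an added example, not part of the original post; it assumes Python 3 and PEM-encoded anchor files, and the function names and sample data are made up for illustration.

```python
import base64
import glob
import hashlib
import re
import ssl

# Paths as given in the post (Arch Linux).
ANCHOR_DIR = "/etc/ca-certificates/trust-source/anchors/"
BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def fingerprints(pem_text):
    """SHA-256 over the DER bytes of every certificate block in pem_text."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_BLOCK.findall(pem_text)}


def missing_anchors(anchors, bundle_text):
    """Return {anchor name: [fingerprints not present in the bundle]}."""
    in_bundle = fingerprints(bundle_text)
    report = {}
    for name, pem_text in anchors.items():
        absent = sorted(fingerprints(pem_text) - in_bundle)
        if absent:
            report[name] = absent
    return report


def fake_pem(payload):
    """Constructed stand-in for a certificate: PEM armour around raw bytes."""
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample data, so the check can be exercised without the real files.
SAMPLE_BUNDLE = "# Some Root CA\n" + fake_pem(b"root-a") + fake_pem(b"le-root")
SAMPLE_ANCHORS = {"le-root.pem": fake_pem(b"le-root"),
                  "le-intermediate.pem": fake_pem(b"le-intermediate")}

if __name__ == "__main__":
    anchors = {}
    for path in glob.glob(ANCHOR_DIR + "*"):
        with open(path, encoding="ascii", errors="replace") as fh:
            anchors[path] = fh.read()
    with open(BUNDLE, encoding="ascii", errors="replace") as fh:
        report = missing_anchors(anchors, fh.read())
    for name, fps in report.items():
        print("not in bundle:", name, *fps)
    raise SystemExit(1 if report else 0)
```

Run as a script it exits non-zero when an anchor is missing from the bundle, which usually means update-ca-trust extract has not been run since the file was copied.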
As an aside, I'm still running Lemondrop on Android and I added the intermediate certificate to the store on my phone to get it to verify "Let's Encrypt" certs.