Let's Encrypt Certificates and Arch Linux

Published 2016-02-10

Using Let's Encrypt necessitates some additions to your certificate store.

Introduction

I've started using Let's Encrypt for my certificates. It's verified by default for your browser (under Arch Linux), but Python and utilities like wget and curl need some more work.

Resolution

For the command-line utilities, you can use update-ca-trust from the ca-certificates-utils package. Download the "Let's Encrypt" root and intermediate certs, copy them to /etc/ca-certificates/trust-source/anchors/ (the location given in the manpage), then run update-ca-trust extract.

For Python, via Stack Overflow, you can check where it's looking for certs:

$ python2
Python 2.7.11 (default, Dec  6 2015, 15:43:46)
[GCC 5.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from requests.utils import DEFAULT_CA_BUNDLE_PATH; print(DEFAULT_CA_BUNDLE_PATH)
/etc/ssl/certs/ca-certificates.crt
>>>

And it looks like the update-ca-trust command also updated that file:

$ ls -l /etc/ssl/certs/ca-certificates.crt
lrwxrwxrwx 1 root root 49 Sep 27 10:58 /etc/ssl/certs/ca-certificates.crt -> \
                                       ../../ca-certificates/extracted/tls-ca-bundle.pem
$ ls -l /etc//ca-certificates/extracted/tls-ca-bundle.pem
-r--r--r-- 1 root root 269659 Feb 10 21:24 /etc//ca-certificates/extracted/tls-ca-bundle.pem
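
To confirm that update-ca-trust extract really copied every anchor into the bundle Python reads, you can compare certificate fingerprints. This is an added example, not code from the original post: it is written for Python 3, the function names are hypothetical, and the sample data is constructed placeholder bytes rather than real certificates.

```python
import base64
import hashlib
import re
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of the DER body of every certificate in pem_text."""
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(pem_text)]

def missing_anchors(anchor_pems, bundle_pem):
    """Return {anchor file name: fingerprints absent from the bundle}."""
    in_bundle = set(pem_fingerprints(bundle_pem))
    missing = {}
    for name, pem in sorted(anchor_pems.items()):
        prints = pem_fingerprints(pem)
        absent = [fp for fp in prints if fp not in in_bundle]
        # A file with no parsable PEM certificate is reported with [].
        if absent or not prints:
            missing[name] = absent
    return missing

def to_pem(der):
    """Wrap raw bytes in PEM armour (used only to build the sample data)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----", ""])

# Constructed sample data: placeholder bytes, not real certificates.
SAMPLE_ANCHORS = {
    "le-root.pem": to_pem(b"constructed root placeholder"),
    "le-intermediate.pem": to_pem(b"constructed intermediate placeholder"),
}
# Bundle as it would look if extract had picked up only the root.
SAMPLE_BUNDLE = ("# some other CA\n" + to_pem(b"constructed unrelated CA")
                 + "# le-root\n" + SAMPLE_ANCHORS["le-root.pem"])

if __name__ == "__main__":
    print("sample:", missing_anchors(SAMPLE_ANCHORS, SAMPLE_BUNDLE))
    # The two paths below are the ones named on this page.
    anchors = Path("/etc/ca-certificates/trust-source/anchors")
    bundle = Path("/etc/ssl/certs/ca-certificates.crt")
    if anchors.is_dir() and bundle.exists():
        found = {p.name: p.read_text(errors="replace")
                 for p in anchors.iterdir() if p.is_file()}
        print("system:", missing_anchors(found, bundle.read_text(errors="replace")))
```

An empty result for the system paths means every anchor is in the bundle; a file listed with an empty list was not PEM-encoded.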

As an aside, I'm still running Lemondrop on Android and I added the intermediate certificate to the store on my phone to get it to verify "Let's Encrypt" certs.