Buypass Go SSL – Technical information | Buypass AS

Obtain a certificate with Certbot

After installing Certbot you can obtain a certificate from Buypass CA. The following examples were generated using EFF’s Certbot from their official website.

Certbot requires root privileges in order to perform its operations. Certbot will auto-install its dependencies the first time a command is run using the “certbot-auto” binary. After Certbot has finished installing its dependencies you will be prompted for input. Registration is also performed automatically before a certificate is obtained from the Buypass AS ACME service.

Register to CA

Command:
  root@acme:~# certbot register -m 'YOUR_EMAIL' --agree-tos --server 'https://api.buypass.com/acme/directory'

Parameter        Explanation
register         Specify task
-m 'email'       Email address used for notifications, e.g. expiring certificates
--agree-tos      Automatically agree to the Terms of Service
--server 'URL'   Use the specified ACME server to obtain certificates

Certbot output:
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Starting new HTTPS connection (1): api.buypass.com
  -------------------------------------------------------------------------------
  Would you be willing to share your email address with the Electronic Frontier
  Foundation, a founding partner of the Let's Encrypt project and the non-profit
  organisation that develops Certbot? We'd like to send you email about EFF and
  our work to encrypt the web, protect its users and defend digital rights.
  -------------------------------------------------------------------------------
  (Y)es/(N)o: N
  IMPORTANT NOTES:
  - Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
  root@acme:~#

Obtain certificate

To order a certificate from Buypass, run the following command, replacing example.com with your own domain name.

Command:
  root@acme:~# certbot certonly --webroot -w /var/www/example.com/public_html/ -d example.com -d www.example.com --server 'https://api.buypass.com/acme/directory'

Parameter        Explanation
certonly         Specify task
--webroot        Obtain a certificate by writing the challenge files to the webroot directory of an already running web server
-w               Specify the web root containing the files served by the web server
-d 'FQDN'        Fully Qualified Domain Name to obtain a certificate for; it must be reachable on ports 80 and 443
--server 'URL'   Use the specified ACME server to obtain certificates

Certbot output:
  root@acme:~# certbot certonly --webroot -w /var/www/example.com/public_html/ -d example.com -d www.example.com --server 'https://api.buypass.com/acme/directory'
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Plugins selected: Authenticator webroot, Installer None
  Starting new HTTPS connection (1): api.buypass.com
  Obtaining a new certificate
  Performing the following challenges:
  http-01 challenge for example.com
  http-01 challenge for www.example.com
  Using the webroot path /var/www/example.com/public_html for all unmatched domains.
  Waiting for verification...
  Cleaning up challenges

  IMPORTANT NOTES:
  - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/example.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/example.com/privkey.pem
    Your cert will expire on 2018-09-09. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew *all* of your certificates, run
    "certbot renew"
  - If you like Certbot, please consider supporting our work by:
    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le
  root@acme:~#

Managing Certificates with Certbot

  1. Revoke certificate
  2. Renew certificate
  3. Delete certificate


1. Revoke certificate

Revoke a previously obtained certificate by performing the following command.

Command:
  root@acme:~# certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem --server 'https://api.buypass.com/acme/directory'

Parameter           Explanation
revoke              Start the task of revoking an existing certificate
--server 'URL'      Use the specified ACME server (the one the certificate was obtained from)
--cert-path 'PATH'  Specify the path of the certificate to revoke

Certbot output:
  root@acme:~# certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem --server 'https://api.buypass.com/acme/directory'
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Starting new HTTPS connection (1): api.buypass.com

  -------------------------------------------------------------------------------
  Would you like to delete the cert(s) you just revoked?
  -------------------------------------------------------------------------------
  (Y)es (recommended)/(N)o: Y

  -------------------------------------------------------------------------------
  Deleted all files relating to certificate example.com.
  -------------------------------------------------------------------------------

  -------------------------------------------------------------------------------
  Congratulations! You have successfully revoked the certificate that was located
  at /etc/letsencrypt/live/example.com/cert.pem

  -------------------------------------------------------------------------------


2. Renew certificate

Certificates can be renewed manually with the following command. To automate the renewal process, schedule the same command with cron.

Command:
  root@acme:~# certbot renew

Parameter   Explanation
renew       Check and renew expiring certificates
-n          Run without user interaction
-q          Quiet output, reduced logging to screen

Certbot output:
  root@acme:~# certbot renew
  Saving debug log to /var/log/letsencrypt/letsencrypt.log

  -------------------------------------------------------------------------------
  Processing /etc/letsencrypt/renewal/example.com.conf
  -------------------------------------------------------------------------------
  Cert not yet due for renewal

  -------------------------------------------------------------------------------

  The following certs are not due for renewal yet:
    /etc/letsencrypt/live/example.com/fullchain.pem (skipped)
  No renewals were attempted.
  -------------------------------------------------------------------------------

Automated renewal is scheduled in cron by invoking the following command to edit the cron tasks for the root user.

Command:
  sudo crontab -e

Then add the following lines to the file.

Command:
  # Cron job scheduled under root to run every 12th hour at a specified minute (e.g. 23, change this to your preference)
  23 */12 * * * /opt/certbot/certbot-auto renew -n -q >> /var/log/certbot-auto-renewal.log

3. Delete certificate

Invoke the following command to delete a certificate. It lists the available certificates and lets you choose which one to delete completely.

Command:
  root@acme:~# certbot delete

Parameter   Explanation
delete      Start the task of deleting previously obtained certificates

Certbot output:
  root@acme:~# certbot delete
  Saving debug log to /var/log/letsencrypt/letsencrypt.log

  Which certificate(s) would you like to delete?
  -------------------------------------------------------------------------------
  1: example.com
  -------------------------------------------------------------------------------
  Select the appropriate numbers separated by commas and/or spaces, or leave input
  blank to select all options shown (Enter 'c' to cancel): 1

  -------------------------------------------------------------------------------
  Deleted all files relating to certificate example.com.

Buypass ACME Implementation details

Rate limits
The main limit is Certificates per Registered Domain, (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.

We also have a Duplicate Certificate limit of 5 certificates per week. A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalisation and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names by adding [blog.example.com], you would be able to request additional certificates.

There is a Failed Validation limit of 5 failures per account, per hostname, per hour.

You can have a maximum of 300 Pending Authorisations on your account.

The “new-reg”, “new-authz” and “new-cert” endpoints have an Overall Requests limit of 20 per second.

The “/directory” endpoint has a limit of 40 requests per second.
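The two weekly limits above (Certificates per Registered Domain and Duplicate Certificate) can be checked locally against your own issuance history before an order is placed. The following Python is an added example and not Buypass's code; it assumes a small constructed subset of the Public Suffix List, a constructed issuance history, and that a certificate counts against a registered domain whenever any of its names falls under that domain.

```python
from datetime import datetime, timedelta

# Constructed subset of the Public Suffix List (the real list has thousands of entries).
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "no"}
WEEK = timedelta(days=7)
CERTS_PER_REGISTERED_DOMAIN = 20   # from the page: 20 per week
DUPLICATE_CERTS = 5                # from the page: 5 per week


def registered_domain(hostname: str) -> str:
    """Public suffix plus one more label, e.g. new.blog.example.co.uk -> example.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so "co.uk" wins over "uk".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    raise ValueError(f"no public suffix found for {hostname!r}")


def cert_key(hostnames) -> tuple:
    """Duplicate-certificate identity: the same set of names, ignoring case and order."""
    return tuple(sorted({h.lower().rstrip(".") for h in hostnames}))


def limits_hit(history, hostnames, now: datetime) -> list:
    """history is a list of (issued_at, hostnames) for certificates already issued
    to this account. Returns the weekly limits a new order for `hostnames` would
    exceed; an empty list means the order is within the limits."""
    recent = [cert_key(h) for issued_at, h in history if now - issued_at < WEEK]
    key = cert_key(hostnames)
    hit = []
    if recent.count(key) >= DUPLICATE_CERTS:
        hit.append("duplicateCertificate")
    for rd in sorted({registered_domain(h) for h in key}):
        # Assumption: a certificate counts against a registered domain when any
        # of its names falls under that domain.
        n = sum(1 for k in recent if any(registered_domain(h) == rd for h in k))
        if n >= CERTS_PER_REGISTERED_DOMAIN:
            hit.append(f"certificatesPerRegisteredDomain:{rd}")
    return hit


if __name__ == "__main__":
    now = datetime(2018, 6, 11, 12, 0)
    # Constructed history: five identical certificates issued earlier this week.
    history = [(now - timedelta(days=d), ["www.example.com", "example.com"]) for d in range(1, 6)]
    print(limits_hit(history, ["example.com", "WWW.example.com"], now))                      # ['duplicateCertificate']
    print(limits_hit(history, ["example.com", "www.example.com", "blog.example.com"], now))  # []
```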

Security fixes
If there appears to be a security issue in the protocol, we may introduce compatibility-breaking changes to the endpoints. Client suppliers should update their clients to address such vulnerabilities.


Errors and issues

While working with the Buypass ACME service the following standard errors may appear. If you cannot resolve them yourself, contact our Community or our Customer Support.

Type                   Description
badCSR                 The CSR is unacceptable (e.g., due to a short key)
badNonce               The client sent an unacceptable anti-replay nonce
badSignatureAlgorithm  The JWS was signed with an algorithm the server does not support
invalidContact         A contact URL for an account was invalid
unsupportedContact     A contact URL for an account used an unsupported protocol scheme
malformed              The request message was malformed
rateLimited            The request exceeds a rate limit
rejectedIdentifier     The server will not issue for the identifier
serverInternal         The server experienced an internal error
unauthorised           The client lacks sufficient authorisation
unsupportedIdentifier  Identifier is not supported, but may be in future
userActionRequired     Visit the “instance” URL and take actions specified there
badRevocationReason    The revocation reason provided is not allowed by the server
caa                    Certification Authority Authorisation (CAA) records forbid the CA from issuing
dns                    There was a problem with a DNS query
connection             The server could not connect to validation target
tls                    The server received a TLS error during validation
incorrectResponse      Response received didn’t match the challenge’s requirements


This list is not exhaustive. The server MAY return errors whose “type” field is set to a URI other than those defined above.


ACME Issue Reporting

If you have issues using the Buypass Go SSL solution, please report them using the Issue Report form below. It may be useful for us to get your ACME Account ID in order to do a proper investigation. The process of creating an ACME account is handled automatically by the ACME client software you use.

If you’re using Certbot, you can find your account ID by looking at the “uri” field in /etc/letsencrypt/accounts/api.buypass.com/acme/directory*/regr.json.

If you’re using another ACME client, the instructions will be client-dependent. Check your logs for URLs of the form described above. If your ACME client does not record the account ID, you can retrieve it by submitting a new registration request with the same key. See the ACME spec for more details. You can also find the numeric form of your ID in the Boulder-ID header in the response to each POST your ACME client makes.