Using letsencrypt certificate in PDF signing
DOF is using syncfusion libararies to sign PDF, this library does not support certificate with EC key. However Certbot on linux uses EC by default.
This guide will help you configure the Linux NGinX certificates to be used for signing PDF as well.
Step 1
Start by forcing certbot to use RCA, run certbot with RCA flags
sudo certbot --nginx --key-type rsa --rsa-key-size 2048
Now the PEM files will use RCA.
Step 2
Next We want to generate a PFX that will update when the PEM updates. For that we create a shell file in the hooks folder of letsencrypt /etc/letsencrypt/renewal-hooks/deploy/export-pfx.sh
sudo nano /etc/letsencrypt/renewal-hooks/deploy/export-pfx.sh
Place the following content:
#!/bin/bash
# This script is called by Certbot with env variables set:
# RENEWED_LINEAGE is the path like /etc/letsencrypt/live/example.com
echo "Generating PFX"
LIVE_DIR="$RENEWED_LINEAGE"
DOMAIN=$(basename "$LIVE_DIR")
PFX_DIR="/etc/letsencrypt/pfx"
PFX_FILE="$PFX_DIR/$DOMAIN.pfx"
PASSWORD_FILE="/etc/letsencrypt/ssl-password.txt"
mkdir -p "$PFX_DIR"
if [[ ! -f "$LIVE_DIR/privkey.pem" ]]; then
echo "Private key not found for $DOMAIN"
exit 1
fi
openssl pkcs12 -export \
-out "$PFX_FILE" \
-inkey "$LIVE_DIR/privkey.pem" \
-in "$LIVE_DIR/cert.pem" \
-certfile "$LIVE_DIR/chain.pem" \
-passout file:"$PASSWORD_FILE"
# Set secure permissions give access to authenticated users
sudo chgrp users "$PFX_FILE"
sudo chmod 640 "$PFX_FILE"
echo "Generated PFX for $DOMAIN"
Save and set to executable:
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/export-pfx.sh
place the password in a seperate file:
echo "yourStrongPassword123" | sudo tee /etc/letsencrypt/ssl-password.txt > /dev/null
sudo chmod 600 /etc/letsencrypt/ssl-password.txt
You could have used the PEM files, but that means that the private key PEM is not protected
Step 3
To check that the shell file is valid:
sudo RENEWED_LINEAGE="/etc/letsencrypt/live/example.com" /etc/letsencrypt/renewal-hooks/deploy/export-pfx.sh
Make sure PFX certificate(s) are generated
Step 4
Setup the certificate in DOF in the configuration file
<Certificates>
...
<Certificate>
<Key>g</Key>
<Password>...</Password>
<File>/etc/letsencrypt/pfx/[your domain name].pfx</File>
</Certificate>
...
</Certificates>