TechTip: Let's Encrypt, Together


Automation and security are top priorities. IBM i is a first-class citizen if we let it be, and that means putting in the effort to get more open source onto the platform. This article does exactly that.

If you haven't noticed, security is regularly in the news and generally has been a hot topic the past couple years. Most recently, there was the Kemuri Water Company breach, which unfortunately was against their "AS/400." The quote still ringing in my ears from that article is the following:

"The facts in the report do speak for themselves and it’s readily apparent the specific affected water utility was trapped in a past decade (or even two decades ago) in a time when they had little reason to expect their company, business operations or water control systems would ever become the desired target for a sophisticated cyber attack,"

It's easy to think you’re immune to security threats. It might be tempting to operate under the premise of "hoping for the best," but that stance can be generally classified as security ignorance. It's time we not only replace our ignorance but also start pursuing "ethical hacking," as MC Press author Steve Pitcher has done with excellence.

Not only do we need security in place, but it needs to be automated so we become less hesitant to implement it. The point on automation was made by Steve Will, Chief IBM i Architect at IBM, in this blog post. I think we need to heed Steve’s advice.

It's the combination of security and automation that brings me to the subject matter of this article. Last year, a co-worker told me about a new initiative called Let's Encrypt. The aim is to make SSL certificates free, automatic, secure, transparent, open, and cooperative. You can learn more about each of those principles on the project's About page.

One of the interesting limitations of Let's Encrypt is that certificates it signs are valid for a maximum of 90 days. That is deliberate: a short lifetime limits the damage a compromised key can do and pushes you toward automation, but it also means renewing certificates by hand every 90 days would be a major pain in the butt. That's why there are many open-source projects, in a variety of programming languages, that automate the process; Let's Encrypt maintains a list of them. I scanned through the list hoping to find one that was not tied to a particular language runtime, because I am hoping many IBM i websites will make use of this approach. Lo and behold, there are a couple written in bash (Bourne Again Shell), which I have on IBM i because I've installed 5733OPS option 3. Specifically, it is Neilpang's le project:

To install that GitHub project on the IBM i, you can either download the source and FTP it to the IFS or use git clone, as shown below.

$ git clone git@github.com:Neilpang/le.git
Cloning into 'le'...
remote: Counting objects: 793, done.
remote: Compressing objects: 100% (12/12), done.
remote: Total 793 (delta 4), reused 0 (delta 0), pack-reused 781
Receiving objects: 100% (793/793), 183.52 KiB | 0 bytes/s, done.
Resolving deltas: 100% (318/318), done.
Checking connectivity... done.

Now go into the directory that was created.

$ cd le

The project install instructions tell us to run the following command.

$ ./ install
Please install crontab first.
try to install 'cron, crontab, crontabs or vixie-cron'.
We need to set cron job to renew the certs automatically.
Pre-check failed, can not install.

Hmm…errors. What to do?

Remember the "Drivers, Start your Nginx!" article I previously wrote where I included the painful steps of how I was able to get Nginx installed? In that article, I asked whether people like to see the specific details of how to troubleshoot within PASE. Well, I am still getting positive responses from that article with encouragement to do more. So, are you ready for some more blood, sweat, and tears? Time to see if we can get this open-source project ported to IBM i.

Going back to the error: IBM i doesn't ship crontab. First, check the package list to see if it exists. It doesn't. But, remembering that list isn't comprehensive, I went to the "everything RPMS" link. Using Ctrl+F on the web page, I didn't find anything relating to "cron".

I then searched the script's source and found the check that produces that message:

if ! _exists "crontab" ; then
   _err "Please install crontab first.
    try to install 'cron, crontab, crontabs or vixie-cron'."
   _err "We need to set cron job to renew the certs automatically."
   return 1
fi

Since I don't intend to auto-renew (yet), I will comment out those lines by placing a # character at the start of each line, as shown below. Note that the first _err message is a string that spans two lines, so both of those lines need the #; a lone trailing line would be parsed as a command and break the script.

# if ! _exists "crontab" ; then
#   _err "Please install crontab first.
#    try to install 'cron, crontab, crontabs or vixie-cron'."
#   _err "We need to set cron job to renew the certs automatically."
#   return 1
# fi

Now I will run it again.

$ ./ install
It is recommended to install nc first, try to install 'nc' or 'netcat'.
We use nc for standalone server if you use standalone mode.
If you don't use standalone mode, just ignore this warning.
Installing to /home/AARON/.le
Installed to /home/AARON/.le/
OK, Close and reopen your terminal to start using le
Installing cron job
./ line 1372: crontab: command not found
./ line 1379: crontab: command not found
./ line 1379: crontab: command not found
Install cron job failed. You need to manually renew your certs.
Or you can add cronjob by yourself:
LE_WORKING_DIR="/home/AARON/.le" "/home/AARON/.le"/ cron > /dev/null


OK, it got past my commented lines, although it still attempted to install the cron job. I don't believe that will be an issue because, as the message above notes, I can simply renew my certs manually. Just remember what "manually" now means: someone has to remember to do it before day 90. The cron line the installer printed is the command to run, whether from a calendar reminder or from an IBM i job schedule entry that invokes it.
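With the cron job gone, nothing on the system will notice when day 90 approaches. The gate below is an added example (not code from the article or from the le project) of the smallest check that could be scheduled in its place: it asks openssl whether the certificate expires within a given number of days and only then runs whatever renew command it is handed. openssl's -checkend option is used instead of parsing the notAfter date because PASE's date command is not GNU date. The certificate path, the threshold and the renew command are all parameters supplied by the caller; none of the paths are taken from the article.

```shell
#!/bin/sh
# Added example, not from the article or the le project: a renewal gate for
# certificates that nobody is automatically renewing.
# Assumptions: openssl is on PATH; CERT_FILE, DAYS and the renew command
# are supplied by the caller.

# needs_renewal CERT_FILE DAYS
# Exit 0 when the certificate expires within DAYS, or is missing/unreadable
# (which should also trigger issuance); exit 1 when it is still good.
needs_renewal() {
  cert=$1; days=${2:-30}
  [ -r "$cert" ] || return 0
  secs=$((days * 86400))
  # -checkend exits 0 if the cert will NOT expire within secs, 1 if it will.
  if openssl x509 -noout -checkend "$secs" -in "$cert" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# renew_if_due CERT_FILE DAYS RENEW_CMD [ARGS...]
# Runs RENEW_CMD only when the gate says so. The exit status is the
# renewer's when it ran, and 0 when nothing needed doing.
renew_if_due() {
  cert=$1; days=$2; shift 2
  if needs_renewal "$cert" "$days"; then
    "$@"
  fi
}
```

Wired to whatever scheduler you have, `renew_if_due /path/to/the/cert.pem 30` followed by the cron line the installer printed turns renewal into a decision the machine takes rather than a date a person has to remember. A 30-day threshold leaves room for a failed attempt or two before a 90-day certificate actually lapses.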

Next, I exit the PASE shell per the directions on the Github page.

$ exit

Log back in and cd into the location where you did the git clone.

$ cd /home/aaron/git/le

Now it's time to have a certificate issued for a domain. This involves many steps that happen under the covers. One of them is proving you actually control the domain. There are a handful of ways to do that. One of them, the http-01 challenge, is to host a file, with a name and contents generated for this particular request, on your domain. Let's Encrypt's validator then fetches that file over plain HTTP on port 80, so port 80 on that host has to be reachable from the internet. The reasoning is that if you can get a file served from the domain, then you must control it. This means we need to tell the script where it should write the file. In my case, I've created a directory named /www/mysite/htdocs/letsencrypt.

I am using Nginx on IBM i instead of Apache. Below is the location mapping necessary to receive the validation request from Let's Encrypt and route it to my newly created htdocs/letsencrypt directory (only the relevant part of the server block is shown).


. . .
    # root is prefixed to the full request URI, so a request for
    # /.well-known/acme-challenge/<token> is served from
    # /www/mysite/htdocs/letsencrypt/.well-known/acme-challenge/<token>,
    # which is where the script writes it. Do not use alias here.
    location /.well-known/acme-challenge {
        root /www/mysite/htdocs/letsencrypt;
    }
. . .
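Before asking Let's Encrypt to validate, it is worth proving that the mapping above really serves a file dropped into the challenge directory, because every failed validation counts against Let's Encrypt's rate limits and, as the rest of this article shows, the script's own error messages do not always point at the real cause. The probe below is an added example and not code from the article or from the le project. The domain, webroot and fetch command are parameters, and the fake fetcher used for offline testing is a stand-in for Let's Encrypt's validator.

```shell
#!/bin/sh
# Added example, not from the article or the le project: a pre-flight probe
# for the HTTP-01 webroot mapping. It drops a throwaway token where the
# ACME client will write the real one, fetches it through the web server
# the way the validator would, and compares the two.
# Assumptions: DOMAIN, WEBROOT and (optionally) a fetch command are passed
# in by the caller; nothing here is taken from the article's setup.

# Path the client writes to and the CA requests, for a given webroot/token.
challenge_path() {
  printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Random token so a stale file or a cached page cannot pass the probe.
make_token() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Default fetcher: plain HTTP, fail on any non-2xx status so a 404 page
# body is never mistaken for the token. Redirects are deliberately not
# followed, so the probe tests the port-80 mapping itself.
http_fetch() {
  curl -fsS --max-time 10 "$1"
}

# preflight DOMAIN WEBROOT [FETCH_CMD]
# Exit 0 when the body served for the challenge URL equals the token,
# 1 when it differs or the fetch fails, 2 when the token cannot be written.
preflight() {
  domain=$1; webroot=$2; fetch=${3:-http_fetch}
  token=$(make_token)
  file=$(challenge_path "$webroot" "$token")
  mkdir -p "$(dirname "$file")" || return 2
  printf '%s' "$token" > "$file" || return 2
  body=$("$fetch" "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
  rc=$?
  rm -f "$file"
  [ "$rc" -eq 0 ] && [ "$body" = "$token" ]
}
```

Run it on the IBM i as `preflight www.example.com /www/mysite/htdocs/letsencrypt` (your own domain and webroot). A zero exit confirms the webroot mapping; it does not prove that port 80 is reachable from the internet, which the firewall still has to allow for the real validation.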

What's up with the weird URL of /.well-known/acme-challenge? It comes from the ACME protocol that Let's Encrypt speaks: the http-01 challenge requires the token to be served at http://<domain>/.well-known/acme-challenge/<token>, and /.well-known/ is the standard prefix (RFC 5785) for site-metadata paths, so the validator always knows where to look. The next step in the GitHub instructions is to "issue" a certificate using the following syntax.


$ le issue /www/mysite/htdocs/letsencrypt

First, we see the le command, which is a shell alias the install step created for the script in /home/AARON/.le. We can confirm this by running the which command.

$ which le
le: aliased to /home/AARON/.le/

After le, we see three parameters. The first declares the action, "issue" in this case. The second is the web-accessible directory we created earlier. The third is the domain needing a new certificate.

At this point, I hit Enter. Everything was going well until I received the following error.

$ le issue /www/mysite/htdocs/letsencrypt
Creating account key
Use default length 2048
Registering account
Creating domain key
Use length 2048
Creating csr
Verify each domain
Getting token for
printf: usage: printf [-v var] format [arguments]
/home/AARON/.le/ line 1115:
Is a directory
chown: /www/mysite/htdocs/letsencrypt/ is an unknown username.
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information error:

I guessed that the printf and chown failures were downstream of a curl failure. Why? curl is the program the script uses to make its web requests. If a request fails and the error trapping isn't adequate, the subsequent printf and chown calls run with empty variables and fail in their own confusing ways, which is exactly what the empty-path errors above look like.

At this point, I dug further into the script and noticed there are debugging capabilities. In the case of this project, debugging means you set the DEBUG environment variable (i.e., DEBUG=1) and the script writes various logs to the console for review. I ran the command again as shown below.

$ DEBUG=1 le issue /www/mysite/htdocs/letsencrypt

When you only want an environment variable to be set for the duration of a program invocation, you can put it right before the command, as I did above. The other approach to make the value stay put for the duration of this shell session is to instead use "export DEBUG=1".

I am not going to post the entire debug results as they were quite long (and full of secret keys I don't want shared, which is itself a reason to be careful where DEBUG output ends up). I did find that the script writes curl's trace to a dump file when a request isn't successful, so I used the cat command to display its contents.

$ cat /home/AARON/.le/curl.dump
== Info: TLSv1.2, TLS alert, Server hello (2):
=> Send SSL data, 2 bytes (0x2)
0000: .0
== Info: SSL certificate problem: unable to get local issuer certificate
== Info: Closing connection 0
== Info: TLSv1.2, TLS alert, Client hello (1):
=> Send SSL data, 2 bytes (0x2)


The above error means curl could not validate the ACME server's certificate: the CA that issued it isn't in the trust store curl is using, so curl refuses to complete the TLS handshake. This is a relatively common error I come across on IBM i. Resist the temptation to work around it with curl's -k/--insecure flag; the fix is to give curl a CA bundle it can actually use. An adequate cacert.pem file (the Mozilla trust store, repackaged by the curl project) can be downloaded from the curl project's site. Download it, check its SHA-256 against the digest published next to it, and place it in a directory on your IBM i. I put it in /home/aaron/certs.

Now set the CURL_CA_BUNDLE environment variable to that path the next time you invoke the le script, as shown below.

$ CURL_CA_BUNDLE=~/certs/cacert.pem le issue /www/mysite/htdocs/letsencrypt

Creating account key
Use default length 2048
Registering account
grep: illegal option -- o
usage: grep [-r] [-R] [-H] [-L] [-E|-F] [-c|-l|-q] [-insvxbhwyu]
       [-p[parasep]] -e pattern_list...
       [-f pattern_file...] [file...]
usage: grep [-E|-F] [-c|-l|-q] [-insvxbhwyu] [-p[parasep]]
       [-e pattern_list...]
       -f pattern_file... [file...]
usage: grep [-E|-F] [-c|-l|-q] [-insvxbhwyu]
       [-p[parasep]] pattern_list [file...]
(23) Failed writing body
Register account Error: {"type":"urn:acme:error:badNonce","detail":
"JWS has no anti-replay nonce","status":400}

Snap! Another error.

The PASE version of grep isn't quite the same as Linux: it has no -o (print only the matching part) option. The two errors above are connected: the script pulls the Replay-Nonce value out of the server's response headers with grep -o, so when grep rejects -o the registration request goes out without a nonce and the server rejects it with badNonce. No worries, the perzl package list to the rescue! If you need the GNU version of grep, first download and install IBM i Chroot (or install 5733OPS option 3). Then run the following commands.

$ cd /dir/where/ibm-i-chroot/exists
$ ./ pkg_perzl_utils.lst

That will install various programs in /opt/freeware/bin. We now need to make sure the /opt/freeware/bin directory is searched before the PASE defaults when we run commands. Modify the PATH environment variable to have that directory first, as shown below. PATH works much like a library list: it is a colon-delimited list of directories searched, in order, for commands and programs, so putting /opt/freeware/bin first means the GNU grep wins over the PASE one.

$ export PATH=/opt/freeware/bin:$PATH
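Two of the failures above were environmental rather than bugs in the script: curl had no usable trust store, and the first grep on PATH lacked -o. Both are worth checking up front, and the CA bundle deserves a second look for a security reason. Whatever file CURL_CA_BUNDLE points at becomes the trust root for every TLS connection curl makes afterwards, so a bundle fetched over the network should be compared with the SHA-256 digest the curl project publishes alongside cacert.pem before it is used. The checks below are an added example, not code from the article or from the le project; the expected digest, the bundle path and the ACME URL are parameters supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the article or the le project: sanity checks for
# the grep and curl problems hit while running "le issue".
# Assumptions: the expected SHA-256 is the one published with cacert.pem
# and is passed in by the caller; the ACME URL is likewise a parameter.

# Exit 0 if the grep found first in PATH honours -o (PASE's does not,
# GNU's does). Run this after "export PATH=/opt/freeware/bin:$PATH".
grep_supports_o() {
  [ "$(printf 'Replay-Nonce: abc123\n' | grep -o 'abc[0-9]*' 2>/dev/null)" = "abc123" ]
}

# Print the SHA-256 of a file using whichever tool the box has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d ' ' -f 1
  else
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  fi
}

# ca_bundle_ok FILE EXPECTED_SHA256
# Exit 0 only if FILE is non-empty and its digest matches EXPECTED_SHA256
# (compared case-insensitively, since tools differ in hex case).
ca_bundle_ok() {
  [ -s "$1" ] || return 1
  [ "$(sha256_of "$1" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# acme_tls_ok BUNDLE URL
# The only check that needs the network: does curl accept the ACME server's
# certificate with this bundle, without resorting to --insecure?
acme_tls_ok() {
  curl -sS --cacert "$1" -o /dev/null --max-time 10 "$2"
}
```

If ca_bundle_ok fails, do not "fix" it by lowering curl's verification; fetch the bundle again and compare the digest again. A mismatch means either a corrupted download or a file that is no longer the one the curl project published, and neither should become your trust root.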

At this point, I was getting an error every subsequent time I ran the script. It recommended I set FORCE=1 if I wanted to rerun the process. I've added that environment variable to the call, as shown below.

$ CURL_CA_BUNDLE=~/certs/cacert.pem FORCE=1 le issue
Creating account key
Use default length 2048
Account key exists, skip
Skip register account key
Creating domain key
Use length 2048
Creating csr
Verify each domain
Getting token for
chown: /www/mysite/htdocs/letsencrypt/ is an unknown username. error:{"type":"http-01","status":"valid","uri":
OK, we've made progress. However, the script stops on this "Verify error," as shown above. This one took me a while to resolve. I had to add many echo statements to the script to learn why it was failing. It turns out there was an issue with how the regular expression on the egrep command was written. Once I figured that out, I went ahead and forked the GitHub project, made my change, and issued a pull request. You can see my changes here. My pull request was accepted by the author of the parent repository, and further questions were asked to learn if there was more they could do to facilitate this running on IBM i. You can see the full transcript here.

Now that the fix for egrep is in place, it's time to run the command again.

$ CURL_CA_BUNDLE=~/certs/cacert.pem FORCE=1 le issue /www/mysite/htdocs/letsencrypt
Creating account key
Use default length 2048
Account key exists, skip
Registering account
Creating domain key
Use length 2048
Creating csr
Verify each domain
Getting token for
chown: /www/mysite/htdocs/letsencrypt/ is an unknown username.
Verify finished, start to sign.
Cert success.
.....contents omitted for privacy...
Your cert is in /home/AARON/.le/
The intermediate CA cert is in /home/AARON/.le/
And the full chain certs is there: /home/AARON/.le/

Victory! The certificate has been issued and is on my IBM i. Before moving on, note where everything landed: the account key, the domain's private key, and the certificates all live under /home/AARON/.le, so that directory needs to be readable only by the profile that runs the script and, later, by whatever profile Nginx uses to load the key. The last step is to set up Nginx for SSL. The word count of this article is already getting long, so that will be a topic for another day!

In conclusion, here is what you'd need to do to use this open-source project yourself. Since my pull requests were accepted by the parent repo, you shouldn't have the cron or egrep issues to contend with. Instead, you will just need to obtain the GitHub source, obtain the necessary programs (e.g., a GNU grep that supports -o) via IBM i Chroot's pkg_perzl_utils.lst, and obtain the cacert.pem CA bundle.

If you have any specific questions, please let me know in the comments.

Aaron Bartell

Aaron Bartell is Director of IBM i Innovation for Krengel Technology, Inc. Aaron facilitates adoption of open-source technologies on IBM i through professional services, staff training, speaking engagements, and the authoring of best practices within industry publications and www.litmis.com. With a strong background in RPG application development, Aaron covers topics that enable IBM i shops to embrace today's leading technologies, including Ruby on Rails, Node.js, Git for RPG source change management, and RSpec for unit testing RPG. Aaron is a passionate advocate of vibrant technology communities and the corresponding benefits available for today's modern application developers. Connect with Aaron via email.

Aaron lives with his wife and five children in southern Minnesota. He enjoys the vast amounts of laughter that having a young family brings, along with camping and music. He believes there's no greater purpose than to give of our life and time to help others.


