This repository explains how to get a free valid and publicly signed certificate (p12) from Let's Encrypt by using their certbot script. The example I have below is using the certbot DNS challenge extension to generate the certificate.

Download the required packages:

sudo apt install -y python-is-python3 python3 certbot; \
wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py; \
chmod +x acme-dns-auth.py; \
sudo mv acme-dns-auth.py /etc/letsencrypt/

Wild card certificate:

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.domain.com

FQDN certificate:

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d fqdn.domain.com

You will see the following message asking you to add a CNAME record to your zone.

Add the CNAME record and wait for about 60 seconds before hitting enter. You can visit https://nslookup.io to validate that your record propagated world wide.

[!info] There is more information about each certificate file/extension format in the following file /etc/letsencrypt/live/<domain-name>/README.

You will see the output in the screenshot shown above if the certificate request is successful. The certs will be stored in /etc/letsencrypt/live/<domain-name>/.

openssl version

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out domain.pfx

Try this first:

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out domain.pfx

If the above does not work try this:

[!danger] Using the legacy option to export a full chain is not recommended. Try this as a last resort option.

openssl pkcs12 -export -legacy -in fullchain.pem -inkey privkey.pem -out domain.pfx