

Let's Encrypt

https://letsencrypt.org/ offers free, signed SSL certificates that are valid for 90 days and trusted by browsers, just like a paid certificate signed by any other CA.

Because the certificate is valid only for 90 days, it is important to use the scripted automation to authorize and renew the certificate.

1. If the letsencrypt command is not available in your package manager, use the letsencrypt-auto command by installing it locally.

Your home directory needs to be /root, so use 'sudo -i' or 'su -'; otherwise the pip step inside letsencrypt-auto warns:
The directory '/home/ian/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
# cd /usr/local
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt
# ./letsencrypt-auto --help

2. Install anacron for your distro so that the renewal process can be scheduled monthly. anacron is used rather than plain cron so that the job does not run at exactly the same moment as everyone else's.

# aptitude install anacron

3. Add a monthly script to perform the renewals

# echo -e '#!/bin/bash\n\n' >> /etc/cron.monthly/letsencrypt-renew
# chmod u+x /etc/cron.monthly/letsencrypt-renew

4. Run a manual certificate authorization/installation. letsencrypt is able to modify the apache config, but my configuration was too complicated, so I modify the apache config manually later (step 6).

# /usr/local/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot --webroot-path /home/ian/public_html/braindump/dokuwiki/ -d braindump.ca -d www.braindump.ca -d braindump.mrzesty.net
Here the first -d gives the certificate its name and the name of its files under /etc/letsencrypt/live/; the later -d options are additional names (SubjectAltNames) that the certificate is valid for.
# openssl x509 -text -in /etc/letsencrypt/live/braindump.ca/cert.pem | grep -A1 Alternative
            X509v3 Subject Alternative Name: 
                DNS:www.braindump.ca, DNS:braindump.mrzesty.net, DNS:braindump.ca

5. Add your last letsencrypt certonly command to the cron.monthly shell script

# echo "!?certonly?" >> /etc/cron.monthly/letsencrypt-renew
!?certonly? is bash history expansion: it is replaced by the most recent command line containing 'certonly', i.e. the command from step 4, so run this in the same shell session.
For verification, the authorization process puts a file into the DocumentRoot which their servers attempt to retrieve:
66.133.109.36 - - [20/Dec/2015:12:27:57 -0500] "GET /.well-known/acme-challenge/j8DDJgtt26GzSSOZ5DuQGQtVuKj9ZyqJohVbP-YS1cc HTTP/1.1" 200 298 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

6. Manually configure apache to redirect non-SSL requests to the new VirtualHost where SSL is enabled.

<VirtualHost *:80>
        ServerName braindump.ca
        ServerAlias www.braindump.ca braindump.mrzesty.net

        RewriteEngine On
        RewriteRule /(.*) https://%{HTTP_HOST}/$1 [R]
</VirtualHost>

<VirtualHost *:443>
...
        SSLEngine On
        SSLCertificateFile /etc/letsencrypt/live/braindump.ca/cert.pem
        SSLCertificateChainFile /etc/letsencrypt/live/braindump.ca/chain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/braindump.ca/privkey.pem
</VirtualHost>

7. You can repeat steps 4-6 for any additional SSL certificates for other public sites on the server.

/etc/cron.monthly/letsencrypt-renew:

#!/bin/bash

/usr/local/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot --webroot-path /home/ian/public_html/braindump/dokuwiki/ -d braindump.ca -d www.braindump.ca -d braindump.mrzesty.net
/usr/local/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot --webroot-path /home/ian/public_html/MrZesty -d mrzesty.net -d www.mrzesty.net
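A hardened version of that monthly script, added here as an example and not part of the original page: it renews only when a certificate is within 30 days of expiry, checks that every requested name actually appears in the Subject Alternative Name of the new certificate, and reloads Apache only when something changed. It assumes the same letsencrypt-auto and /etc/letsencrypt/live paths as above, and that Apache is reloaded with apache2ctl graceful.

```bash
#!/bin/bash
# Added example, not from the original page. Assumed paths: letsencrypt-auto in
# /usr/local/letsencrypt, certs under /etc/letsencrypt/live, Apache reloaded with
# "apache2ctl graceful". main runs only when installed under the cron job's name,
# so the file can also be sourced to exercise the helper functions.
set -u
LE=${LE:-/usr/local/letsencrypt/letsencrypt-auto}
LIVE=${LIVE:-/etc/letsencrypt/live}
CHANGED=0

# 0 if the certificate $1 expires within $2 days (renewal is due), else 1.
renewal_due() {
    local cert=$1 days=$2
    # -checkend exits non-zero when expiry falls inside the window
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert"; then
        return 1
    fi
    return 0
}

# 0 if every host name after the cert path is listed in its Subject Alternative Name.
has_sans() {
    local cert=$1 name sans; shift
    sans=$(openssl x509 -noout -text -in "$cert" |
           grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ' | tr ',' '\n')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "DNS:$name" || return 1
    done
}

# renew WEBROOT NAME [ALTNAME...]: the first name is also the cert's directory name.
renew() {
    local webroot=$1 cert=$LIVE/$2/cert.pem name args=(); shift
    for name in "$@"; do args+=(-d "$name"); done
    if [ -f "$cert" ] && ! renewal_due "$cert" 30; then
        echo "$1: not due for renewal yet"; return 0
    fi
    "$LE" certonly --renew-by-default --webroot --webroot-path "$webroot" "${args[@]}" || return 1
    # refuse to treat the renewal as good if a requested name was silently dropped
    has_sans "$cert" "$@" || { echo "$1: SAN list incomplete" >&2; return 1; }
    CHANGED=1
}

main() {
    renew /home/ian/public_html/braindump/dokuwiki/ braindump.ca www.braindump.ca braindump.mrzesty.net
    renew /home/ian/public_html/MrZesty mrzesty.net www.mrzesty.net
    # Apache keeps serving the old certificate from memory until it is reloaded
    [ "$CHANGED" = 1 ] && apache2ctl graceful
}
case "$0" in */letsencrypt-renew) main ;; esac
```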
letsencrypt.1450752725.txt.gz · Last modified: 2020/02/13 22:55 (external edit)
