Let’s Encrypt is a free CA (certificate authority). To get a certificate from it, you have to demonstrate control over the domain via the ACME protocol. You don’t need to know much about it, because Certbot, an ACME client, will do that for you. Certbot does some handshake magic with your private key to prove to Let’s Encrypt that you really do own the domain. You will, however, need to serve the files generated by Certbot on the web, so Let’s Encrypt can access them.
What is ACME (Automated Certificate Management Environment)? In a nutshell, it is the protocol that implements the ‘handshake magic’ between Let’s Encrypt and your web server. It was designed specifically for the Let’s Encrypt service.
In the following instructions I am using the nginx web server, proxying to a docker instance on a machine in an internal network.
Certificates expire. You will get many emails before they do, but trust me, sooner or later you will really want to automate renewal. That is why I also describe using crontab to renew them every month.
Nginx
For cosmetic purposes, let’s start with an HTTP nginx config that redirects all HTTP traffic to HTTPS.
$ nano /etc/nginx/sites-available/domain.si.conf
server {
    server_name domain.si;
    listen 80;
    # Let's Encrypt follows this redirect, so the acme-challenge location in the HTTPS config still answers validation requests
    return 301 https://$host$request_uri;
}
And the HTTPS config, which serves the Certbot challenge directory and forwards everything else to the docker instance on an internal IP:
$ nano /etc/nginx/sites-available/domain.si_ssl.conf
server {
    # The original used "listen 443 spdy;" together with "ssl on;". nginx 1.9.5+ replaced spdy
    # with http2, and "ssl on;" is deprecated in favour of the ssl parameter on listen.
    listen 443 ssl http2;
    server_name domain.si;
    # Certbot writes its HTTP-01 challenge files below this path; only this location is served from /var/www/letsencrypt
    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }
    # Everything else is proxied to the docker instance on the internal network
    location / {
        proxy_pass http://192.168.1.15:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Request-Start $msec;
    }
    # Certbot keeps the current certificate and key under /etc/letsencrypt/live/<domain>/
    ssl_certificate /etc/letsencrypt/live/domain.si/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.si/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    # The trailing !RC4 removes the RC4 suites listed earlier in the string
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    ssl_session_cache shared:ssl_session_cache:10m;
}
Don’t forget to symlink both of them to sites-enabled:
$ ln -s /etc/nginx/sites-available/domain.si.conf /etc/nginx/sites-enabled/domain.si.conf
$ ln -s /etc/nginx/sites-available/domain.si_ssl.conf /etc/nginx/sites-enabled/domain.si_ssl.conf
Certbot
Install certbot-auto as per these instructions:
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x ./certbot-auto
Create the certificates in the webroot your nginx config points to. Note that /var/www/letsencrypt is not really your webroot; you’re just serving the /.well-known/acme-challenge directory from it. Run against the staging environment first (it has relaxed rate limits and issues untrusted test certificates, so you can verify the setup), then without --staging for the real certificate:
$ ./certbot-auto certonly --staging --webroot -w /var/www/letsencrypt --email "your.email@me.com" -d domain.si
$ ./certbot-auto certonly --webroot -w /var/www/letsencrypt --email "your.email@me.com" -d domain.si
Crontab
Create a script in cron’s monthly directory, from where it will be called automatically every month. Don’t give it an extension: run-parts only runs files whose names consist of letters, digits, hyphens and underscores, so a dot in the name means the script is silently skipped.
$ nano /etc/cron.monthly/renew-certificates
Paste the following:
#!/bin/bash
echo "running renew certificates"
# certbot-auto renews only certificates that are due (by default within 30 days of expiry), so calling it monthly is safe
/home/user/certbot-auto renew
# nginx must be restarted (or reloaded) to pick up the new certificate files
service nginx restart
Make it executable:
$ chmod +x /etc/cron.monthly/renew-certificates
Test it by running run-parts, which runs every script in the directory passed as its argument. Note that cron scripts run as root unless otherwise configured, so run it with sudo.
$ sudo run-parts -v /etc/cron.monthly
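As an added example (not the post's own script), here is a version of the renewal job that reports how many days are left on the certificate, calls certbot-auto only when renewal is due, and reloads nginx only if "nginx -t" accepts the config, so an unattended cron run cannot leave the site down. The certbot-auto path and the live certificate path are assumed from the configs above; openssl and GNU date are assumed to be installed.

```shell
#!/bin/bash
# Added example, not from the original post: check certificate expiry, renew
# with certbot-auto only when due, and reload nginx only after "nginx -t"
# accepts the config. Paths below are assumptions matching the configs above.
CERTBOT=/home/user/certbot-auto
CERT=/etc/letsencrypt/live/domain.si/fullchain.pem
RENEW_BEFORE_DAYS=30   # Let's Encrypt certs last 90 days; renew in the last 30

# Print the number of whole days until the certificate in $1 expires.
# openssl prints "notAfter=Mar 12 10:00:00 2026 GMT"; GNU date parses that.
cert_days_left() {
  local end_date end_epoch now_epoch
  end_date=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  end_epoch=$(date -d "$end_date" +%s)
  now_epoch=$(date +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeed (exit 0) when the certificate in $1 has fewer than $2 days left.
needs_renewal() {
  local days
  days=$(cert_days_left "$1")
  [ "$days" -lt "$2" ]
}

# Reload nginx only if the config and the new certificate files pass "nginx -t",
# so a broken config never takes the site down from an unattended cron run.
reload_nginx_if_valid() {
  if nginx -t >/dev/null 2>&1; then
    service nginx reload
  else
    echo "nginx -t failed; not reloading" >&2
    return 1
  fi
}

main() {
  if ! needs_renewal "$CERT" "$RENEW_BEFORE_DAYS"; then
    echo "$(cert_days_left "$CERT") days left on $CERT, nothing to do"
    return 0
  fi
  echo "running renew certificates"
  "$CERTBOT" renew --quiet && reload_nginx_if_valid
}

# Only renew when certbot-auto and the live cert exist on this machine, so the
# functions above can also be sourced on their own (e.g. for testing).
if [ -x "$CERTBOT" ] && [ -f "$CERT" ]; then main; fi
```

Drop it in as /etc/cron.monthly/renew-certificates in place of the script above; certbot-auto renew already skips certificates that are not due, so the expiry check mainly gives you a clear log line and a cheap way to test the script without certbot.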
One Comment
Thanks, great article.