let's encrypt

Let’s Encrypt is a free CA (certificate authority). To get a certificate from it, you have to demonstrate control over the domain via the ACME protocol. You don’t need to know much about it, because Certbot, an ACME client, will do that for you. Certbot does some handshake magic with your private key to prove to Let’s Encrypt that you really do control the domain. You will, however, need to serve the files generated by Certbot over the web, so that Let’s Encrypt can fetch them.

What is ACME (Automated Certificate Management Environment)? In a nutshell, it is the protocol that implements that ‘handshake magic’ between Let’s Encrypt and your web server. It was designed specifically for the Let’s Encrypt service.

In the following instructions I am using the nginx web server, proxying to a Docker instance on a machine in an internal network.

Certificates expire. You will get many emails before they do, but trust me, sooner or later you will really want to automate renewal. That is why I also describe using crontab to renew them every month.

Nginx

For cosmetic purposes, let’s start with an HTTP nginx config that redirects all HTTP traffic to HTTPS.

$ nano /etc/nginx/sites-available/domain.si.conf
server {
    server_name domain.si;
    listen 80;
    return 301 https://$host$request_uri;
}

And the HTTPS config, with the certbot challenge location and forwarding to the Docker container on an internal IP:

$ nano /etc/nginx/sites-available/domain.si_ssl.conf
server {
    listen      443 ssl http2;   # spdy was removed in nginx 1.9.5; http2 replaces it
    server_name domain.si;

    # Certbot writes its challenge files below this directory (see -w below).
    # `root` appends the full URI, so a request for
    # /.well-known/acme-challenge/<token> is served from
    # /var/www/letsencrypt/.well-known/acme-challenge/<token>
    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }

    location / {
        proxy_pass  http://192.168.1.15:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Request-Start $msec;
    }

    # `ssl on;` is deprecated; the `ssl` parameter on `listen` above replaces it
    ssl_certificate /etc/letsencrypt/live/domain.si/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.si/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); on a current nginx use TLSv1.2 TLSv1.3
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    ssl_session_cache shared:ssl_session_cache:10m;
}

Don’t forget to symlink both of them to sites-enabled:

$ ln -s /etc/nginx/sites-available/domain.si.conf /etc/nginx/sites-enabled/domain.si.conf
$ ln -s /etc/nginx/sites-available/domain.si_ssl.conf /etc/nginx/sites-enabled/domain.si_ssl.conf

Certbot

Install certbot-auto as per these instructions:

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x ./certbot-auto

Create certificates using the webroot pointed to by your nginx config. Note that /var/www/letsencrypt is not really your webroot; you’re just serving the /.well-known/acme-challenge directory from it. The first command runs against Let’s Encrypt’s staging environment as a dry run; the second issues the real certificate:

$ ./certbot-auto certonly --staging --webroot -w /var/www/letsencrypt --email "your.email@me.com" -d domain.si
$ ./certbot-auto certonly --webroot -w /var/www/letsencrypt --email "your.email@me.com" -d domain.si

Crontab

Create a script in cron’s monthly directory, from where it will automatically be called every month. Don’t give it an extension: run-parts, which cron uses to execute that directory, skips file names containing a dot.

$ nano /etc/cron.monthly/renew-certificates

Paste the following:

#!/bin/bash

echo "running renew certificates"
# renew only touches certificates that are within 30 days of expiry,
# so running this monthly is enough for 90-day Let's Encrypt certificates
/home/user/certbot-auto renew
# restart nginx so it picks up the renewed certificate files
service nginx restart

Make it executable:

$ chmod +x /etc/cron.monthly/renew-certificates

Test it by running run-parts, which executes every script in the directory passed as its argument. Note that cron scripts run as root unless configured otherwise, so run it with sudo.

$ sudo run-parts -v /etc/cron.monthly
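Two things in this setup fail silently when they are wrong: the challenge directory nginx serves must be the one certbot writes into (the `root` directive appends the full URI, `alias` would not), and the cron script name must be one run-parts will accept. The following pre-flight script is an added example, not part of the original post, and assumes the nginx `location /.well-known/acme-challenge { root <webroot>; }` block shown above.

```bash
#!/bin/bash
# Pre-flight checks for the setup above (added example, not part of the post).
# Assumption: nginx serves /.well-known/acme-challenge with `root <webroot>`,
# so the URI /.well-known/acme-challenge/<token> maps to the file
# <webroot>/.well-known/acme-challenge/<token>, which is exactly where
# `certbot-auto certonly --webroot -w <webroot>` writes its challenge files.
set -u

# File nginx resolves for a URI under a `root` directive: root + full URI.
# (With `alias` the location prefix is stripped instead, a common misconfig.)
nginx_root_path() {
    local webroot=$1 uri=$2
    printf '%s%s\n' "${webroot%/}" "$uri"
}

# Drop a throw-away token where certbot would, confirm that the path nginx
# would serve is that same file, then clean up. Returns 0 if the mapping holds.
preflight_webroot() {
    local webroot=$1 rc=1
    local token="preflight-$$"                 # constructed, not a real ACME token
    local dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf 'ok\n' > "$dir/$token" || return 1
    local served
    served=$(nginx_root_path "$webroot" "/.well-known/acme-challenge/$token")
    if [ -r "$served" ] && [ "$(cat "$served")" = "ok" ]; then
        rc=0
    fi
    rm -f "$dir/$token"
    return "$rc"
}

# run-parts only runs files whose names match ^[a-zA-Z0-9_-]+$, which is why
# /etc/cron.monthly/renew-certificates must not carry a .sh extension.
runparts_name_ok() {
    case $1 in
        ''|*[!a-zA-Z0-9_-]*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Usage: ./preflight /var/www/letsencrypt
if [ -n "${1:-}" ]; then
    if preflight_webroot "$1"; then echo "webroot mapping OK"; else echo "webroot mapping BROKEN"; fi
    runparts_name_ok renew-certificates && echo "cron script name OK"
fi
```

Run it as the user certbot will run as, so that the write into the challenge directory exercises the same permissions the real renewal will need.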
