
Last week Let’s Encrypt went out the door with a public beta, and from now on anyone can get a free SSL/TLS certificate for their website. No more complaining about the cost of setting up SSL.

Let’s Encrypt is based on a new internet protocol called ACME (Automated Certificate Management Environment), a way to automate the hassle out of creating and renewing X.509 certificates. Check out more by reading their technical overview.

Let’s talk a bit about how it works on your end. Let’s Encrypt does the hard work and you basically have to do two things: 1. set up a client, 2. configure your web server.

Here we’ll work with simp_le as the client (from the man behind the official client) and Nginx as the web server. It’s a 5 minute one-time setup, so let’s get going!

1. Install client

git clone https://github.com/kuba/simp_le /opt/simp_le
cd /opt/simp_le
sudo ./bootstrap.sh
./venv.sh
. venv/bin/activate
ln -s $(pwd)/venv/bin/simp_le /usr/local/bin/simp_le

Clone the client to /opt/ and install it via the provided scripts. bootstrap.sh installs all needed system dependencies. venv.sh creates a virtualenv and installs both the needed Python dependencies and simp_le itself, and the final symlink puts the simp_le binary on your PATH.

2. Configure web server

To verify that you are the owner of the domain in the certificate request, the client writes a challenge file under a well-known URI and Let’s Encrypt’s validation servers fetch it over plain HTTP (the http-01 challenge). The URL will look something like http://jacksoncage.se/.well-known/acme-challenge/lBiXU3V_SfzGj6rxuCG49v_jB1IA1YBU8H5mu0vXso4

That’s why we need to configure our web server to serve those requests from the directory the client writes to. Note that nginx appends the full request URI to root, so the token is looked up at /tmp/letsencrypt/.well-known/acme-challenge/<token>, which is exactly where simp_le’s --default_root writes it.

Put

location ^~ /.well-known/acme-challenge/ {
  default_type "text/plain";
  root         /tmp/letsencrypt/;
}

location = /.well-known/acme-challenge/ {
  return 404;
}

into /etc/nginx/letsencrypt-acme.conf

and include the config in your server config. It should look something like the block below. The ^~ prefix location wins over the catch-all location /, so challenge requests are answered over plain HTTP instead of being redirected to HTTPS (a 301 on the challenge URL would make validation fail).

server {
  listen              80;
  listen              [::]:80;
  server_name         www.jacksoncage.se jacksoncage.se;

  include /etc/nginx/letsencrypt-acme.conf;

  location / {
    return              301 https://$server_name$request_uri;
  }
}
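Before running the client it is worth proving that nginx serves a file from that location the way the ACME validator will fetch it. The check below is an added example for this post, not code from the original article or from simp_le; it assumes the nginx root of /tmp/letsencrypt/ from the config above and a host reachable on port 80, and uses curl. The function names are the example’s own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check that the
# challenge location serves files the way simp_le and the CA expect.
# Assumes `root /tmp/letsencrypt/` under /.well-known/acme-challenge/.

# nginx's `root` appends the full request URI to the directory, so a
# request for /.well-known/acme-challenge/<token> is looked up at
# <root>/.well-known/acme-challenge/<token>. simp_le's --default_root
# writes the token file to exactly that path.
challenge_path() {
    # $1 = webroot (the nginx `root`), $2 = token
    printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# Write a throw-away token file where nginx will look for it.
write_probe() {
    # $1 = webroot, $2 = token, $3 = body to serve
    path=$(challenge_path "$1" "$2") || return 1
    mkdir -p "$(dirname "$path")" || return 1
    printf '%s' "$3" > "$path"
}

# Fetch the token over plain HTTP without following redirects: a 301 here
# means the catch-all `location /` swallowed the request, and Let's
# Encrypt's validator would fail the same way.
probe_http() {
    # $1 = hostname, $2 = token, $3 = expected body
    url="http://$1/.well-known/acme-challenge/$2"
    out=$(curl -sS --max-time 10 -w '\n%{http_code}' "$url") || return 1
    code=$(printf '%s\n' "$out" | tail -n 1)
    body=$(printf '%s\n' "$out" | sed '$d')
    if [ "$code" != "200" ]; then
        echo "probe: $url returned HTTP $code (expected 200)" >&2
        return 1
    fi
    if [ "$body" != "$3" ]; then
        echo "probe: $url served unexpected content" >&2
        return 1
    fi
}

# Full check: write a random token, fetch it, clean up afterwards.
acme_preflight() {
    # $1 = webroot, $2 = hostname
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    write_probe "$1" "$token" "ok-$token" || return 1
    probe_http "$2" "$token" "ok-$token"
    status=$?
    rm -f "$(challenge_path "$1" "$token")"
    return $status
}

# Usage: sh acme_preflight.sh --run /tmp/letsencrypt www.jacksoncage.se
if [ "${1:-}" = "--run" ]; then
    acme_preflight "$2" "$3" && echo "challenge path OK"
fi
```

Run it once per hostname you will pass to -d; if it reports a 301, the challenge location is not being matched ahead of the redirect.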

3. Create certificate

We’re now ready to get our certificate. It’s as easy as running a command. Two things worth adding in practice: pass --email so the CA has a way to contact you about expiring certificates (the run below skips it, hence the warning in the log), and pass a second -d jacksoncage.se if the bare domain should be covered by the same certificate, since only the names given with -d end up in it.

mkdir /tmp/letsencrypt /etc/ssl/jacksoncage_se
cd /etc/ssl/jacksoncage_se
simp_le -d www.jacksoncage.se --default_root /tmp/letsencrypt -f key.pem -f fullchain.pem -f account_key.json
2015-12-09 20:22:36,092:INFO:simp_le:950: Generating new account key
2015-12-09 20:22:38,722:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-09 20:22:38,900:WARNING:simp_le:974: --email was not provided; ACME CA will have no way of contacting you.
2015-12-09 20:22:38,901:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-09 20:22:39,098:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-09 20:22:39,313:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): letsencrypt.org
2015-12-09 20:22:39,883:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-09 20:22:40,141:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-09 20:22:40,390:INFO:requests.packages.urllib3.connectionpool:207: Starting new HTTP connection (1): www.jacksoncage.se
2015-12-09 20:22:40,392:INFO:simp_le:1052: www.jacksoncage.se was successfully self-verified
2015-12-09 20:22:40,409:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-09 20:22:40,628:INFO:simp_le:1060: Generating new certificate private key
2015-12-09 20:22:43,539:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-09 20:22:43,768:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-09 20:22:44,028:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-09 20:22:44,212:INFO:simp_le:335: Saving key.pem
2015-12-09 20:22:44,213:INFO:simp_le:335: Saving fullchain.pem
2015-12-09 20:22:44,217:INFO:simp_le:335: Saving account_key.json

The certificate is now created and ready to use; the files land in the current directory, so keep running simp_le from /etc/ssl/jacksoncage_se. Point the ssl_certificate and ssl_certificate_key directives in your HTTPS server block at /etc/ssl/jacksoncage_se/fullchain.pem and /etc/ssl/jacksoncage_se/key.pem and reload nginx.

service nginx reload

and we get a valid signed cert, YEAH!

www.jacksoncage.se cert via Let's Encrypt
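Before reloading nginx it pays to confirm that the files simp_le wrote are consistent. The check below is an added example, not code from the original post or from simp_le, and relies only on the openssl CLI. It assumes the step 3 layout (key.pem and fullchain.pem in /etc/ssl/jacksoncage_se); the function names and the optional CA_FILE variable are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the files
# simp_le wrote before pointing nginx at them. Needs only the openssl CLI.
# Assumes key.pem and fullchain.pem from step 3.

# The certificate's public key must be the one derived from key.pem,
# otherwise nginx refuses to load the pair ("key values mismatch").
cert_key_match() {
    # $1 = certificate (PEM), $2 = private key (PEM)
    from_cert=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    from_key=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$from_cert" = "$from_key" ]
}

# Browsers match the host against subjectAltName, not the CN, so that is
# what we check. The -text dump lists SAN entries as "DNS:name, DNS:name".
cert_covers() {
    # $1 = certificate, $2 = hostname
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx "DNS:$2"
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    # $1 = certificate, $2 = days
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Verify the leaf against the intermediates bundled in fullchain.pem.
# Without a CA file the system trust store is used; the second argument
# pins a specific root (or, for a self-signed test cert, the cert itself).
chain_verifies() {
    # $1 = fullchain (leaf first, then intermediates), $2 = optional CA file
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$1" "$1" >/dev/null 2>&1
    fi
}

# The private key must not be readable by group or others; nginx reads it
# as root before dropping privileges, so 0600 root:root is enough.
key_is_private() {
    # $1 = key file
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check and report; returns non-zero if any failed.
# Set CA_FILE to pin the root used for chain verification.
precheck() {
    # $1 = certificate, $2 = key, remaining args = hostnames that must be covered
    cert=$1; key=$2; shift 2
    rc=0
    check() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; rc=1; fi; }
    check cert_key_match "$cert" "$key"
    check chain_verifies "$cert" ${CA_FILE:+"$CA_FILE"}
    check cert_valid_for_days "$cert" 30
    check key_is_private "$key"
    for name in "$@"; do
        check cert_covers "$cert" "$name"
    done
    return $rc
}

# Usage: sh certcheck.sh --run fullchain.pem key.pem www.jacksoncage.se
if [ "${1:-}" = "--run" ]; then
    shift
    precheck "$@"
fi
```

The 30 day validity threshold matches the point at which the renewal in step 4 is expected to have replaced the certificate; a FAIL there after a cron run means the renewal is silently not happening.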

4. Run on a schedule

Let’s Encrypt certificates expire after 90 days, so automating the renewal process is a must, and hey, that’s the entire idea of ACME. So we’ll create a bash script that is triggered by cron.

#!/bin/bash

# Same directory and same command as the first run in step 3.
# /tmp may be wiped at boot, and cron's PATH usually lacks /usr/local/bin,
# hence the mkdir -p and the absolute path to simp_le.
mkdir -p /tmp/letsencrypt
cd /etc/ssl/jacksoncage_se || exit 1
/usr/local/bin/simp_le -d www.jacksoncage.se \
        --default_root /tmp/letsencrypt \
        -f key.pem \
        -f fullchain.pem \
        -f account_key.json && \
  service nginx reload

Put that script into /usr/local/bin/letsencrypt_renew and make it executable. simp_le is designed to renew only when needed: it inspects the existing fullchain.pem and exits 1 without touching the CA while the certificate still has more than 30 days left (the --valid_min default), exits 0 after writing a new one, and exits 2 on error. That’s why we can run the same command for both the first run and renewals, and why the && reloads nginx only when a new certificate was actually issued. Add it to the crontab with crontab -e to run once a week.

0 1 * * 1 /usr/local/bin/letsencrypt_renew 2>> /var/log/letsencrypt_renew.log

Final words

Don’t forget to verify that your SSL certificate and your nginx configuration are working correctly via the SSL Server Test (ssltest) from Qualys.


Love Billingskog Nyberg



jacksoncage

A blog about sysadmin, devops, automation, containers and awesomeness!
