Let's Encrypt

From Gentoo Wiki
certbot, previously known as the Let's Encrypt client, is a free, automated, and open client for the Let's Encrypt certificate authority.

From the official website: "Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands."[1]

Preliminary

Point an external IP address at a web server reachable over HTTP (port 80/TCP) and HTTPS (port 443/TCP), and set up DNS for it. This is important: you have to prove that you control the domain (and the IP address it resolves to). Dynamic DNS can be used if necessary.

Installation

certbot

Emerge

Tip
The ebuild for the official client can be tricky to set up. It is helpful to read the official documentation and official installation instructions (select Gentoo from the Operating System dropdown) before proceeding with this article.
root #emerge --ask app-crypt/certbot

acme-tiny (optional)

app-crypt/acme-tiny is a short, auditable Python script which avoids a lot of the bloat included in the official client.

Prerequisites

It is currently available in the NP-Hardass' overlay:

root #layman -a np-hardass-overlay

Emerge

root #emerge --ask app-crypt/acme-tiny

Configuration

acme-tiny

The acme-tiny documentation[1] is the best place to look for the most up-to-date information; the steps are summarized below:

Make a directory for challenges to be created in:

root #mkdir /var/www/localhost/acme-challenge/

Add this to the Apache HTTP vhost (the port 80 vhost):

FILE /etc/apache2/vhosts.d/00_default_vhost.conf: Challenge alias in Apache
Alias /.well-known/acme-challenge/ /var/www/localhost/acme-challenge/

<Directory /var/www/localhost/acme-challenge/>
       AllowOverride None
       Require all granted
</Directory>

Set these in the Apache HTTPS vhost (the port 443 vhost):

FILE /etc/apache2/vhosts.d/00_default_ssl_vhost.conf: SSL certificate settings for Apache
SSLCertificateFile /var/lib/letsencrypt/chained.pem
SSLCertificateKeyFile /var/lib/letsencrypt/domain.key

Make a directory to hold the various files related to Let's Encrypt:

root #mkdir /var/lib/letsencrypt
root #cd /var/lib/letsencrypt

Create an account key, a domain key and a CSR (replace www.example.co.uk with your host name):

root #openssl genrsa 4096 > account.key
root #openssl genrsa 4096 > domain.key

Register the account key and create the certificate files. Check which intermediate certificate Let's Encrypt currently uses and save it as intermediate.pem before building the chain:

root #/usr/bin/acme-tiny --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/localhost/acme-challenge/ > ./signed.crt
root #cat signed.crt intermediate.pem > chained.pem

Reload the web server configuration:

root #service apache2 reload

or

root #service nginx reload

or

root #service lighttpd reload
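The challenge directory and the Alias in the port 80 vhost exist so that the ACME server can fetch an http-01 key authorization from /.well-known/acme-challenge/<token> before it signs the CSR. The following added example (not acme-tiny's own code and not part of the original page) shows how that key authorization is derived (RFC 7638 JWK thumbprint, RFC 8555 key authorization) and how it is placed in the challenge directory, including the token check that keeps a malformed token from being used as a path outside that directory. The JWK, the token and the temporary directory are constructed for the demonstration; a real account.key would supply the actual n and e values.

```python
import base64
import hashlib
import json
import os
import re
import tempfile

# http-01 tokens are base64url without padding (RFC 8555, section 8.3), so a
# valid token can never contain '/', '..' or any other path character.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def valid_token(token: str) -> bool:
    """True only if the token is plain base64url and safe to use as a file name."""
    return TOKEN_RE.fullmatch(token) is not None


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA public JWK: SHA-256 over the canonical
    JSON of the required members only ('e', 'kty', 'n'), keys sorted,
    no whitespace. Extra members such as 'alg' must not change the result."""
    required = {"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555, section 8.1: keyAuthorization = token || '.' || thumbprint(jwk)."""
    if not valid_token(token):
        raise ValueError("token is not base64url; refusing to use it")
    return token + "." + jwk_thumbprint(jwk)


def write_challenge(acme_dir: str, token: str, jwk: dict) -> str:
    """Write the key authorization to <acme_dir>/<token>, which the Alias in
    the port 80 vhost serves as /.well-known/acme-challenge/<token>."""
    body = key_authorization(token, jwk)  # rejects malformed tokens first
    path = os.path.join(acme_dir, token)
    # Second line of defence: the file must resolve to a direct child of acme_dir.
    if os.path.dirname(os.path.abspath(path)) != os.path.abspath(acme_dir):
        raise ValueError("challenge path escaped the challenge directory")
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    return path


# Constructed sample JWK: 'n' is a placeholder string, not a real 4096-bit modulus.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
# Constructed token with the shape of a real http-01 token.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo() -> dict:
    """Write the sample challenge into a temporary directory and report what
    the ACME server would fetch from /.well-known/acme-challenge/<token>."""
    with tempfile.TemporaryDirectory() as acme_dir:
        path = write_challenge(acme_dir, SAMPLE_TOKEN, SAMPLE_JWK)
        with open(path, encoding="ascii") as fh:
            served = fh.read()
        return {"file": os.path.basename(path), "served": served}


if __name__ == "__main__":
    print(demo())
```

The file body is the only thing the ACME server compares; the web server needs no special MIME handling, which is why a plain Alias plus `Require all granted` is enough. Because the token is validated against the base64url alphabet before any path is built, a token containing `..` or `/` is rejected rather than written somewhere under the document root.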

Sample renewal script:

FILE /usr/local/bin/renew-le-cert.sh: Let's Encrypt certificate renewal script
#!/bin/sh
# Abort on the first failing command so a failed signing never produces a broken chained.pem.
set -e
cd /var/lib/letsencrypt
/usr/bin/acme-tiny --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/localhost/acme-challenge/ > ./signed.crt.new
mv ./signed.crt.new ./signed.crt
# Fetch the intermediate certificate (check which one Let's Encrypt currently issues from).
wget -O ./intermediate.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
cat ./signed.crt ./intermediate.pem > ./chained.pem
service apache2 reload

Add a monthly cron job:

FILE CRONJOB
# Renew Lets Encrypt certificate
0 0 1 * * /usr/local/bin/renew-le-cert.sh 2>> /var/log/acme_tiny.log
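A renewal that fails part-way must not replace the certificate the server is currently serving, and it must never hand the web server a chained.pem that is missing either the leaf or the intermediate. The following added example (not acme-tiny's or the page's own code) is the same renew-and-chain flow in Python with the ACME step injected as a callable, so the failure path can be exercised offline. It assumes the /var/lib/letsencrypt layout above (account.key, domain.csr, signed.crt, intermediate.pem, chained.pem) and that domain.csr was generated from domain.key beforehand; the PEM blocks, the failing signer and the temporary directories are constructed.

```python
import os
import re
import subprocess
import tempfile
from typing import Callable

# One PEM certificate block; the body may only contain base64 characters.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE-----\n?"
)

# signer(account_key, csr, acme_dir) -> PEM text of the freshly signed certificate
Signer = Callable[[str, str, str], str]


def count_pem_certs(text: str) -> int:
    """Number of well-formed PEM certificate blocks in text."""
    return len(PEM_CERT.findall(text))


def acme_tiny_signer(account_key: str, csr: str, acme_dir: str) -> str:
    """Production signer: run acme-tiny exactly as the page's script does."""
    result = subprocess.run(
        ["/usr/bin/acme-tiny", "--account-key", account_key,
         "--csr", csr, "--acme-dir", acme_dir],
        check=True, capture_output=True, text=True)
    return result.stdout


def atomic_write(path: str, data: str) -> None:
    """Write via a temp file in the same directory and rename, so the web
    server never reads a half-written certificate file on reload."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".renew-")
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(data)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def renew(le_dir: str, acme_dir: str, intermediate_pem: str,
          signer: Signer, reload: Callable[[], None]) -> bool:
    """Renew signed.crt and chained.pem under le_dir. Returns True only if
    new files were installed and the web server reload was requested."""
    try:
        signed = signer(os.path.join(le_dir, "account.key"),
                        os.path.join(le_dir, "domain.csr"), acme_dir)
    except (OSError, subprocess.CalledProcessError):
        return False  # live files untouched
    # Refuse to install output that is not a certificate, and insist the
    # intermediate is present too; otherwise chained.pem would be incomplete.
    if count_pem_certs(signed) < 1 or count_pem_certs(intermediate_pem) < 1:
        return False
    if not signed.endswith("\n"):
        signed += "\n"  # keep the next BEGIN line on its own line
    atomic_write(os.path.join(le_dir, "signed.crt"), signed)
    atomic_write(os.path.join(le_dir, "intermediate.pem"), intermediate_pem)
    atomic_write(os.path.join(le_dir, "chained.pem"), signed + intermediate_pem)
    reload()
    return True


# Constructed PEM blocks: the bodies are placeholders, not real certificates.
FAKE_LEAF = "-----BEGIN CERTIFICATE-----\nTEFBRi1QTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n"
FAKE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRFLVBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n"


def demo() -> dict:
    """Run one good renewal and one failed renewal against a temporary
    /var/lib/letsencrypt layout; no network and no acme-tiny involved."""
    reloads = []
    with tempfile.TemporaryDirectory() as le_dir, tempfile.TemporaryDirectory() as acme_dir:
        ok_first = renew(le_dir, acme_dir, FAKE_INTERMEDIATE,
                         lambda *_: FAKE_LEAF, lambda: reloads.append("reload"))
        with open(os.path.join(le_dir, "chained.pem"), encoding="ascii") as fh:
            chain_before = fh.read()

        def failing_signer(*_):
            raise subprocess.CalledProcessError(1, "acme-tiny")

        ok_second = renew(le_dir, acme_dir, FAKE_INTERMEDIATE,
                          failing_signer, lambda: reloads.append("reload"))
        with open(os.path.join(le_dir, "chained.pem"), encoding="ascii") as fh:
            chain_after = fh.read()
    return {"first_ok": ok_first, "chain_certs": count_pem_certs(chain_before),
            "second_ok": ok_second, "chain_intact": chain_before == chain_after,
            "reloads": len(reloads)}


if __name__ == "__main__":
    print(demo())
```

Run from the monthly cron job with `acme_tiny_signer` and a `reload` that calls `service apache2 reload`, the function behaves like the shell script on success; on a failed signing it returns False without touching signed.crt or chained.pem and without reloading, so the server keeps serving the still-valid old certificate until the next run.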

Usage

certbot

Invocation

user $certbot --help
letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

  (the apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  (nginx support is experimental, buggy, and not installed by default)
  --webroot         Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic]    print this message, or detailed help on a topic;
                        the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, install, nginx, apache, standalone, webroot, etc)

acme-tiny

For those who are not interested in using scripts, or who want to configure things manually the first time, the author of acme-tiny provides a web page with step-by-step instructions and JavaScript helpers that walk you through setting up your certificates. The guide can be found on the Get HTTPS for Free website.

See also

  • Apache - The most popular HTTP server used on the Internet.
  • Nginx - A small, robust, and high-performance HTTP server and reverse proxy.
  • Lighttpd - a very lightweight HTTP server.

External resources

  • Manual installation - In the event that manual installation is preferred. Note: Portage will not track the installation if the Let's Encrypt client is installed manually; this is not recommended by Gentoo developers.

References