For those in a rush: this blog post shows you how to use free SSL certificates and have then renew perpetually (in theory) so they are near zero hassle to use.
It is always nice to automate things. This saves you a lot of time and lets you concentrate on the things that actually matter and make a difference.
Renewing SSL certificates is one of those very important things that you don’t want to screw up and where, if you make a mistake, it could cost you dearly in terms of downtime or even money. Traditionally SSL certificates have been quite expensive so people have used HTTPS on their websites sparingly as a result.
Enter LetsEncrypt.
The Electronic Frontier Foundation; or EFF, came up with a great solution to this recurring problem. They became a certificate authority and provide the tools to, easily, automate the process of generation, signing, delivery and verification.
This project helps you encrypt communication between clients and servers via HTTPS. It is a necessary but not sufficient start in helping you achieve online anonymity; though not the only one required.
Best of all, the LetsEncrypt certificates are free which is very neat. The downside is they are only valid for a maximum of three months then need renewing. At CloudSigma we use these certificates but we have automated the renewal process so they are just as convenient as commercially paid for certificates to work with.
Here’s how to automate your deployment of these awesome certificates and, forget about this renewal overhead safely… at least for a while.
Installation of Certbot
First of all, you need to install the required software. It is easy enough in any major distros:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# CentOS7 / RHEL7 yum install certbot # Fedora 23 or > dnf install certbot # Debian 8 apt-get install certbot -t jessie-backports # Ubuntu 14.04/16.04 sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install certbot |
Configuration of NginX
Now, since NginX is not fully supported at the time of writing, we need to configure certbot to do all we want it to do and not suffer isues.
First, we will setup /etc/letsencrypt/cli.ini; which will contain all the default settings we want.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
# create configuration dir mkdir -m 775 /etc/letsencrypt # create configuration file cat < /etc/letsencrypt/cli.ini # Settings ## General no-redirect rsa-key-size = 4096 text = True ## Plugin authenticator = standalone installer = null standalone-preferred-challenges = tls-sni-01 ## automation agree-tos = True renew-by-default = True # Info email = me@example.tld EOF |
Please, remember to update “email” to the best email for this from your side.
Now, everytime we run certbot, it will be configured to use:
- standalone as the authenticator method
- manual installation method
- renew by default
So, the only thing left to provide is the domains. these were intentionally left out of the configuration (yes, you could add them there, if you like) and for a valid reason.
First of all, we’re using the standalone authentication method. This means that our NginX instance must be stopped so that this works. Don’t worry, it’s just a little bit of downtime depending on how many certificates you want to get.
So, next, we write the script that will renew/install the certificates for us and we will put it in: /usr/local/sbin/letsencrypt-renew; as per the Filesystem Hierarchy Standard 3.0.
|
1 2 3 4 5 6 7 8 9 10 11 |
#!/usr/bin/env bash # stop NginX systemctl stop nginx # renew certificates certbot -d example.tld -d www.example.tld -d downloads.example.tld -d mail.example.tld certbot -d someother.tld -d www.someother.tld -d webmail.someother.tld # start NginX systemctl start nginx |
Now, as you can see, you need to specify each and every sub-domain you will be using for a domain. The limit right now is 100 sub-domains per domain.
Keep in mind that:
- The first -d will determine the name of the certificate file. So, in my case, I will end up with example.tld.pem and someother.tld.pem.
- You can have 100 sub-domains in a domain; but you can, always, generate separate certificates. This means you can stick to one -d per call and you will get as many separate cert files as you need.
- It is much faster to have as many bundled certificates in one file than have many cert files.
- You can use these certificates for email.
- Beware of doing this too often. You will get “rate-limited” if you do ;D.
Now, the cron job!
|
1 2 3 4 5 |
# invoke crontab as root crontab -e # do this on a weekly basis. You've got 90 days so you could try @montly as well. @weekly /usr/local/sbin/letsencrypt-renew |
Done.
Summary
Here’s what we did:
- We installed certbot.
- We configured it with some sane defaults.
- We created a script that stops NginX, renews our certificates and starts NginX again (please note this only works only systemd-enabled systems)
- We created a cron job to run that script on a monthly basis (yes the certificates are valid for three months but with a monthly renewal you leave a two month buffer in case the process fails before the current certificate will expire)
References
- https://letsencrypt.org/docs/rate-limits/
- http://refspecs.linuxfoundation.org/FHS_3.0/fhs/index.html
- How to Deploy your Virtual Infrastructure at CloudSigma with Terraform - March 15, 2021
- Testing out rook/EdgeFS + NFS (RTRD) on Minikube - May 7, 2020
- Automate LetsEncrypt SSL Certificate Renewals for NginX - May 22, 2017
- A How-to Guide: Connect VPN Network to CloudSigma Infrastructure - July 15, 2016
- HowTo: CGroups - December 29, 2015