captainepoch's log

Let’s Encrypt certificates!

Introduction

As you may know I’m a little concern about my privacy. And you should too, because your data, your life. So, in order to provide a secure and private connection to my sites, I needed a SSL certificate, which it’s too expensive. Of course there’re free solutions, but they don’t provide a reliable SSL certificate or free wildcard support.

Then, Let’s Encrypt appeared in this game. They provide an Open Source, free, reliable SSL certificates for your websites. It’s wonderful! So, my friend Rafa and me asked for the beta (Let’s Encrypt will be relased for the public on 16th november’s week).

After the private beta period, on 3rd december Let’s Encrypt relased the Open Beta program, which you can see here.

Set up

Let’s do it!

What do you need?

In order to generate your certs, you will need some stuff:

Download the software

I, like Rafa, chose to download the software and generate all the files locally, so in your computer, you have to do:

$ git clone https://github.com/letsencrypt/letsencrypt

It contains the tools you will need to generate your certificates. Remember that certs have 90 days of lifetime, so each 3 months, more or less, you must update it!.

Usage

I changed the way I generated the last certificate, so I could do in just one line on the terminal:

$ ./letsencrypt-auto certonly --manual --email YOUR_EMAIL -d DOMAIN_1 [-d DOMAIN_2, ...]

I usually do it at my main machine with ArchLinux or in my MacBook Pro, but if you do at FreeBSD or Amazon Linux Ami, it’s the same command with the --debug flag:

$ ./letsencrypt-auto certonly --debug --manual --email YOUR_EMAIL -d DOMAIN_1 [-d DOMAIN_2, ...]

Let’s going to explain this:

This will setup the virtual environment that letsencrypt will use in all future executions. Once that’s done, you’re asked to run a few commands on the server in order to get the auth to validate the cert(s). Follow the instructions to put the token into your server, they’re clear.

After that you need to release the 80 port. Why? Because all the petitios to validate the cert will be done there. So:

$ sudo service nginx stop

Obviously, you’ll have a little downtime. But no worries! It’s for your users, and that’s the most important part of a website!

And then run this command (note it has to be run as root, and I still don’t know why…):

$ sudo $(command -v python2 || command -v python2.7 || command -v python2.6) -c "import BaseHTTPServer, SimpleHTTPServer;s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler);s.serve_forever()"

Then, in Terminal, press Enter after doing the steps Let’s Encrypt told you, et voil√°!, authenticated and certificate generated (do the same steps for every domain you put, it’s important because each domain generate its own token). The server is not needed anymore, so simply interrupt its execution.

Copying to the server

Given that I am generating the certificate in my own computer instead of in the server itself, I have to copy things around. The letsencrypt tool tells you that your certificates live in /etc/letsencrypt/live/YOUR_DOMAIN. The files there are actually symbolic links to /etc/letsencrypt/archive/YOUR_DOMAIN/fileX.pem.

Now, I’m just going to copy two files to the server, because once you put 3 or 4 domains, they use the same certificate. Here is the files you have to copy to the server:

fullchain.pem ~> /etc/ssl/adol_pw.pem
privkey.pem ~> /etc/ssl/adol_pw.key

Nginx setup

I don’t use Apache, so I don’t know how to make it work there

Edit the file you want to incorporate the SSL certificate (in my case it’s main’s website config):

server {
    listen 80;
    server_name adol.pw;

    return 301 https://$host$request_uri$is_args$args;
}

server {
    listen 443 ssl;
    server_name adol.pw;

    ssl on;
    ssl_certificate /etc/ssl/adol_pw.pem;
    ssl_certificate_key /etc/ssl/adol_pw.key;
    ...
}

As you might see, I (like Rafa, again) chose to do a redirect if you access by http instead of https, and at ssl_certificate and ssl_certificate_key put the path for your certificate files. Now, do a:

$ sudo service nginx start

And you have now a valid, reliable and free SSL certificate!

Adding new domains

If you did everything but you forgot adding another domain, simply run everything again but with another -d DOMAIN_N flag.

Renewal

Recently I had to renew certs for the domains I registered the first time. If you try to renew with the system I posted here, it fails. A fix for that is renewing the certs by running this:

$ ./letsencrypt-auto renew --manual-public-ip-logging-ok

Why? I don’t know. But @rmed_dev told me that It doesn’t fail. If you execute without that flag, it’s going to say this:

``` 2016-02-28 08:43:21,803:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/blog.adol.pw.conf produced an unexpected error: Missing command line flag or config entry for this setting: NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you’re running letsencrypt in manual mode on a machine that is not your server, please ensure you’re okay with that.

Are you OK with your IP being logged?

(You can set this with the –manual-public-ip-logging-ok flag). Skipping. ````

Acknowledge

This tutorial is provided by Rafael aka @rmed_dev, which with his permission I publish here. I modified to adapt it to my website and improvements, by the way. Thank you for making it!

Also, thank you, Sergio for the command for FreeBSD and Amazon Linux Ami and the corrections you made to this article!

And finally, thank you, Let’s Encrypt, for making the private beta available for me. I’m waiting for the final and public release too!


UPDATE 04-DIC-2015: On 3rd december, Let’s Encrypt went to open beta for the public, so I changed many stuff here to adapt to the new commandline and the text itself.

UPDATE 09-DIC-2015: Minor fixes.

UPDATE 28-FEB-2016: added “Adding new domains” and Renewal”. Some typos.”

UPDATE 13-AUG-2016: new blog template, a few changes on the post.