Tech/Services/Let’s Encrypt

From lathama

About

Let’s Encrypt is a global Certificate Authority (CA). We let people and organizations around the world obtain, renew, and manage SSL/TLS certificates. Our certificates can be used by websites to enable secure HTTPS connections.

Let’s Encrypt offers Domain Validation (DV) certificates. We do not offer Organization Validation (OV) or Extended Validation (EV) primarily because we cannot automate issuance for those types of certificates.

Note that the push toward faster certificate automation is more interesting than the certificates being free: a website benefits from getting a new certificate every month or so.

DNS CAA

lathama.net.	CAA	0 issue "letsencrypt.org"
lathama.net.	CAA	0 iodef "mailto:security@lathama.net"

DHParameters

See Tech/HowTo/Diffie-Hellman for more info.

SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"

Apache

Apache's Alias directive lets you serve the .well-known directory from one fixed location regardless of the rest of the virtual host configuration. This lets you keep an HTTP to HTTPS redirect in place and still let certbot complete its webroot challenge. Example given:

SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH

SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

SSLHonorCipherOrder on
# SSLStrictSNIVHostCheck on
SSLCompression off

SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"

Alias /.well-known/ "/var/www/html/wellknown/.well-known/"
<Directory "/var/www/html/wellknown/">
 AllowOverride None
 Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
 Require method GET POST OPTIONS
</Directory>

Certbot

python3 /usr/local/bin/certbot certonly --webroot -w /var/www/html/wellknown/ --agree-tos --no-eff-email --email security@gringomalvado.com -d gringomalvado.com -d www.gringomalvado.com

Note that you fetch the certificate before the TLS virtual host is configured, then enable that virtual host once the certificate files exist, so Apache does not fail on missing files.

gringomalvado.com.conf

<VirtualHost *:80>
 ServerName gringomalvado.com
 ServerAlias *.gringomalvado.com
 ServerAdmin lathama@gmail.com
 DocumentRoot /var/www/html/gringomalvado.com
 ErrorLog ${APACHE_LOG_DIR}/gringomalvado.com.error.log
 CustomLog ${APACHE_LOG_DIR}/gringomalvado.com.access.log combined
 Redirect / https://gringomalvado.com/
</VirtualHost>

<VirtualHost *:443>
 ServerName gringomalvado.com
 ServerAlias *.gringomalvado.com
 ServerAdmin lathama@gmail.com
 DocumentRoot /var/www/html/gringomalvado.com
 ErrorLog ${APACHE_LOG_DIR}/gringomalvado.com.error.log
 CustomLog ${APACHE_LOG_DIR}/gringomalvado.com.access.log combined
 SSLEngine on
 SSLCertificateFile      /etc/letsencrypt/live/gringomalvado.com/cert.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/gringomalvado.com/privkey.pem
 SSLCertificateChainFile /etc/letsencrypt/live/gringomalvado.com/chain.pem
 SSLUseStapling on
 SSLStaplingResponderTimeout 5
 SSLStaplingReturnResponderErrors off
</VirtualHost>

/etc/letsencrypt/renewal/gringomalvado.com.conf

# renew_before_expiry = 30 days
version = 0.20.0
archive_dir = /etc/letsencrypt/archive/gringomalvado.com
cert = /etc/letsencrypt/live/gringomalvado.com/cert.pem
privkey = /etc/letsencrypt/live/gringomalvado.com/privkey.pem
chain = /etc/letsencrypt/live/gringomalvado.com/chain.pem
fullchain = /etc/letsencrypt/live/gringomalvado.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
installer = None
account = redacted
webroot_path = /var/www/html/wellknown,
authenticator = webroot
[[webroot_map]]
gringomalvado.com = /var/www/html/wellknown
www.gringomalvado.com = /var/www/html/wellknown
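A consistency check for the Alias rule and the webroot_map above, written as an added Python example (not part of the original page and not certbot's own tooling): it parses the renewal file and the Alias directive and reports any domain whose HTTP-01 challenge file, as certbot would write it, is not the file Apache would serve. The sample configs are constructed from the page and the token name is a placeholder.

```python
import posixpath
import re
# Constructed sample inputs mirroring the page's renewal file and Alias rule.
RENEWAL_CONF = """\
# renew_before_expiry = 30 days
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html/wellknown,
[[webroot_map]]
gringomalvado.com = /var/www/html/wellknown
www.gringomalvado.com = /var/www/html/wellknown
"""
APACHE_CONF = 'Alias /.well-known/ "/var/www/html/wellknown/.well-known/"\n'

def parse_webroot_map(conf):
    """Return {domain: webroot} from the [[webroot_map]] section of a renewal file."""
    webroots, section = {}, None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):          # [renewalparams] or [[webroot_map]]
            section = line
            continue
        if section == "[[webroot_map]]":
            key, _, value = line.partition("=")
            webroots[key.strip()] = value.strip().rstrip(",")
    return webroots

def parse_aliases(conf):
    """Return {url_prefix: filesystem_prefix} from plain Alias directives."""
    return dict(re.findall(r'^\s*Alias\s+(\S+)\s+"?([^"\s]+)"?\s*$', conf, re.M))

def served_path(url, aliases):
    """Filesystem path Apache serves for url via the longest matching Alias prefix."""
    for prefix in sorted(aliases, key=len, reverse=True):
        if url.startswith(prefix):
            return aliases[prefix] + url[len(prefix):]
    return None

def challenge_mismatches(renewal_conf, apache_conf, token="TOKEN"):
    """Domains whose <webroot>/.well-known/acme-challenge/<token> Apache would not serve."""
    aliases = parse_aliases(apache_conf)
    bad = []
    for domain, webroot in parse_webroot_map(renewal_conf).items():
        written = posixpath.join(webroot, ".well-known", "acme-challenge", token)
        served = served_path("/.well-known/acme-challenge/" + token, aliases)
        if served is None or posixpath.normpath(served) != posixpath.normpath(written):
            bad.append(domain)
    return bad
```

An empty result means the -w path given to certbot and the Alias target agree; a listed domain will fail validation with a 404 on the challenge URL.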

Certbot

certbot certonly --standalone --email security@lathama.net -d lathama.net -d www.lathama.net

Note that I found pip can get in a bad place on some systems, so using Python3 is a must to clean up the mess.

python3 /usr/local/bin/certbot certonly --standalone --agree-tos --no-eff-email --email security@lathama.net -d lathama.net -d www.lathama.net

Using webroot is better, so here is the webroot version:

python3 /usr/local/bin/certbot certonly --webroot -w /var/www/html/curatedurls.com/ --agree-tos --no-eff-email --email security@curatedurls.com -d curatedurls.com -d www.curatedurls.com

Look at the renewal cron job in

/etc/cron.d/certbot

The logs are in

/var/log/letsencrypt