Let’s Encrypt, what a genius!
What is this?
Let’s Encrypt is a Certificate Authority that will revolutionize the concept of a CA.
The project is open source, automated, and completely free.
How does it work?
I assume that you already know how the HTTPS protocol works. The procedure that verifies whether a certificate may be issued is a simple client/server exchange, and the certificate expires every 90 days; to find out why this particular number, check the Let’s Encrypt FAQ.
The people behind Let’s Encrypt have already reached agreements with all the browsers; in fact their root CA is already installed in them.
The certificate request and the subsequent renewals can be automated with the client, but only for Apache; for other setups it is possible to automate this with a bash script.
I forgot to mention that Let’s Encrypt only works on Unix-based systems that have Python available.
The operation is quite simple: everything happens between the CA server and the client. While you are applying, the client opens a dialogue with the CA (the challenge): the client asks Let’s Encrypt for a nonce, Let’s Encrypt sends it to the client and asks it to sign it with its private key, and a file is then created at a specific path on the web server. Once the nonce is signed, Let’s Encrypt downloads the file that was sent earlier, verifies both, and if all went well it declares the web server the owner of the selected name.
How to get a valid certificate
To get our valid certificate we need two fundamental things: a domain and a server reachable from the web.
There are two ways to create a valid certificate: use the Let’s Encrypt client installed on the server, or a Docker container for the more paranoid. Here we will look at the classical solution, the installed client.
Now let’s begin with the installation of Let’s Encrypt, which also requires installing their client (it is shared on GitHub)…
$ sudo apt-get install git
$ cd /opt
$ git clone https://github.com/letsencrypt/letsencrypt
Once installed, proceed with the request for a certificate.
Among the various procedures available we will use the one that has the least impact on an existing web server configuration: certificate generation without touching the Apache configuration.
To create the certificate, port 443 on the server must be reachable, because during the procedure the client runs its own HTTPS server (standalone mode) for the validation process.
$ /opt/letsencrypt/letsencrypt-auto certonly --text --standalone --standalone-supported-challenges tls-sni-01 --domain www.oneos.it --email firstname.lastname@example.org --renew-by-default
If key generation and certificate issuance by Let’s Encrypt succeeded, we will find our files here.
$ cd /etc/letsencrypt/live/www.oneos.it
$ ls -la
totale 8
drwxr-xr-x 2 root root 4096 gen 10 11:36 ./
drwx------ 3 root root 4096 gen 10 11:36 ../
lrwxrwxrwx 1 root root   36 gen 10 11:36 cert.pem -> ../../archive/www.oneos.it/cert.pem
lrwxrwxrwx 1 root root   37 gen 10 11:36 chain.pem -> ../../archive/www.oneos.it/chain.pem
lrwxrwxrwx 1 root root   41 gen 10 11:36 fullchain.pem -> ../../archive/www.oneos.it/fullchain.pem
lrwxrwxrwx 1 root root   39 gen 10 11:36 privkey.pem -> ../../archive/www.oneos.it/privkey.pem
Now we just have to reference these certificates in our Apache configuration.
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.oneos.it/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.oneos.it/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.oneos.it/chain.pem
Verify your certificate.
Automate the certification system renewal
There is no need to reinvent the wheel, so I fished a script for automating the renewal of Let’s Encrypt certificates out of the net; this is the URL: le_renew.
Now we only have to add it to a cron job so it is launched automatically. Save the file in the letsencrypt tools directory.
$ cd /etc/cron.daily
$ touch le_renew
$ chmod 755 le_renew
$ mkdir /var/log/letsencrypt
#!/bin/sh
/root/letsencrypt/tools/le_renew www.oneos.it >> /var/log/letsencrypt/lerenew.log
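As an added example (not the le_renew script linked above), here is a small Python renewal helper that does the job the daily cron entry delegates to: it reads the expiry date of the live certificate with openssl, renews only when fewer than a threshold of days remain, and re-runs the same standalone request as the initial issuance. It assumes the paths used earlier on this page (/opt/letsencrypt/letsencrypt-auto and /etc/letsencrypt/live), an Apache service named apache2, and a 30-day renewal threshold; all three are assumptions.

```python
import subprocess
import sys
from datetime import datetime, timezone

LIVE_DIR = "/etc/letsencrypt/live"             # live directory shown above
LE_AUTO = "/opt/letsencrypt/letsencrypt-auto"  # client cloned into /opt above
RENEW_BEFORE_DAYS = 30                         # assumption: renew when < 30 days remain

def parse_not_after(enddate_line):
    """Parse 'notAfter=Mar 10 11:36:00 2016 GMT' (the output of
    `openssl x509 -noout -enddate`) into a UTC-aware datetime."""
    value = enddate_line.strip().split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def days_remaining(not_after, now):
    return (not_after - now).days

def needs_renewal(not_after, now, threshold_days=RENEW_BEFORE_DAYS):
    """A 90-day certificate should be renewed well before it runs out."""
    return days_remaining(not_after, now) < threshold_days

def cert_not_after(domain):
    """Ask openssl for the expiry date of the live certificate of `domain`."""
    cert = f"{LIVE_DIR}/{domain}/cert.pem"
    out = subprocess.check_output(["openssl", "x509", "-noout", "-enddate", "-in", cert], text=True)
    return parse_not_after(out)

def renew(domain, email):
    """Re-run the standalone request used for the initial issuance. Standalone mode
    binds port 443 itself, so Apache (assumed service name: apache2) must release
    the port while the client runs; it is started again afterwards."""
    subprocess.check_call(["service", "apache2", "stop"])
    try:
        subprocess.check_call([LE_AUTO, "certonly", "--text", "--standalone",
                               "--standalone-supported-challenges", "tls-sni-01",
                               "--domain", domain, "--email", email, "--renew-by-default"])
    finally:
        subprocess.check_call(["service", "apache2", "start"])

def main(argv):
    domain, email = argv[1], argv[2]
    now = datetime.now(timezone.utc)
    not_after = cert_not_after(domain)
    print(f"{domain}: {days_remaining(not_after, now)} days left")
    if needs_renewal(not_after, now):
        renew(domain, email)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Called from the cron entry above as `le_renew.py www.oneos.it you@example.org`, it appends one line per day to the log and only touches Apache when a renewal is actually due.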