Let's Encrypt has lately been in the media quite often. Letsencrypt is a very easy-to-use tool that provides certificates for free, and those certificates are trusted by most common browsers. I never understood why certificates are expensive, so I tried out letsencrypt (and I like it!).
In this article, I will replace all cacert certificates on a kolab server. To do so, I will install the letsencrypt certificate on apache2, cyrus-imapd and postfix.
Installing letsencrypt
I just used git to obtain the letsencrypt script:
git clone https://github.com/letsencrypt/letsencrypt
Whenever letsencrypt is started, it searches for its dependencies and installs them automatically using the package manager of the Linux distribution. So it's wise to open the help page first:
root@kolab:~/letsencrypt# ./letsencrypt-auto --help
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --help
letsencrypt-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...
The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:
(default) run Obtain & install a cert in your current webserver
certonly Obtain cert, but do not install it (aka "auth")
install Install a previously obtained cert in a server
revoke Revoke a previously obtained certificate
rollback Rollback server configuration changes made during install
config_changes Show changes made to server config during installation
plugins Display information about installed plugins
Choice of server plugins for obtaining and installing cert:
--apache Use the Apache plugin for authentication & installation
--standalone Run a standalone webserver for authentication
(nginx support is experimental, buggy, and not installed by default)
--webroot Place files in a server's webroot folder for authentication
OR use different plugins to obtain (authenticate) the cert and then install it:
--authenticator standalone --installer apache
More detailed help:
-h, --help [topic] print this message, or detailed help on a topic;
the available topics are:
all, automation, paths, security, testing, or any of the subcommands or
plugins (certonly, install, nginx, apache, standalone, webroot, etc)
Different Modes
Letsencrypt can just create and download a certificate (certonly), or it can create the certificate and also install it on different services (at the moment only nginx and apache seem to be supported for this). The letsencrypt documentation has a list of which option only creates the certificate and which option also installs it.
How to authenticate the host
Every certificate authority has to validate that you really control the domain for which you want the certificate. Sometimes you have to set an entry in your DNS zone, or you get an email sent to one of the mail addresses of this DNS zone. Letsencrypt is a script executed on the target host. It calls home using HTTPS, but then the Let's Encrypt server has to call back to your host to validate that it is really yours. If you don't have a webserver on your host, letsencrypt can create a temporary standalone webserver for you and does the authentication automatically. I already have a webserver installed, so I can use my apache installation. Letsencrypt has an option called webroot. If you use this option for authentication, you have to provide the path to your webroot, and letsencrypt will then create a temporary hidden directory (.well-known) in this webroot. Be aware that letsencrypt only uses HTTP for validation, so if your server only listens on port 443 it won't work. Another option for authentication is manual. Using manual, one has to do the authentication by hand (I never tried that).
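Because the validation only works over plain HTTP, it is worth confirming before running letsencrypt that the directory you will pass with -w is really what your webserver serves on port 80 under /.well-known/acme-challenge/. The following script is an added example, not part of the original post: it drops a random probe file into the challenge directory, fetches it over HTTP with curl, and compares the content. The webroot path, the hostname and the use of curl are assumptions you adjust to your host.

```shell
#!/bin/sh
# Added example (not from the original post): check that WEBROOT is served
# over plain HTTP on port 80 under /.well-known/acme-challenge/, which is
# where the ACME HTTP-01 validation looks. Assumes curl and a POSIX shell.

# make_probe WEBROOT: create a random probe file in the challenge directory
# and print its token (the file name). The content equals the token.
make_probe() {
    dir=$1/.well-known/acme-challenge
    mkdir -p "$dir"
    token=probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s\n' "$token" > "$dir/$token"
    echo "$token"
}

# probe_url URL TOKEN: 0 if fetching URL returns exactly TOKEN.
# Use http://, never https://: the CA validates over port 80.
probe_url() {
    body=$(curl -fsS --max-time 10 "$1") || return 1
    [ "$body" = "$2" ]
}

# check_webroot WEBROOT HOSTNAME: end-to-end check; the probe file is
# removed again whether or not the fetch succeeded.
check_webroot() {
    token=$(make_probe "$1")
    if probe_url "http://$2/.well-known/acme-challenge/$token" "$token"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$1/.well-known/acme-challenge/$token"
    return $rc
}

# Usage: ./check_webroot.sh /var/www/html kolab.example.com
if [ $# -eq 2 ]; then
    check_webroot "$1" "$2" && echo "OK: $2 serves $1 over HTTP"
fi
```

If the check fails, typical causes are a vhost whose DocumentRoot is not the directory you passed, a redirect from port 80 to 443 that rewrites the challenge path, or a firewall that only allows 443.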
So let’s encrypt
./letsencrypt-auto certonly --rsa-key-size 4096 --webroot -w /var/www/html/ -d kolab.example.com
This command creates a certificate for kolab.example.com, using the webroot /var/www/html for authentication. The certificate is stored in /etc/letsencrypt/live/kolab.example.com:
root@kolab:~/letsencrypt# ls -l /etc/letsencrypt/live/kolab.example.com/
total 0
lrwxrwxrwx 1 root root 42 Jan 28 15:34 cert.pem -> ../../archive/kolab.example.com/cert1.pem
lrwxrwxrwx 1 root root 43 Jan 28 15:34 chain.pem -> ../../archive/kolab.example.com/chain1.pem
lrwxrwxrwx 1 root root 47 Jan 28 15:34 fullchain.pem -> ../../archive/kolab.example.com/fullchain1.pem
lrwxrwxrwx 1 root root 45 Jan 28 15:34 privkey.pem -> ../../archive/kolab.example.com/privkey1.pem
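Before pointing apache2, postfix and cyrus at these files, it pays to verify that the four symlinks resolve, that fullchain.pem really is cert.pem followed by chain.pem (services that take the leaf and the chain separately must see the same material as those that take fullchain.pem), that the private key belongs to the certificate, and that the certificate is not about to expire. The following script is an added example, not part of the original post or of letsencrypt itself; it assumes the layout shown above and openssl for the key and expiry checks.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a Let's Encrypt
# live directory before configuring services with it. Assumes the layout
# cert.pem, chain.pem, fullchain.pem, privkey.pem and a POSIX shell with
# openssl available for key_matches_cert and cert_valid_for_days.

# check_live_layout DIR: 0 if every expected file is readable (following the
# symlinks into archive/) and fullchain.pem is exactly cert.pem + chain.pem.
check_live_layout() {
    dir=$1
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f" >&2
            return 1
        fi
    done
    if ! cat "$dir/cert.pem" "$dir/chain.pem" | cmp -s - "$dir/fullchain.pem"; then
        echo "fullchain.pem is not cert.pem + chain.pem in $dir" >&2
        return 1
    fi
    return 0
}

# key_matches_cert CERT KEY: 0 if the certificate's public key equals the
# public half of KEY. Compares SubjectPublicKeyInfo, so it works for RSA
# and ECDSA keys alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT [DAYS]: 0 if CERT is still valid in DAYS days
# (default 30). Let's Encrypt certificates live 90 days.
cert_valid_for_days() {
    days=${2:-30}
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null
}

check_all() {
    dir=$1
    check_live_layout "$dir" &&
    key_matches_cert "$dir/cert.pem" "$dir/privkey.pem" &&
    cert_valid_for_days "$dir/cert.pem" 30
}

# Usage: ./check_live.sh /etc/letsencrypt/live/kolab.example.com
if [ -n "$1" ]; then
    check_all "$1" && echo "OK: $1"
fi
```

check_all returns non-zero on the first failing check and prints the reason on stderr, so it can also be used as a guard in a renewal script.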
Configuring the services
Apache2 (>= 2.4.8)
SSLCertificateFile /etc/letsencrypt/live/kolab.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kolab.example.com/privkey.pem
Apache2 (< 2.4.8)
SSLCertificateFile /etc/letsencrypt/live/kolab.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kolab.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/kolab.example.com/chain.pem
Nginx
ssl_certificate /etc/letsencrypt/live/kolab.example.com/fullchain.pem
ssl_certificate_key /etc/letsencrypt/live/kolab.example.com/privkey.pem
Postfix
smtpd_tls_cert_file=/etc/letsencrypt/live/kolab.example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/kolab.example.com/privkey.pem
smtp_tls_cert_file=/etc/letsencrypt/live/kolab.example.com/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/kolab.example.com/privkey.pem
Cyrus Imapd
tls_server_cert: /etc/letsencrypt/live/kolab.example.com/cert.pem
tls_server_key: /etc/letsencrypt/live/kolab.example.com/privkey.pem
tls_server_ca_file: /etc/letsencrypt/live/kolab.example.com/chain.pem
DEBIAN USERS: This won't work out of the box. Cyrus needs the group permissions on the certificate files set correctly:
403119 4 drwxr-x--- 3 root ssl-cert 4096 Jan 28 15:34 /etc/letsencrypt/archive
403129 4 -rw-r--r-- 1 root ssl-cert 3272 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/privkey1.pem
403130 4 -rw-r--r-- 1 root ssl-cert 1675 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/chain1.pem
403128 4 -rw-r--r-- 1 root ssl-cert 2151 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/cert1.pem
403131 4 -rw-r--r-- 1 root ssl-cert 3826 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/fullchain1.pem
403120 4 drwxr-x--- 3 root ssl-cert 4096 Jan 28 15:34 /etc/letsencrypt/live
Renewal
Letsencrypt says on its page:
Let’s Encrypt CA issues short lived certificates (90 days). Make sure you renew the certificates at least once in 3 months.
Let's create a renewal script (/opt/letsrenew.sh):
#!/bin/bash
# Obtain a fresh certificate; cli.ini below supplies the remaining options.
/opt/letsencrypt/letsencrypt-auto certonly --config /opt/letsencrypt/cli.ini --webroot -w /var/www/html/ -d kolab.example.com
# The services only read the certificate files at start-up, so restart them
# to pick up the new one.
service apache2 restart
service postfix restart
service cyrus-imapd restart
So we can just create a cronjob (at 00:00 on the 1st of Jan, Mar, May, Jul, Sep and Nov):
0 0 1 */2 * /opt/letsrenew.sh > /dev/null
Our /opt/letsencrypt/cli.ini looks like this:
agree-tos
renew-by-default = True
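The cronjob above discards all output, so a failed renewal goes unnoticed until the certificate expires, and the three services are restarted even when nothing changed. The following wrapper is an added example, not part of the original post: it runs the same certonly command, keeps a log, and restarts the services only when fullchain.pem actually changed. LIVE, LOG, SERVICES, RENEW_CMD and SERVICE_CMD are assumptions with defaults taken from the page; override them through the environment to match your host.

```shell
#!/bin/sh
# Added example (not from the original post): renewal wrapper that logs and
# only restarts services when the certificate changed. All variables below
# are assumptions with defaults matching the setup described in the article.

LIVE=${LIVE:-/etc/letsencrypt/live/kolab.example.com}
LOG=${LOG:-/var/log/letsrenew.log}
SERVICES=${SERVICES:-"apache2 postfix cyrus-imapd"}
RENEW_CMD=${RENEW_CMD:-"/opt/letsencrypt/letsencrypt-auto certonly --config /opt/letsencrypt/cli.ini --webroot -w /var/www/html/ -d kolab.example.com"}
SERVICE_CMD=${SERVICE_CMD:-service}

# fingerprint FILE: change-detection checksum of FILE (follows the symlink
# into archive/, so a repointed live/ link counts as a change).
fingerprint() {
    cksum "$1" | cut -d' ' -f1
}

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"
}

# renew_and_reload: 0 when the renewal command succeeded (certificate changed
# or not), 1 when it failed. Services are restarted only on change, and never
# after a failed renewal, since the old certificate is still in place.
renew_and_reload() {
    before=$(fingerprint "$LIVE/fullchain.pem" 2>/dev/null || echo none)
    if ! $RENEW_CMD >> "$LOG" 2>&1; then
        log "renewal FAILED, services left untouched"
        return 1
    fi
    after=$(fingerprint "$LIVE/fullchain.pem" 2>/dev/null || echo none)
    if [ "$before" = "$after" ]; then
        log "certificate unchanged, nothing to restart"
        return 0
    fi
    log "certificate changed ($before -> $after), restarting: $SERVICES"
    for s in $SERVICES; do
        $SERVICE_CMD "$s" restart >> "$LOG" 2>&1 || log "restart of $s failed"
    done
    return 0
}

# Usage from cron: 0 0 1 */2 * /opt/letsrenew.sh run
case ${1:-} in
    run) renew_and_reload ;;
esac
```

With this wrapper the cron line becomes "0 0 1 */2 * /opt/letsrenew.sh run"; the log then shows for every run whether the certificate was renewed, and a failure line is something you can alert on.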