Let's Encrypt has been in the media a lot lately. Letsencrypt is a very easy to use tool which provides certificates for free, and those certificates are trusted by most common browsers. I never understood why certificates are expensive, which is why I tried out letsencrypt (and I like it!).
In this article I will replace all CAcert certificates on a Kolab server. That means installing the Let's Encrypt certificate for apache2, cyrus-imapd and postfix.
I used git to obtain the letsencrypt client script (the client has since been renamed to certbot, but the steps below are for the version I used):
git clone https://github.com/letsencrypt/letsencrypt
Whenever letsencrypt-auto is started it checks for its dependencies and installs missing ones with the package manager of the Linux distribution. So it is wise to look at the help page first and see what it does:
root@kolab:~/letsencrypt# ./letsencrypt-auto --help
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --help

  letsencrypt-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  (nginx support is experimental, buggy, and not installed by default)
  --webroot         Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic]    print this message, or detailed help on a topic;
                        the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, install, nginx, apache, standalone, webroot, etc)
Letsencrypt can either just create and download a certificate (certonly), or create the certificate and also install it into a service (at the moment only apache is supported for that out of the box; nginx support is experimental). The letsencrypt documentation has a list of which plugins only obtain the certificate and which also install it.
How to authenticate the host
Every certificate authority has to validate that you really control the domain for which you want a certificate. Some CAs ask you to set a record in your DNS zone, or send a mail to one of the well-known addresses of that domain. Letsencrypt is a script executed on the target host: it contacts the Let's Encrypt servers over HTTPS, and the CA then has to call back to your host to check that it is really yours.
If you don't have a webserver on your host, letsencrypt can start a temporary standalone webserver for you and handle the validation automatically. I already have a webserver installed, so I can use my apache installation through the option called webroot. With this option you provide the path to your webroot, and letsencrypt places a temporary file in the hidden directory .well-known/acme-challenge below it; the CA fetches that file to prove that you control the host.
Be aware that the webroot validation uses plain HTTP, i.e. the CA connects to port 80. If your server only listens on port 443, it won't work. Another option for authentication is manual, where you perform the validation steps by hand (I never tried that).
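To make the callback concrete, here is the http-01 exchange that sits behind the webroot option, as an added example written for this article (it is not code from the letsencrypt client). It follows the ACME http-01 challenge: the client writes token.thumbprint into .well-known/acme-challenge/token, and the CA fetches that path over port 80 and compares it with the thumbprint of the account key it registered. The account key is a constructed JWK with a dummy modulus, not a real key.

```python
"""What the http-01 validation behind --webroot actually exchanges.
Added example (not code from the article or the letsencrypt client);
the account key JWK below is constructed with a dummy modulus."""
import base64
import hashlib
import json
import os
import tempfile

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace.
    Optional members such as "kid" do not take part."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The string the CA expects to find: <token>.<thumbprint of the account key>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def write_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """Client side (what the webroot plugin does): drop the key authorization
    under <webroot>/.well-known/acme-challenge/<token>. Returns the file path."""
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def validate_response(body: bytes, token: str, account_jwk: dict) -> bool:
    """CA side: the body fetched from http://<domain>/.well-known/acme-challenge/<token>
    must equal the key authorization; trailing whitespace is tolerated."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return body.rstrip(b" \t\r\n") == expected


# Constructed account key: "AQAB" is the usual exponent 65537, the modulus is filler bytes.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(256))), "kid": "example"}


def demo(webroot=None) -> dict:
    """Run the exchange offline: write the token into a (temporary) webroot and
    read it back from disk the way the CA would fetch it over port 80."""
    webroot = webroot or tempfile.mkdtemp()
    token = b64url(os.urandom(32))            # tokens are random base64url strings
    path = write_challenge(webroot, token, ACCOUNT_JWK)
    with open(path, "rb") as fh:
        body = fh.read()
    return {
        "url_path": "/" + CHALLENGE_DIR.replace(os.sep, "/") + "/" + token,
        "valid": validate_response(body, token, ACCOUNT_JWK),
        # a different account key yields a different thumbprint, so the CA rejects it
        "tampered": validate_response(body, token, {**ACCOUNT_JWK, "e": "AQAC"}),
    }
```

The thumbprint is what ties the file on your webroot to the account key letsencrypt registered, which is why nobody can pass the challenge by merely guessing a token, and why the CA has to reach the path over plain HTTP on port 80 rather than trusting what the client tells it.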
So let’s encrypt
./letsencrypt-auto certonly --rsa-key-size 4096 --webroot -w /var/www/html/ -d kolab.example.com
This command creates a certificate for kolab.example.com, using the webroot /var/www/html for validation. The certificate is stored in /etc/letsencrypt/live/kolab.example.com, as symlinks to the current versions in /etc/letsencrypt/archive:
root@kolab:~/letsencrypt# ls -l /etc/letsencrypt/live/kolab.example.com/
total 0
lrwxrwxrwx 1 root root 42 Jan 28 15:34 cert.pem -> ../../archive/kolab.example.com/cert1.pem
lrwxrwxrwx 1 root root 43 Jan 28 15:34 chain.pem -> ../../archive/kolab.example.com/chain1.pem
lrwxrwxrwx 1 root root 47 Jan 28 15:34 fullchain.pem -> ../../archive/kolab.example.com/fullchain1.pem
lrwxrwxrwx 1 root root 45 Jan 28 15:34 privkey.pem -> ../../archive/kolab.example.com/privkey1.pem
Configuring the services
Apache2( >= 2.4.8 )
SSLCertificateFile /etc/letsencrypt/live/kolab.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kolab.example.com/privkey.pem
Apache2( < 2.4.8 )
SSLCertificateFile /etc/letsencrypt/live/kolab.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kolab.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/kolab.example.com/chain.pem
Nginx
ssl_certificate /etc/letsencrypt/live/kolab.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/kolab.example.com/privkey.pem;
Postfix (main.cf)
smtpd_tls_cert_file=/etc/letsencrypt/live/kolab.example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/kolab.example.com/privkey.pem
smtp_tls_cert_file=/etc/letsencrypt/live/kolab.example.com/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/kolab.example.com/privkey.pem
Cyrus IMAP (imapd.conf)
tls_server_cert: /etc/letsencrypt/live/kolab.example.com/cert.pem
tls_server_key: /etc/letsencrypt/live/kolab.example.com/privkey.pem
tls_server_ca_file: /etc/letsencrypt/live/kolab.example.com/chain.pem
DEBIAN USERS: This won't work out of the box. Cyrus does not run as root on Debian, so the certificate files and the directories leading to them need group permissions that the cyrus daemon can use (here the ssl-cert group):
403119 4 drwxr-x--- 3 root ssl-cert 4096 Jan 28 15:34 /etc/letsencrypt/archive
403129 4 -rw-r--r-- 1 root ssl-cert 3272 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/privkey1.pem
403130 4 -rw-r--r-- 1 root ssl-cert 1675 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/chain1.pem
403128 4 -rw-r--r-- 1 root ssl-cert 2151 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/cert1.pem
403131 4 -rw-r--r-- 1 root ssl-cert 3826 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/fullchain1.pem
403120 4 drwxr-x--- 3 root ssl-cert 4096 Jan 28 15:34 /etc/letsencrypt/live
Note that in this listing privkey1.pem is mode 644, i.e. readable by every local user. Since the ssl-cert group already has read access, 640 is enough; the certificate and chain files are public material and may stay 644. Check the ownership and mode again after every renewal: letsencrypt writes a new privkey2.pem and so on into the archive directory, and the group grant made by hand does not necessarily carry over to the new files.
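Rather than eyeballing a listing, it is worth checking the whole tree: every directory on the path must be traversable by the group, and the private key must be readable by that group and by nobody else. The script below is an added example, not code from the article or the letsencrypt client. It audits a /etc/letsencrypt-style tree and, in demo(), rebuilds the layout from the listing above in a temporary directory with constructed placeholder files and the current user's group standing in for ssl-cert, to show the one finding it raises (the 644 private key) and that 640 clears it.

```python
"""Audit /etc/letsencrypt so that the service group (ssl-cert on Debian) can
read the private key and nobody else can. Added example, not code from the
article or the letsencrypt client. demo() rebuilds the listing above in a
temporary directory (constructed placeholder files, the current user's group
standing in for ssl-cert)."""
import os
import stat
import tempfile


def _check_dir(path: str, st: os.stat_result, service_gid: int) -> list:
    out = []
    if st.st_gid != service_gid:
        out.append(f"{path}: group is gid {st.st_gid}, expected {service_gid}")
    if not st.st_mode & stat.S_IXGRP:
        out.append(f"{path}: not traversable by the service group (missing g+x)")
    if st.st_mode & stat.S_IRWXO:
        out.append(f"{path}: accessible by everyone (mode {oct(st.st_mode & 0o777)})")
    return out


def _check_file(path: str, st: os.stat_result, service_gid: int) -> list:
    out = []
    if not os.path.basename(path).startswith("privkey"):
        return out          # cert, chain and fullchain are public material anyway
    if st.st_mode & stat.S_IRWXO:
        out.append(f"{path}: private key is world-readable (mode {oct(st.st_mode & 0o777)})")
    if st.st_gid != service_gid:
        out.append(f"{path}: group is gid {st.st_gid}, expected {service_gid}")
    if not st.st_mode & stat.S_IRGRP:
        out.append(f"{path}: service group cannot read the key (missing g+r)")
    return out


def audit(base: str, service_gid: int) -> list:
    """Walk archive/ and live/ below base and return a list of findings (empty = OK)."""
    findings = []
    for sub in ("archive", "live"):
        for dirpath, _dirs, files in os.walk(os.path.join(base, sub)):
            findings += _check_dir(dirpath, os.stat(dirpath), service_gid)
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path):
                    if not os.path.exists(path):
                        findings.append(f"{path}: dangling symlink")
                    continue    # live/ links point into archive/, which is audited itself
                findings += _check_file(path, os.stat(path), service_gid)
    return findings


def demo():
    """Reproduce the listing above; return (findings before, findings after chmod 640)."""
    base = os.path.join(tempfile.mkdtemp(), "letsencrypt")
    archive = os.path.join(base, "archive", "kolab.example.com")
    live = os.path.join(base, "live", "kolab.example.com")
    os.makedirs(archive)
    os.makedirs(live)
    for d in (base, os.path.dirname(archive), archive, os.path.dirname(live), live):
        os.chmod(d, 0o750)                     # drwxr-x--- as in the listing
    for name in ("privkey1.pem", "cert1.pem", "chain1.pem", "fullchain1.pem"):
        path = os.path.join(archive, name)
        with open(path, "w") as fh:
            fh.write("placeholder, not a real PEM file\n")
        os.chmod(path, 0o644)                  # -rw-r--r-- as in the listing
        os.symlink(os.path.join("..", "..", "archive", "kolab.example.com", name),
                   os.path.join(live, name.replace("1.pem", ".pem")))
    service_gid = os.stat(base).st_gid         # stand-in for the ssl-cert gid
    before = audit(base, service_gid)
    os.chmod(os.path.join(archive, "privkey1.pem"), 0o640)
    after = audit(base, service_gid)
    return before, after
```

On the real host run audit("/etc/letsencrypt", grp.getgrnam("ssl-cert").gr_gid) as root (grp is in the standard library) before restarting cyrus, and again after each renewal. Permissions aside, it also pays to connect to port 993 with openssl s_client -showcerts after the restart and confirm that cyrus presents the intermediate certificate from chain.pem; mail clients are less forgiving than browsers about a missing chain.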
Letsencrypt says on its page:
Let’s Encrypt CA issues short lived certificates (90 days). Make sure you renew the certificates at least once in 3 months.
Let's create a renewal script (/opt/letsrenew.sh). It assumes the git clone from above lives in /opt/letsencrypt:
#!/bin/bash
/opt/letsencrypt/letsencrypt-auto certonly --config /opt/letsencrypt/cli.ini --webroot -w /var/www/html/ -d kolab.example.com
service apache2 restart
service postfix restart
service cyrus-imapd restart
So we can just create a cron job (at 00:00 on the 1st of January, March, May, July, September and November). Keep in mind that a certificate is valid for 90 days while these runs are about 61 days apart: if one run fails, the certificate expires roughly a month before the next attempt. The redirection below only discards stdout, so cron still mails you whatever the script prints on stderr; don't redirect that away as well:
0 0 1 */2 * /opt/letsrenew.sh > /dev/null
Our /opt/letsencrypt/cli.ini looks like this:
agree-tos
renew-by-default = True
renew-by-default tells certonly to replace the existing certificate without asking. Note that the renewal command no longer passes --rsa-key-size 4096, so add rsa-key-size = 4096 here if the renewed key should have the same size as the initial one.
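The two-month cron leaves a gap when a run fails: the certificate lasts 90 days but the next attempt is about 61 days later. The following is an added example, not part of the article, that models that schedule and shows an expiry check you can put in front of the renewal so that a daily cron only renews when it has to. It assumes the date format printed by openssl x509 -noout -enddate -in cert.pem and a hypothetical 30-day renewal margin; the simulation is a model of the schedule, not of the client.

```python
"""Renewal timing for 90-day certificates. Added example, not part of the
article. parse_openssl_enddate() assumes the output format of
`openssl x509 -noout -enddate -in cert.pem` (notAfter=Mon DD HH:MM:SS YYYY GMT);
simulate() is a model of the cron schedule above, not of the client."""
import re
from datetime import datetime, timezone

LIFETIME_DAYS = 90          # Let's Encrypt certificate lifetime quoted above


def parse_openssl_enddate(line: str) -> datetime:
    """Turn 'notAfter=Apr 27 15:34:00 2016 GMT' into an aware UTC datetime."""
    m = re.match(r"notAfter=(.+?)\s+GMT\s*$", line.strip())
    if not m:
        raise ValueError(f"unexpected enddate line: {line!r}")
    stamp = " ".join(m.group(1).split())   # openssl pads single-digit days: 'Apr  7'
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_left(enddate_line: str, now=None) -> int:
    """Whole days until expiry; `now` may be None (current UTC time) or an ISO 8601 string."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    return (parse_openssl_enddate(enddate_line) - now).days


def renewal_due(enddate_line: str, now=None, margin_days: int = 30) -> bool:
    """Renew when margin_days or fewer remain (30 leaves time to notice a failed run)."""
    return days_left(enddate_line, now) <= margin_days


def simulate(cron_period_days: int, margin_days=None, failed_runs=frozenset(),
             horizon_days: int = 365) -> int:
    """Model of the schedule: a cert issued on day 0, cron firing every
    cron_period_days. With margin_days=None every run renews (the article's
    renew-by-default); otherwise a run renews only when within margin_days of
    expiry. Runs whose index is in failed_runs fail (network error, webroot
    unreachable, ...). Returns the number of days on which no valid cert exists."""
    expiry = LIFETIME_DAYS
    uncovered = 0
    for day in range(1, horizon_days + 1):
        if day % cron_period_days == 0:
            run = day // cron_period_days
            due = margin_days is None or expiry - day <= margin_days
            if due and run not in failed_runs:
                expiry = day + LIFETIME_DAYS
        if day >= expiry:
            uncovered += 1
    return uncovered
```

With the schedule above, one failed run (simulate(61, None, {1})) costs 32 days without a valid certificate, while a daily cron that renews only when 30 days or fewer remain (simulate(1, 30, {60})) recovers the next day. Running the article's renew-by-default script daily is not an option, since it would request a new certificate every day and run into Let's Encrypt's issuance rate limits; gate the renewal on renewal_due() instead, or at least make sure the bi-monthly run is monitored.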