FUN WITH LINUX

Lets Encrypt

30 January 2016

Letsencrypt

Let's Encrypt has lately been in the media quite often. Letsencrypt is a very easy to use tool which provides certificates for free, and those certificates are accepted by most common browsers. I never understood why certificates are expensive, that's why I tried out letsencrypt (and I like it!).

In this article, I will replace all CAcert certificates on a Kolab server. Therefore I will install the letsencrypt certificate on apache2, cyrus-imapd and postfix.

Installing letsencrypt

I just used git to obtain the letsencrypt script:

git clone https://github.com/letsencrypt/letsencrypt

Whenever letsencrypt is started it searches for its dependencies and installs them automatically using the package manager of the Linux distribution. So it's wise to open the help page first:

root@kolab:~/letsencrypt# ./letsencrypt-auto --help
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --help

  letsencrypt-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run Obtain & install a cert in your current webserver
  certonly Obtain cert, but do not install it (aka "auth")
  install Install a previously obtained cert in a server
  revoke Revoke a previously obtained certificate
  rollback Rollback server configuration changes made during install
  config_changes Show changes made to server config during installation
  plugins Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

  --apache Use the Apache plugin for authentication & installation
  --standalone Run a standalone webserver for authentication
  (nginx support is experimental, buggy, and not installed by default)
  --webroot Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic] print this message, or detailed help on a topic;
                        the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, install, nginx, apache, standalone, webroot, etc)

Different Modes

Letsencrypt can just create and download a certificate (certonly), or it can create the certificate and also install it on different services (at the moment only nginx and apache seem to be supported for this). The letsencrypt documentation has a list of which option just creates the certificate and which option also installs it.

How to authenticate the host

Every certification authority has to validate that you are really the owner of the domain for which you want a certificate. Sometimes you have to set an entry in your DNS zone, or you just get an email to one of the mail addresses of this DNS zone.

Letsencrypt is a script executed on the target host. It will just call home using HTTPS. But then the letsencrypt server has to call back to your host to validate that it is really yours. If you don't have a webserver on your host, letsencrypt can create a temporary standalone webserver for you and does the authentication automatically.

I already have a webserver installed, so I can use my apache installation. Letsencrypt has an option called webroot. If you use this option for authentication, you will have to provide the path to your webroot and letsencrypt will then just create a temporary, hidden directory (.well-known) in this webroot. Be aware that letsencrypt only uses HTTP for validation. So if your server just listens on port 443 it won't work.

Another option for authentication is manual. Using manual, one has to do the authentication by hand (I never tried that).
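Before running letsencrypt with the webroot option it is worth checking that the challenge directory really is reachable over plain HTTP. The following pre-flight script is an added example and not part of the original post; it assumes curl is installed, the function names are made up, and FETCH/BASE_URL can be overridden only so the check can be exercised without a live webserver.

```bash
#!/bin/sh
# Added example: pre-flight check for the webroot authenticator. A random
# token is written to WEBROOT/.well-known/acme-challenge/ and fetched back over
# plain HTTP, which is the path the Let's Encrypt server will request.
# FETCH and BASE_URL exist only so the check can run without a live webserver
# (assumption: curl is installed; the defaults are what you use in production).
set -u

# Write a random token file into the challenge directory and print the token.
place_token() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s\n' "$token" > "$dir/$token"
    printf '%s\n' "$token"
}

# check_webroot WEBROOT DOMAIN: returns 0 when http://DOMAIN/.well-known/...
# returns exactly the token we placed. The scheme is deliberately http://;
# validation never uses HTTPS, so a host listening only on 443 fails here too.
check_webroot() {
    webroot=$1
    domain=$2
    base=${BASE_URL:-"http://$domain"}
    fetch=${FETCH:-"curl -fsS"}
    token=$(place_token "$webroot")
    got=$($fetch "$base/.well-known/acme-challenge/$token" 2>/dev/null) || got=""
    rm -f "$webroot/.well-known/acme-challenge/$token"
    if [ "$got" = "$token" ]; then
        echo "OK: $domain serves the challenge directory over HTTP"
        return 0
    fi
    echo "FAIL: could not fetch the token from $base/.well-known/acme-challenge/" >&2
    return 1
}

# Run the check when executed as a script, e.g. ./acme-preflight.sh /var/www/html kolab.example.com
case "$0" in
    */acme-preflight.sh) check_webroot "${1:-/var/www/html}" "${2:-kolab.example.com}" ;;
esac
```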

So let’s encrypt

./letsencrypt-auto certonly --rsa-key-size 4096 --webroot -w /var/www/html/ -d kolab.example.com

This command will create a certificate for kolab.example.com, using the webroot /var/www/html for authentication. The certificate is stored in /etc/letsencrypt/live/kolab.example.com (as symlinks to the current files in /etc/letsencrypt/archive):

root@kolab:~/letsencrypt# ls -l /etc/letsencrypt/live/kolab.example.com/
total 0
lrwxrwxrwx 1 root root 42 Jan 28 15:34 cert.pem -> ../../archive/kolab.example.com/cert1.pem
lrwxrwxrwx 1 root root 43 Jan 28 15:34 chain.pem -> ../../archive/kolab.example.com/chain1.pem
lrwxrwxrwx 1 root root 47 Jan 28 15:34 fullchain.pem -> ../../archive/kolab.example.com/fullchain1.pem
lrwxrwxrwx 1 root root 45 Jan 28 15:34 privkey.pem -> ../../archive/kolab.example.com/privkey1.pem

Configuring the services

Apache2 (>= 2.4.8)

SSLCertificateFile /etc/letsencrypt/live/kolab.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kolab.example.com/privkey.pem

Apache2 (< 2.4.8)

SSLCertificateFile /etc/letsencrypt/live/kolab.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kolab.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/kolab.example.com/chain.pem

Nginx

ssl_certificate /etc/letsencrypt/live/kolab.example.com/fullchain.pem
ssl_certificate_key /etc/letsencrypt/live/kolab.example.com/privkey.pem

Postfix

smtpd_tls_cert_file=/etc/letsencrypt/live/kolab.example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/kolab.example.com/privkey.pem
smtp_tls_cert_file=/etc/letsencrypt/live/kolab.example.com/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/kolab.example.com/privkey.pem

Cyrus Imapd

tls_server_cert: /etc/letsencrypt/live/kolab.example.com/cert.pem
tls_server_key: /etc/letsencrypt/live/kolab.example.com/privkey.pem
tls_server_ca_file: /etc/letsencrypt/live/kolab.example.com/chain.pem

DEBIAN USERS: This won't work out of the box. Cyrus needs the group permissions on the certificate files and directories to be set correctly:

403119 4 drwxr-x--- 3 root ssl-cert 4096 Jan 28 15:34 /etc/letsencrypt/archive
403129 4 -rw-r--r-- 1 root ssl-cert 3272 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/privkey1.pem
403130 4 -rw-r--r-- 1 root ssl-cert 1675 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/chain1.pem
403128 4 -rw-r--r-- 1 root ssl-cert 2151 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/cert1.pem
403131 4 -rw-r--r-- 1 root ssl-cert 3826 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/fullchain1.pem
403120 4 drwxr-x--- 3 root ssl-cert 4096 Jan 28 15:34 /etc/letsencrypt/live
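An added example (not from the original post) of setting those permissions with a script instead of by hand. It assumes the Debian ssl-cert group and the default /etc/letsencrypt layout, and it also tightens the private keys to 0640, since the listing above shows privkey1.pem as 0644 (world-readable), which the group access does not require.

```bash
#!/bin/sh
# Added example: make the Let's Encrypt files readable for the Debian ssl-cert
# group (which Cyrus needs) without leaving private keys world-readable.
# ROOT and GROUP are parameters so it can be tried on a copy; in production
# run it as root with ROOT=/etc/letsencrypt and GROUP=ssl-cert.
set -eu

# fix_letsencrypt_perms ROOT GROUP
fix_letsencrypt_perms() {
    root=$1
    group=$2
    # live/ only holds symlinks into archive/, so both trees must be traversable
    # by the group: owner rwx, group rx, nothing for others.
    chgrp -R "$group" "$root/archive" "$root/live"
    find "$root/archive" "$root/live" -type d -exec chmod 0750 {} +
    # cert/chain/fullchain are public material and may stay world-readable.
    find "$root/archive" -type f ! -name 'privkey*.pem' -exec chmod 0644 {} +
    # privkeyN.pem: owner rw, group r, others nothing (the listing above had 0644).
    find "$root/archive" -type f -name 'privkey*.pem' -exec chmod 0640 {} +
}

# check_privkey_perms ROOT: succeeds only if every private key under
# ROOT/archive is exactly 0640, i.e. only owner and group can read it.
check_privkey_perms() {
    ! find "$1/archive" -type f -name 'privkey*.pem' ! -perm 0640 | grep -q .
}

# Run when executed as a script, e.g. ./fix-le-perms.sh /etc/letsencrypt ssl-cert
case "$0" in
    */fix-le-perms.sh)
        fix_letsencrypt_perms "${1:-/etc/letsencrypt}" "${2:-ssl-cert}"
        check_privkey_perms "${1:-/etc/letsencrypt}" && echo "private keys are 0640"
        ;;
esac
```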

Renewal

Letsencrypt says on its page:

Let’s Encrypt CA issues short lived certificates (90 days). Make sure you renew the certificates at least once in 3 months.

Let's create a renewal script (/opt/letsrenew.sh):

#!/bin/bash
# Obtain a fresh certificate; the remaining settings come from cli.ini
/opt/letsencrypt/letsencrypt-auto certonly --config /opt/letsencrypt/cli.ini --webroot -w /var/www/html/ -d kolab.example.com

# Restart the services so they pick up the new certificate
service apache2 restart
service postfix restart
service cyrus-imapd restart

So we can just create a cronjob (at 00:00 on the 1st of Jan, Mar, May, Jul, Sep and Nov):

0 0 1 */2 * /opt/letsrenew.sh > /dev/null

Our /opt/letsencrypt/cli.ini looks like this:

agree-tos
renew-by-default = True
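An added variant of /opt/letsrenew.sh, not from the original post, that restarts the services only when fullchain.pem actually changed and exits non-zero when the renewal command failed, so a failed run does not bounce apache2, postfix and cyrus-imapd. It assumes the post's paths and command (the function names are made up); with renew-by-default in cli.ini the command reissues on every run, so the comparison mainly guards against failed runs.

```bash
#!/bin/sh
# Added example: renewal script that only restarts services when the
# certificate really changed. LIVE_DIR and RENEW_CMD default to the paths and
# command from the post and can be overridden; restart_services can be
# redefined for a dry run.
set -u

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/kolab.example.com}
RENEW_CMD=${RENEW_CMD:-"/opt/letsencrypt/letsencrypt-auto certonly --config /opt/letsencrypt/cli.ini --webroot -w /var/www/html/ -d kolab.example.com"}

restart_services() {
    for svc in apache2 postfix cyrus-imapd; do
        service "$svc" restart
    done
}

# Run the renewal and compare fullchain.pem before and after: live/ is a
# symlink that letsencrypt repoints to the newest archive/ file, so a
# successful renewal changes the contents read through it.
# Returns 0 when a new certificate was installed and services restarted,
# 1 when the certificate is unchanged, 2 when the renewal command failed.
renew_if_changed() {
    before=$(cat "$LIVE_DIR/fullchain.pem")
    eval "$RENEW_CMD" || return 2
    after=$(cat "$LIVE_DIR/fullchain.pem")
    if [ "$before" = "$after" ]; then
        echo "certificate in $LIVE_DIR unchanged, not restarting services"
        return 1
    fi
    echo "new certificate installed, restarting services"
    restart_services
}

# When run as /opt/letsrenew.sh (e.g. from cron), only a failed renewal is an error.
case "$0" in
    */letsrenew.sh) renew_if_changed; rc=$?; [ "$rc" -eq 2 ] && exit 1; exit 0 ;;
esac
```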
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti