Let's Encrypt

From WebarchDocs

Some notes on using Let's Encrypt.

An ACME Shell script: acme.sh

The acme.sh Bash script is a very easy tool to install and use for obtaining Let's Encrypt certs. For example, to install the script:

sudo -i
wget -O - https://get.acme.sh | sh
source ~/.bashrc

Create a directory for the authorization files and one for the certs, set up the web server to serve the authorization directory, and then generate a private key and get a cert:

sudo -i
mkdir /etc/ssl/le ; chmod 700 /etc/ssl/le 
mkdir /var/www/le
acme.sh --issue -d example.org -d www.example.org \
  -d example.com -d www.example.com -w /var/www/le

Update the web server to use the new certs and then use this command to copy them into the right place and restart the server:

acme.sh --installcert -d example.org \
  --certpath /etc/ssl/le/example.crt.pem \
  --keypath /etc/ssl/le/example.key.pem \
  --fullchainpath /etc/ssl/le/example.chain.pem \
  --reloadcmd 'service apache2 force-reload'

The install script appends the following to /root/.bashrc:

. "/root/.acme.sh/acme.sh.env"

And create the following root cron job:

0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

And the configuration will be written to /root/.acme.sh/rt.webarch.net/example.org.conf.

Cert Fingerprint

Some applications will prompt for the new cert fingerprint to be checked; you can generate a fingerprint on the server like this:

openssl x509 -noout -fingerprint -in /etc/ssl/example.crt.pem

And if you use a script to reload the web server, you can also use it to generate the fingerprints, for example:

#!/bin/bash
# Write the MD5 fingerprint of the cert (overwrites the file)
openssl x509 -noout -fingerprint -in /etc/ssl/example.crt.pem -md5 > /var/www/example.fingerprint.txt
# Append the SHA-1 fingerprint
openssl x509 -noout -fingerprint -in /etc/ssl/example.crt.pem -sha1 >> /var/www/example.fingerprint.txt
# Append the SHA-256 fingerprint
openssl x509 -noout -fingerprint -in /etc/ssl/example.crt.pem -sha256 >> /var/www/example.fingerprint.txt
# Reload Apache so it picks up the new cert
service apache2 reload

This can then be included in a web page, for example using SSI:

TLS certificate fingerprint, updated on 
<!--#flastmod file="/var/www/example.fingerprint.txt" -->: 
<!--#include virtual="/var/www/example.fingerprint.txt" -->

Apache

Apache Redirect Everything but ACME Requests

The ACME HTTP-01 challenge is served on port 80, but you want the site to be available only via port 443, so redirect everything on port 80, apart from Let's Encrypt challenge requests, to 443:

RedirectMatch ^/(?!\.well-known\/acme-challenge\/)(.*) https://example.org/$1

And if you also want to allow Munin to reach the Apache server status page over plain HTTP, exempt /server-status as well:

RedirectMatch ^/(?!server-status|\.well-known\/acme-challenge\/)(.*) https://example.org/$1

See the PCRE documentation for an explanation of these regular expressions.
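Because a RedirectMatch that exempts too little locks Munin out and one that exempts too much leaves pages reachable over plain HTTP, it is worth checking the regex against a list of paths before deploying it. The following is an added example, not part of these notes or of acme.sh; it uses Python's re module, whose lookahead and character-class syntax matches PCRE for these patterns, and the sample paths are constructed.

```python
import re

# RedirectMatch rules as they would appear in the port-80 VirtualHost.
# A request path that MATCHES the regex is redirected to https://, so the
# negative lookahead lists the paths that must stay on plain HTTP.
ACME_ONLY = r"^/(?!\.well-known\/acme-challenge\/)(.*)"
ACME_AND_STATUS = r"^/(?!server-status|\.well-known\/acme-challenge\/)(.*)"

# Constructed sample paths: the first two must be served over HTTP, the
# rest must be redirected to https://.
EXEMPT = ["/.well-known/acme-challenge/tokenABC", "/server-status"]
REDIRECTED = ["/", "/index.html", "/secret/admin", "/wp-login.php"]


def redirect_target(pattern, path, host="example.org"):
    """Return the https URL Apache would redirect `path` to, or None when
    the path is exempt and served over plain HTTP."""
    m = re.match(pattern, path)
    return None if m is None else f"https://{host}/{m.group(1)}"


def check_policy(pattern, exempt, redirected):
    """Compare a RedirectMatch regex against the intended policy.

    Returns a list of (path, problem) tuples; an empty list means every
    exempt path stays on HTTP and every other path is redirected.  A
    pattern that PCRE-style engines reject (for instance the character
    class form [server-status|...], where the '-' inside well-known makes
    an out-of-order range l-k) is reported as a single problem instead.
    """
    try:
        re.compile(pattern)
    except re.error as exc:
        return [(pattern, f"does not compile: {exc}")]
    problems = []
    for path in exempt:
        if redirect_target(pattern, path) is not None:
            problems.append((path, "redirected but should stay on HTTP"))
    for path in redirected:
        if redirect_target(pattern, path) is None:
            problems.append((path, "served over HTTP but should redirect"))
    return problems


if __name__ == "__main__":
    for name, pat in [("ACME_ONLY", ACME_ONLY), ("ACME_AND_STATUS", ACME_AND_STATUS)]:
        print(name, check_policy(pat, EXEMPT, REDIRECTED) or "OK")
```

Run it after editing the regex; ACME_ONLY is reported as redirecting /server-status, which is what you want unless Munin needs that page.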

Minimal Port 80 VirtualHost

If you are only running a server on port 80 for Let's Encrypt and redirects, then it can be a very minimal VirtualHost:

<VirtualHost *:80>
  ServerName example.org

  RedirectMatch ^/(?!\.well-known\/acme-challenge\/)(.*) https://example.org/$1

  DocumentRoot /var/www/le
  <Directory /var/www/le>
          Options None
          AllowOverride None
          ForceType text/plain
  </Directory>

</VirtualHost>

Nginx

Nginx Redirect Everything but ACME Requests

The same policy for Nginx; {{ hostname }} is a template placeholder to be replaced with the site's hostname:

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        root /var/www;

        location /.well-known/acme-challenge/ {
                allow all;
        }

        location / {
                return 301 https://{{ hostname }}$request_uri;
        }
}