LetsEncrypt
Certbot
About
Protocols
- ACME v1 (deprecated in June 2020)
- ACME v2 (RFC 8555)
Hints
- If you are using wildcard-certificates you should always quote your domain-names to prevent shell expansion.
- Wildcard certificates:
  For wildcard certs the only way to answer the challenge is via DNS (dns-01).
  The only appropriate plugin for wildcard certificates is --manual.
- When integrating the TXT records into your zone, don't forget to increase the serial. Leave the TXT records in place so that the renewal succeeds.
- A wildcard DNS name may contain only a single wildcard character, and the owner name of the resource record has to start with it. See IETF RFC 4592, "The Role of Wildcards in the Domain Name System" (interesting sections: 2.1.1 and 4.5).
If you are using DANE TLSA-Records with Let's Encrypt, you should add the option --reuse-key, to make sure your certificate fingerprint doesn't change on renewal.
Installation
For Apache2:
aptitude install ssl-cert certbot python-certbot-apache
For Nginx:
aptitude install ssl-cert certbot python-certbot-nginx
Configuration
Prepare DNS records first! This may be an A or CNAME record.
Retrieve certificate for apache2 and postfix
certbot certonly --apache \
  --rsa-key-size 4096 \
  -m "hostmaster@rockstable.it" \
  -d "mx1.rockstable.it" \
  -d "mail.rockstable.it" \
  --no-eff-email \
  --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.rockstable.it
http-01 challenge for mx1.rockstable.it
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mx1.rockstable.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mx1.rockstable.it/privkey.pem
   Your cert will expire on 2019-09-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Retrieve certificate for nginx
certbot certonly --nginx \
  --rsa-key-size 4096 \
  -m "hostmaster@rockstable.it" \
  -d "git.rockstable.it" \
  -d "www3.rockstable.it" \
  --no-eff-email \
  --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for git.rockstable.it
http-01 challenge for www3.rockstable.it
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/git.rockstable.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/git.rockstable.it/privkey.pem
   Your cert will expire on 2019-10-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Some considerations concerning access
Change the group of the directories /etc/letsencrypt/{live,archive} to ssl-cert.
- Set the setgid bit and permit access to the group.
The files in /etc/letsencrypt/live/$DOMAIN are only symlinks, relative to ../../archive/$DOMAIN, so it is sufficient to change the permissions of /etc/letsencrypt/archive/$DOMAIN/*.
Change the group of the private keys in /etc/letsencrypt/archive to "ssl-cert" and permit read access to the group.
- Add all daemons that don't have a "primary/master" process running under uid 0 to the group ssl-cert, to allow them access to the certificates:
adduser daemon-user ssl-cert
- For example, it is unnecessary to add www-data, postfix and dovecot, since they have a "master" process running as root, and root can read anything.
ps faux \
  | egrep -A 3 'root.*(/usr/sbin/apache2|/usr/lib/postfix/sbin/master|/usr/sbin/dovecot)' \
  | grep -v grep
root       453  0.0  0.0    4308  3200 ?  Ss   Jun06   0:00 /usr/sbin/dovecot -F
dovecot    802  0.0  0.0    3952  1096 ?  S    Jun06   0:00  \_ dovecot/anvil
root     13273  0.0  0.0    4328  3176 ?  S    Jun07   0:00  \_ dovecot/log
root     13275  0.0  0.1    6188  4500 ?  S    Jun07   0:00  \_ dovecot/config
--
root       508  0.0  0.2   15264  9980 ?  Ss   Jun06   0:06 /usr/sbin/apache2 -k start
www-data 22005  0.0  0.1   15044  4556 ?  S    11:52   0:00  \_ /usr/sbin/apache2 -k start
www-data 22006  0.0  0.4 2310216 17016 ?  Sl   11:52   0:00  \_ /usr/sbin/apache2 -k start
www-data 22007  0.0  0.4 2310284 18996 ?  Sl   11:52   0:00  \_ /usr/sbin/apache2 -k start
--
root     15775  0.0  0.1   43472  4372 ?  Ss   Jun07   0:00 /usr/lib/postfix/sbin/master -w
postfix  15777  0.0  0.2   43880  8636 ?  S    Jun07   0:00  \_ qmgr -l -t unix -u
postfix  15815  0.0  0.2   44116  9756 ?  S    Jun07   0:00  \_ tlsmgr -l -t unix -u -c
postfix  21276  0.0  0.1   43828  7424 ?  S    11:38   0:00  \_ pickup -l -t unix -u -c
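The permission scheme described above, as an added shell example that is not part of the original page: it applies group ownership, the setgid bit and group-only read access to a certbot tree, then checks that no private key is left world-readable. The tree root and the group are parameters (on Debian: /etc/letsencrypt and ssl-cert); it assumes a POSIX shell with chgrp, chmod and find.

```shell
#!/bin/sh
# Added example, not from the original page: apply the access scheme above
# (group ssl-cert on live/ and archive/, setgid, group-readable private keys)
# to a certbot tree, then verify that no private key is world-readable.
# Usage: restrict_letsencrypt_tree /etc/letsencrypt ssl-cert

restrict_letsencrypt_tree() {
    root="$1"
    grp="$2"
    # live/ and archive/: owned by the group, setgid so new domain directories
    # inherit it, traversable by the group, closed to everyone else (2750).
    for d in "$root/live" "$root/archive"; do
        chgrp "$grp" "$d" && chmod 2750 "$d" || return 1
    done
    # live/ holds only relative symlinks, so the real files under archive/
    # are what needs fixing. Certificates and chains stay world-readable;
    # private keys become readable by root and the group only (0640).
    for d in "$root/archive"/*/; do
        [ -d "$d" ] || continue
        chgrp "$grp" "$d" && chmod 2750 "$d" || return 1
        for k in "$d"privkey*.pem; do
            [ -f "$k" ] || continue
            chgrp "$grp" "$k" && chmod 0640 "$k" || return 1
        done
    done
}

# Returns 0 when no private key below the tree is readable by "others",
# 1 otherwise. -perm -004 selects files with the world-read bit set.
no_world_readable_keys() {
    if find "$1/archive" -name 'privkey*.pem' -perm -004 | grep -q .; then
        return 1
    fi
    return 0
}
```

Run it as root after every new certificate (or from a deploy hook), since certbot creates new archive files with its own defaults.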
Now change the certificate and key paths in the applications' configuration to point to the newly acquired files:
postfix/main.cf:smtpd_tls_cert_file = /etc/letsencrypt/live/mx1.rockstable.it/fullchain.pem
postfix/main.cf:smtpd_tls_key_file = /etc/letsencrypt/live/mx1.rockstable.it/privkey.pem
dovecot/conf.d/10-ssl.conf:ssl_cert = </etc/letsencrypt/live/mx1.rockstable.it/fullchain.pem
dovecot/conf.d/10-ssl.conf:ssl_key = </etc/letsencrypt/live/mx1.rockstable.it/privkey.pem
apache2/sites-available/roundcube_ssl.conf:    SSLCertificateFile /etc/letsencrypt/live/mx1.rockstable.it/fullchain.pem
apache2/sites-available/roundcube_ssl.conf:    SSLCertificateKeyFile /etc/letsencrypt/live/mx1.rockstable.it/privkey.pem
Restart 'em -> DONE.
Systemd certbot.timer is waiting - ready for renewal -> FINE.
systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
   Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
   Active: active (waiting) since Thu 2019-06-06 20:59:23 CEST; 1 day 15h ago
  Trigger: Sat 2019-06-08 22:29:31 CEST; 9h left

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Renewal hooks
/usr/local/sbin/action_service.sh
#!/bin/bash
# Generic renewal hook: action and service are taken from the script's own
# file name, so a link named "reload_apache2.sh" to this script runs
# "systemctl reload apache2.service".
SELF="$(basename "$0" | cut -f1 -d.)"
ACTION="${SELF%%_*}"
SERVICE="${SELF##*_}"

VERBOSE=false

### SANITIZE
# Allow only a fixed set of systemctl verbs; the pattern is anchored on
# both ends so that e.g. "startfoo" is rejected as well.
if ! grep -qE -e "^(start|stop|restart|reload|status)$" <<< "$ACTION"; then
    "$VERBOSE" && echo "Error - action filtered: '$ACTION'"
    exit 1
fi

# Called via the unlinked name "action_service.sh": no real service given.
if grep -q -e "^service$" <<< "$SERVICE"; then
    "$VERBOSE" && echo "Error - no service specified: '$SERVICE'"
    exit 2
fi

if [ "$ACTION" ] && [ "$SERVICE" ]; then
    # Propagate a failing systemctl call so certbot reports the hook error.
    systemctl "$ACTION" "$SERVICE".service || exit 3
    "$VERBOSE" && systemctl status "$SERVICE".service
fi
# Exit 0 explicitly: otherwise the status of the last "$VERBOSE && ..." test
# (1 when VERBOSE=false) would become the hook's exit code.
exit 0
Link hooks
Change domains of a certificate
Get the certificate names by issuing the following command:
certbot certificates
With the option --cert-name you can change a certificate's properties, such as its domains or purposes. This example is special in that it additionally requests wildcard SANs, hence --manual --preferred-challenges dns:
certbot certonly \
  --cert-name "jabber.rockstable.it" \
  --manual \
  --rsa-key-size 4096 \
  --preferred-challenges dns \
  -m "hostmaster@rockstable.it" \
  -d "jabber.rockstable.it" \
  -d "jabber1.rockstable.it" \
  -d "*.jabber.rockstable.it" \
  -d "*.jabber1.rockstable.it" \
  --no-eff-email \
  --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate jabber.rockstable.it to include new domain(s):
+ *.jabber.rockstable.it
+ *.jabber1.rockstable.it

You are also removing previously included domain(s):
(None)

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: U
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for jabber.rockstable.it
dns-01 challenge for jabber1.rockstable.it
dns-01 challenge for jabber.rockstable.it
dns-01 challenge for jabber1.rockstable.it

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.jabber.rockstable.it with the following value:

XTXyH8KOM5jSCaI6MCZSPRE3wP-8VU7KQ_bwcwZ1W4s

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.jabber1.rockstable.it with the following value:

P_HWFlmOfqAXP98dRHibUu5KWuxMPYtY4cHfD3gd9QE

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.jabber.rockstable.it with the following value:

ACprK1TjjqXru0Qxffm2QZKfT1X-RVx1E9SQVjQaDTg

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.jabber1.rockstable.it with the following value:

xdz9ruXUFf5C6oDgtx1cF3H54N3sLhlJ-ZSVaf55saI

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/jabber.rockstable.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/jabber.rockstable.it/privkey.pem
   Your cert will expire on 2020-01-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
DNS Certification Authority Authorization (CAA) Resource Record
This topic is covered on the DNS page, in the section "DNS Certification Authority Authorization (CAA) Resource Record".
Certbot on Debian Jessie
The certbot version in Debian Jessie is 0.10.2-1~bpo8+1, and it is furthermore only available via backports. This version only supports ACMEv1, which was deprecated in June 2020. Here's a way to get a modern certbot running.
certbot.eff.org: Debian Jessie Apache
If you've got an older version of certbot installed, make a snapshot of the machine and a backup of the following directories/files first:
/etc/letsencrypt
/etc/cron.d/certbot
You can get the certbot packages for Debian Jessie Backports from the Debian archive, but their signature has expired. :-D
Fetch (wget) the certbot-auto wrapper script, the entry point that takes care of installation, updates and command invocation.
Install the OS dependencies (python, virtualenv, compiler, headers …) and certbot itself into /opt/eff.org/certbot/venv:
certbot-auto --install-only
Try it
Remove the old certbot
apt remove certbot
Without systemd
Create a cron file /etc/cron.d/certbot-auto that is triggered twice a day:
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/local/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot-auto -q renew
With systemd
Create a service file to be triggered by a timer.
/lib/systemd/system/certbot-auto.service
/lib/systemd/system/certbot-auto.timer
Reload systemd and enable timer