Sysadmin/Letsencrypt

Description

Let’s Encrypt (LE) is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is sponsored by the biggest Internet companies and browsers: Google (Chrome), Mozilla (Firefox), and so on. At the time of writing, LE is in public beta.

Currently, we have LE installed on Machine/freedom and Machine/sunjammer.

Installation

We have chosen /opt/letsencrypt as the base or home directory for the LE client. The LE Client is a fully-featured, extensible client for the Let’s Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring webservers to use them.

Because there is no a LE package for Ubuntu yet, we must clone the letsencrypt-auto wrapper script. This script obtains some dependencies from the OS (apt-get) and puts others in a python virtual environment (Pip). The only requirement is Python 2.6 or Python 2.7.

git clone https://github.com/letsencrypt/letsencrypt

This client requires root access in order to write to /etc/letsencrypt, /var/log/letsencrypt, /var/lib/letsencrypt; to bind to ports 80 and 443 and to read and modify webserver configurations (for apache or nginx plugins).

Getting a certificate

The Let’s Encrypt client supports a number of different plugins that can be used to obtain and/or install certificates. For the moment, we decided to get the certificates manually and apply the changes to the the web server with a script. We can use the Nginx plugin to automatically obtain and install the certificate but this plugin is still experimental.

In order to automate the process (of getting the cert), we create a config file for each domain inside the folder /etc/letsencrypt/config. For example, the config file for www.slo is:

# We use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

email = sysadmin@sugarlabs.org
domains = sugarlabs.org, www.sugarlabs.org

authenticator = webroot

# This is the webroot directory of your domain in which
# letsencrypt will write a hash in /.well-known/acme-challenge directory.
webroot-path = /srv/www-sugarlabs/

The LE validation server must have access to the domain (port 80) of which we want to get the certificate. In order to validate that the server control the domain, the LE CA will issue one or more sets of challenges. For example, provisioning an HTTP resource under a well-known URI. Usually, the resource requested will be located at /.well-known/acme-challenge under the webroot folder of the requested site.

In Nginx, we can define how to process a specific request with the location directive. Be sure to add the following lines to the server block inside Nginx:

location '/.well-known/acme-challenge' {
        root /srv/www-sugarlabs/;
    }

To get the certificate using the previous config file, we must execute the following command:

/opt/letsencrypt/letsencrypt-auto certonly --config /etc/letsencrypt/config/sugarlabs.org.ini 

All generated keys and issued certificates can be found in /etc/letsencrypt/live/sugarlabs.org/.

The same process can be applied for getting certs for other domains: (1) create a subdomain.domain.tld config file, (2) define the well-know resource and, (3) request the certificate.

NOTE: We had to comment out our CAA records in the DNS in order to obtain the certificates. CAA records forbids LE to issue certificates for a domain.

Renewing a Certificate

Let’s Encrypt CA issues short lived certificates (90 days). In order to automate the renewal, we everyday automatically execute a script which checks the expiration day for every certificate and requests the renewal 15 days before the expiration day (this value is tweakable). After renewing the cert, the script reload the Nginx config.

#!/bin/bash

LE_CERTS='/etc/letsencrypt/live'
LE_CONFIG_PATH='/etc/letsencrypt/config'
LE_BIN='/opt/letsencrypt/letsencrypt-auto'
WEB_SERVER='nginx'
EXP_LIMIT=15

for config in $(ls $LE_CONFIG_PATH/*.ini); do
   domain=$(basename "$config" .ini)
   DATE_NOW=$(date -d "now" +%s)
   EXP_DATE=$(date -d "`openssl x509 -in $LE_CERTS/$domain/cert.pem -text -noout | grep "Not After" | cut -c 25-`" +%s)
   EXP_DAYS=$(( (EXP_DATE - $DATE_NOW) / 86400 ))
   if (( $EXP_DAYS < $EXP_LIMIT )) ; then
        echo "The certificate for $domain is about to expire soon. Starting renewal..."
        $LE_BIN certonly --renew-by-default --config $config
        echo "Reloading $WEB_SERVER"
        /usr/sbin/service $WEB_SERVER reload
        echo "Renewal process finished for $domain"
   else
        echo "The certificate for $domain is up to date, no need for renewal ($EXP_DAYS days left for renewal)."
   fi
done

The script is named renew-letsencrypt.sh and is located in /usr/local/bin

Sites

The sites currently with a LE SSL certificate are:

bugs.sugarlabs.org
bundlebin.sugarlabs.org
developer.sugarlabs.org
freedom.sugarlabs.org
help.sugarlabs.org
hook.sugarlabs.org
nagios.sugarlabs.org
socialhelp.sugarlabs.org
sugarlabs.org
turtleartday.org
use-socialhelp.sugarlabs.org
vote.sugarlabs.org
download.sugarlabs.org
ldap.sugarlabs.org
lists.sugarlabs.org
munin.sugarlabs.org
musicblocks.sugarlabs.org
people.sugarlabs.org
static.sugarlabs.org
sunjammer.sugarlabs.org
turtle.sugarlabs.org
wiki.sugarlabs.org
weblate.sugarlabs.org

Contact

  • Samuel, scg on #sugar on Freenode.