Let's Encrypt

From Indie IT Wiki

Introduction

Let's Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

Let's Encrypt has grown to be the third largest Certificate Authority in the world, with 1.93 million unexpired certificates currently in the wild.

https://letsencrypt.org

https://letsencrypt.org/getting-started/

Installation of Certbot

https://certbot.eff.org/#ubuntutrusty-other

sudo -i
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get check
apt-get install certbot

Generate Certificate

certbot certonly --standalone --email me@example.com --agree-tos -d www.example.com
cd /etc/letsencrypt/archive/www.example.com/
cat privkey1.pem cert1.pem > ssl1.pem
cd /etc/letsencrypt/live/www.example.com/
ln -s ../../archive/www.example.com/ssl1.pem ssl.pem

Check Certificate

certbot certificates

Change Registered Email Address

certbot register --email user@example.com --update-registration

LetsEncrypt with Certbot and AWS Route 53 DNS Validation

https://jloh.co/posts/certbot-route53-dns-validation/

LetsEncrypt with NGINX

sudo -i
apt-get install python-certbot-nginx
certbot --nginx --email me@domain.co.uk --agree-tos -d www.domain.co.uk -d domain.co.uk
less /etc/nginx/sites-enabled/www.domain.co.uk
systemctl reload nginx

LetsEncrypt with IIS

sudo -i
openssl pkcs12 -export -out /tmp/certificate.pfx -inkey /etc/letsencrypt/live/domain.uk.com/privkey.pem -in /etc/letsencrypt/live/domain.uk.com/cert.pem -certfile /etc/letsencrypt/live/domain.uk.com/chain.pem

LetsEncrypt with Dovecot

http://wiki.indie-it.com/wiki/Dovecot#Let.27s_Encrypt_SSL_Certificate_and_Dovecot

LetsEncrypt with Postfix

smtpd_tls_cert_file = /etc/letsencrypt/live/mail.domain.co.uk/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.domain.co.uk/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.domain.co.uk/chain.pem

LetsEncrypt with Webmin

sudo -i
cd /etc/letsencrypt/live/www.domain.uk.com
cat privkey.pem cert.pem > ssl.pem
nano /etc/webmin/miniserv.conf
certfile=/etc/letsencrypt/live/www.domain.uk.com/cert.pem
keyfile=/etc/letsencrypt/live/www.domain.uk.com/privkey.pem
extracas=/etc/letsencrypt/live/www.domain.uk.com/fullchain.pem
service webmin restart

LetsEncrypt with Lighttpd

Initial Setup

sudo -i
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
./letsencrypt-auto certonly --webroot -w /var/www/domain.uk.com/html/ -d domain.uk.com -d www.domain.uk.com
cd /etc/letsencrypt/live/domain.uk.com
cat privkey.pem cert.pem > ssl.pem
nano /etc/lighttpd/domain.uk.com.conf
$HTTP["host"] =~ "www\.domain\.uk\.com$" {
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/domain.uk.com/ssl.pem"
    ssl.ca-file = "/etc/letsencrypt/live/domain.uk.com/fullchain.pem"
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    ssl.honor-cipher-order = "enable"
    ssl.use-compression = "disable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.ec-curve = "secp384r1"
  }
  server.document-root = "/var/www/domain.uk.com/html"
  server.errorlog = "/var/www/domain.uk.com/logs/error.log"
  accesslog.filename = "/var/www/domain.uk.com/logs/access.log"
}
service lighttpd reload

Automated Renewal

sudo -i
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
touch /etc/cron.weekly/letsencrypt
chmod +x /etc/cron.weekly/letsencrypt
nano /etc/cron.weekly/letsencrypt

#!/bin/sh
# Automatically Renew Letsencrypt Certs
# Stop at the first failing step so a failed cd cannot leave a stale ssl.pem behind
set -e
/opt/letsencrypt/letsencrypt-auto renew --webroot --webroot-path /var/www/domain.uk.com/html/
# Rebuild the cert (private key and certificate in one file, as Lighttpd expects)
cd /etc/letsencrypt/live/domain.uk.com/
cat privkey.pem cert.pem > ssl.pem
# Reload lighttpd
/etc/init.d/lighttpd reload
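The weekly script above rebuilds ssl.pem and reloads Lighttpd every run whether or not anything was renewed, and it overwrites the combined file without checking that the new key and certificate belong together. The deploy hook below is an added example, not from this wiki page and not part of the Certbot project. It does the same "cat privkey.pem cert.pem > ssl.pem" step that the Generate Certificate, Webmin and Lighttpd sections use, but only when Certbot has actually issued a new certificate: run it as `certbot renew --deploy-hook /etc/letsencrypt/deploy-ssl-pem.sh` (the --deploy-hook option exists from Certbot 0.17 onward, and Certbot exports RENEWED_LINEAGE to deploy hooks). It verifies that privkey.pem and cert.pem match before touching ssl.pem, creates the file with mode 0600 and renames it into place atomically, then reloads the service. The script path, the RELOAD_CMD default and the ssl.pem name are assumptions.

```shell
#!/bin/sh
# Certbot deploy hook: rebuild the combined key+cert file that Lighttpd and
# Webmin read, then reload the service. Added example, not from the wiki page.
# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/domain.uk.com)
# to deploy hooks; the reload command and the ssl.pem name are assumptions.
# Install as /etc/letsencrypt/deploy-ssl-pem.sh (assumed path) and run with:
#   certbot renew --deploy-hook /etc/letsencrypt/deploy-ssl-pem.sh
set -eu

# Service reload to run after a successful rebuild (assumed default).
RELOAD_CMD="${RELOAD_CMD:-service lighttpd reload}"

# Succeed only if privkey.pem and cert.pem in directory $1 belong together:
# derive the public key from each and compare. A mismatch (or a file openssl
# cannot parse) means the combined file would be unusable, so the caller
# must keep the old ssl.pem.
key_matches_cert() {
    dir=$1
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Write privkey.pem + cert.pem to $1/ssl.pem. The file is created under
# umask 077 so the private key is never world-readable, and it is written
# to a temporary name and renamed so the server never reads a half-written
# file. Prints the final path.
build_combined_pem() {
    dir=$1
    tmp="$dir/ssl.pem.tmp.$$"
    (umask 077; cat "$dir/privkey.pem" "$dir/cert.pem" > "$tmp")
    chmod 0600 "$tmp"
    mv -f "$tmp" "$dir/ssl.pem"
    echo "$dir/ssl.pem"
}

# Full hook: verify, rebuild, reload. Returns non-zero and leaves the old
# ssl.pem untouched if the new key and certificate do not match.
deploy() {
    dir=$1
    if ! key_matches_cert "$dir"; then
        echo "deploy hook: privkey.pem and cert.pem in $dir do not match, keeping old ssl.pem" >&2
        return 1
    fi
    out=$(build_combined_pem "$dir")
    echo "deploy hook: rebuilt $out"
    $RELOAD_CMD    # unquoted on purpose: the command is split into words
}

# Certbot sets RENEWED_LINEAGE only when it calls us as a deploy hook, so
# running the script by hand without it does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Because the hook only runs after a successful issuance, the weekly cron entry shrinks to the single renew command, and a renewal that fails (rate limit, challenge error) never causes a reload.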

Complete Example of Cron Weekly

/opt/letsencrypt/letsencrypt-auto renew --pre-hook "service apache2 stop" --post-hook "service apache2 start"

root@server1.domain.co.uk ~ $ (screen) /etc/cron.weekly/letsencrypt
Upgrading certbot-auto 0.15.0 to 0.16.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/webmail.domain.co.uk.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Running pre-hook command: service apache2 stop
Output from service:
 * Stopping web server apache2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for webmail.domain.co.uk
tls-sni-01 challenge for server1.domain.co.uk
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/webmail.domain.co.uk/fullchain.pem
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/webmail.domain.co.uk/fullchain.pem (success)
Running post-hook command: service apache2 start
Output from service:
 * Starting web server apache2

Thanks - https://freek.ws/2017/03/19/setting-up-lets-encrypt-with-lighttpd-and-automatic-certificate-renewal/

Thanks - https://nwgat.ninja/setting-up-letsencrypt-with-lighttpd/

Test Certificates

SMTP / TLS

openssl s_client -CAfile /etc/letsencrypt/live/mail.example.co.uk/fullchain.pem -connect localhost:25 -starttls smtp

IMAPS

openssl s_client -CAfile /etc/letsencrypt/live/mail.example.co.uk/fullchain.pem -connect localhost:993 -quiet

POP3S

openssl s_client -CAfile /etc/letsencrypt/live/mail.example.co.uk/fullchain.pem -connect localhost:995 -quiet
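The three checks above point -CAfile at the server's own fullchain.pem, which hands the intermediate certificate to the client locally. A server that forgets to send its chain (for example a Postfix or Dovecot configured with cert.pem but no chain file) therefore still passes this test, even though ordinary mail clients, which only have their own root store, would reject it. The script below is an added example, not from this wiki page and not from OpenSSL: it verifies a service against the system trust store only and additionally warns when the served certificate is within WARN_DAYS of expiry, using `openssl x509 -checkend`. The host names in the usage comment are constructed, and the script name, the 30-day default and the exit codes are assumptions.

```shell
#!/bin/sh
# Check a TLS service the way a real client does: verify the served chain
# against the system trust store only (no -CAfile), and warn when the leaf
# certificate is close to expiry. Added example, not from the wiki page or
# from OpenSSL; requires the openssl binary. WARN_DAYS and the script name
# are assumptions. Usage (host names constructed):
#   ./check-tls-service.sh mail.example.co.uk 25 smtp
#   ./check-tls-service.sh mail.example.co.uk 993
#   ./check-tls-service.sh mail.example.co.uk 995
set -eu

WARN_DAYS="${WARN_DAYS:-30}"   # warn when fewer days than this remain (assumed default)

# Read "openssl s_client" output on stdin and succeed only if OpenSSL's own
# chain verification reported code 0. Anything else (e.g. "18 (self signed
# certificate)" or "20 (unable to get local issuer certificate)", which is
# what a missing intermediate looks like) fails.
verify_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# Read a PEM certificate on stdin and succeed if it expires within $1 days.
# Input that openssl cannot parse also counts as expiring, so a broken
# deployment raises the alarm instead of passing silently.
cert_expires_within() {
    ! openssl x509 -noout -checkend $(( $1 * 86400 )) 2>/dev/null
}

# Connect to $1:$2 and print the s_client transcript (it contains the leaf
# certificate PEM and the verify result). $3 is an optional STARTTLS
# protocol (smtp, imap, pop3) for plaintext-first ports such as 25.
fetch_tls_transcript() {
    host=$1; port=$2; proto=${3:-}
    if [ -n "$proto" ]; then
        openssl s_client -servername "$host" -connect "$host:$port" -starttls "$proto" < /dev/null 2>/dev/null
    else
        openssl s_client -servername "$host" -connect "$host:$port" < /dev/null 2>/dev/null
    fi
}

# Exit 0 = OK, 1 = chain not trusted (or no connection), 2 = expiring soon.
check_tls_service() {
    host=$1; port=$2; proto=${3:-}
    out=$(fetch_tls_transcript "$host" "$port" "$proto") || true
    if ! printf '%s\n' "$out" | verify_ok; then
        echo "FAIL $host:$port: chain not trusted by the system store (no connection, missing intermediate, or wrong/expired certificate)" >&2
        return 1
    fi
    if printf '%s\n' "$out" | cert_expires_within "$WARN_DAYS"; then
        echo "WARN $host:$port: certificate expires within $WARN_DAYS days" >&2
        return 2
    fi
    echo "OK $host:$port: trusted chain, more than $WARN_DAYS days left"
}

if [ $# -ge 2 ]; then
    check_tls_service "$@"
fi
```

Run it from a different machine than the mail server where possible, so that a stale local trust store or a host-only firewall rule cannot mask a problem that remote clients would see; the distinct exit codes let a monitoring job separate "untrusted" from "expiring soon".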