Using letsencrypt.org

Thu 24 December 2015

Everyone is writing their blog article about Let's Encrypt, so here's mine:

ACME Protocol

Let's Encrypt uses the ACME protocol (Automatic Certificate Management Environment), which was designed by the Internet Security Research Group for their Let's Encrypt service.

It's a protocol that removes any human interaction from the signing process (which is the reason why SSL certificates are expensive today).

Nowadays, you have to prove that you own the domain you request a certificate for by passing at least one of the following verifications. Depending on the provider, it can be:

  • receive an email at one of the domain's email addresses
  • create a TXT record in your DNS
  • put an HTML page with the provider's content on the HTTP server of your domain

These verifications can take hours or days and require human interaction at the end, which means getting a certificate takes 24 or 48 hours.

With the ACME protocol, it's easier. To prove that you own the domain, you need to set up an HTTP server that the domain points to. It proves that you're in control of the HTTP server which will use the requested SSL certificate.

The system then uses a JSON web service validation flow with some public key signing.
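The core of that validation flow for the HTTP challenge (http-01) is small enough to show in full. The following Python is an added example, not code from the post or from the Let's Encrypt client: the account key is a constructed JWK (public half only, not a real account key), the client computes the "key authorization" it must publish under /.well-known/acme-challenge/, and the CA side checks what it fetched over plain HTTP against that value.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed ACME account key, public half only, in JWK form. The modulus is a
# sample public value, not a key belonging to the post's author or to Let's Encrypt.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}

# The CA hands out challenge tokens as base64url text. A client that turns the token
# into a file name under its webroot must refuse anything else before touching the disk.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME/JOSE uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members
    only, so optional members such as "alg" or "kid" do not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Client side: the exact body to publish at /.well-known/acme-challenge/<token>."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url; refusing to use it as a file name")
    return f"{token}.{jwk_thumbprint(jwk)}"


def ca_validates(token: str, served_body: str, account_jwk: dict) -> bool:
    """CA side: the body fetched from the domain over HTTP must equal the key
    authorization for the account that requested the certificate. Trailing
    whitespace is ignored, as the spec allows; the compare is constant-time."""
    expected = key_authorization(token, account_jwk).encode("utf-8")
    return hmac.compare_digest(served_body.rstrip().encode("utf-8"), expected)
```

Because the thumbprint is bound to the account key, an attacker who can place arbitrary files on the web server still cannot answer the challenge without the private key that signed the request.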

Requesting your certificate

So basically, the first thing to understand is that you're not forced to use the Let's Encrypt client to generate your certificates; you can develop your own or use another one.

A simple GitHub search already shows at least 45 repositories of ACME clients.

One of the cons of the Let's Encrypt client is that it automates the certificate setup by tweaking your web server's configuration. It works very well with apache2, but the NGiNX support sucks.

I recommend using the standalone way.

To make this work with a running NGiNX server, you have to accept the ACME requests:

cat << 'EOF' > /etc/nginx/snippets/letsencrypt-acme-challenge.conf
# Rule for legitimate ACME challenge requests (like /.well-known/acme-challenge/xxxxxxxxx).
# We use ^~ here so that nginx does not check the regex locations afterwards (for speed).
# We actually MUST cancel the other regex checks, because our other config files have a
# regex rule that denies access to files with dotted names.
location ^~ /.well-known/acme-challenge/ {

    # Set the correct content type. According to this:
    # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
    # the current specification requires "text/plain" or no content type header at all.
    # "text/plain" is the safe option.
    default_type "text/plain";

    # This directory must be the same as the "webroot-path" parameter in
    # /etc/letsencrypt/cli.ini. Also don't forget to set the "authenticator"
    # parameter there to "webroot".
    # Do NOT use alias, use root! The challenge files end up in:
    # /var/www/letsencrypt/.well-known/acme-challenge/
    root         /var/www/letsencrypt;
}

# Hide the /acme-challenge subdirectory itself and return 404 on all requests.
# It is somewhat more secure than letting nginx return 403.
# The ending slash is important!
location = /.well-known/acme-challenge/ {
    return 404;
}
EOF
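To see why the comment insists on `^~` and on the ending slash, here is an added model of nginx's location selection written in Python (example code, not from the post or from nginx itself). The location table is constructed to mirror the snippet plus a deny-dotted-files regex of the kind the comment says lives in another config file, listed first as if that file were included earlier.

```python
import re

# Constructed location table: the deny-dotfiles regex from "another config file"
# first, then the two locations of the snippet. Actions are just labels.
LOCATIONS = [
    ("~",  r"/\.",                          "deny dotted files"),
    ("=",  "/.well-known/acme-challenge/", "return 404"),
    ("^~", "/.well-known/acme-challenge/", "serve from webroot"),
]


def resolve(uri, locations):
    """Pick the location nginx would use for an already-normalised URI:
    an exact (=) match wins immediately; otherwise the longest matching
    prefix is remembered, and if it carries ^~ it wins without regexes
    being consulted; otherwise regex (~ / ~*) locations are tried in file
    order, the first match wins, and the remembered prefix is the fallback."""
    for mod, pat, action in locations:
        if mod == "=" and uri == pat:
            return action
    prefixes = [(pat, mod, action) for mod, pat, action in locations
                if mod in ("", "^~") and uri.startswith(pat)]
    best = max(prefixes, key=lambda p: len(p[0]), default=None)
    if best is not None and best[1] == "^~":
        return best[2]
    for mod, pat, action in locations:
        flags = re.IGNORECASE if mod == "~*" else 0
        if mod in ("~", "~*") and re.search(pat, uri, flags):
            return action
    return best[2] if best is not None else "default server location"


def with_plain_regex(locations):
    """The same table with the challenge location written as `~` (a regex)
    instead of `^~`, so it has to compete with the deny rule in file order."""
    return [("~", pat, action) if mod == "^~" else (mod, pat, action)
            for mod, pat, action in locations]
```

With `^~` the challenge files are served whatever the include order, the bare directory gets a 404 thanks to the exact match on the trailing slash, and every other dotted path is still denied; swap `^~` for `~` and the earlier deny regex wins, which is exactly the failure the comment warns about.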

Then add it to your domain's configuration file:

# diff -u solvik.fr.before solvik.fr
--- solvik.fr.before                      2015-12-24 12:46:41.049661337 +0100
+++ solvik.fr.new                         2015-12-24 12:46:42.109679726 +0100
@@ -1,9 +1,12 @@
 server {
     listen 80;
     server_name solvik.fr www.solvik.fr;

     root /home/solvik/blog/output;
     index index.html index.php;

+    include "/etc/nginx/snippets/letsencrypt-acme-challenge.conf";
+
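Review bot: the hunk header `@@ -1,9 +1,12 @@` announces three added lines and nine old lines, but only two `+` lines and seven context lines are shown, so the hunk as pasted is truncated (the third added line and the closing lines of the server block are missing); the `+++` header also names `solvik.fr.new` while the command above diffs `solvik.fr.before` against `solvik.fr`. Worth pasting the complete hunk, so readers can see that the include sits inside the `listen 80` server block where the challenge requests arrive.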
# /etc/init.d/nginx reload

It'll accept the ACME protocol requests on the virtual host of the domain name you're asking a certificate for.

Now, let's request it.

mkdir -p /var/www/letsencrypt
git clone https://github.com/letsencrypt/letsencrypt.git
cd letsencrypt
./letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=/var/www/letsencrypt/ --agree-dev-preview -d solvik.fr -d blog.solvik.fr

The successful output looks like:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/solvik.fr/fullchain.pem. Your cert will
   expire on 2016-03-23. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


As you can see, the Let's Encrypt client stores the certificates in /etc/letsencrypt/. To use it:

Don't forget to generate strong Diffie-Hellman parameters:

openssl dhparam -out /etc/nginx/dhparam.pem 2048

I then used the Mozilla SSL Configuration Generator:

    ssl_certificate /etc/letsencrypt/live/solvik.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/solvik.fr/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/dhparam.pem;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/solvik.fr/chain.pem;

Renewing your certificate

To renew it, the command would be the following:

letsencrypt-auto --renew certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=/var/www/letsencrypt/ --agree-dev-preview -d solvik.fr -d www.solvik.fr -d blog.solvik.fr

Category: System Tagged: ssl letsencrypt


Migrating VM between ESXi hosts

Fri 23 January 2015

Recently I needed to migrate some VMs between ESXi hosts.

A few Google searches gave me the solution, but some of the answers were incomplete, as I ran into some errors.

    $ ovftool -ds=datastore1 vi://root@esxi-old.mydomain.com/ubuntu-14.04 vi://root@esxi-new.online.net/

The few errors I ran ...

Category: System Tagged: esxi migration ovf tools

Salt

Thu 24 April 2014

For a few months now, I've been inclined to test and use Salt Stack. I manage a lot of heterogeneous platforms, but each one is composed of similar machines that do the same stuff.

For example, once every three months, I'm asked to install new packages, configure a ...

Category: System Tagged: salt python deployment

How-To Debootstrap

Wed 23 April 2014

For my infrastructure purposes I often need to install as fast as possible. Most of my servers come with 4 disks and one or more RAID cards.

I usually don't trust the RAID cards, so I always create a RAID 0 per disk in order to use every logical volume like ...

Category: System Tagged: linux debootstrap ubuntu gpt

ZFSonLinux

Fri 18 April 2014

At Online, we've been trying ZFS On Linux on a few services.

Here's a small how-to (and also a reminder) on how to install it and manage it:

Install

    $ apt-add-repository --yes ppa:zfs-native/stable
    $ apt-get update && apt-get install ubuntu-zfs

ZFS comes with ...

Category: System Tagged: zfs linux zfsonlinux

Symfony performances

Fri 18 April 2014

For a few weeks, we've been stumbling upon a few performance problems on our Symfony2 backend. For the record, it's 50k lines of code, with lots of features and custom bundles.

autoloader

On the first request, Symfony's PHP code must discover all the classes of your code. It does ...

Category: System Tagged: symfony2 performances fabric