This is the fifth in a series of several posts on how to do way more than you really need to with Let’s Encrypt, certbot
, and a good server. I use all of these things regularly but I’ve never taken the time to take them apart, look at how they work, and spend hours in Google trying in vain to figure out how to put them back together. It was inspired by a disturbing trend of ISP privacy violations and the shocking regulatory capture of the US Federal Communications Commission.
This post wraps up (most of) the server config and puts it to use. It covers my approach to generating a cert, and provides some useful openssl
commands for verification. Most of the work here is simply shuffling files around.
- The Series so Far
- Code
- Note
- Prepare the Site
- Providing the User Challenge Access
- Include the Challenge Config
- Generate the Cert
- Wiring up the Cert
- Restart the Server
- Testing with OpenSSL
- Before You Go
- Legal Stuff
The Series so Far
- Overview
- First Steps
- Tuning with OpenSSL
- Useful Headers
- Generating and Testing a Cert
- Automating Renewals
Things that are still planned but probably not soon:
- Updating OpenSSL
- CSP Playground
- Vagrant Examples (don’t hold your breath)
Code
You can view the code related to this post under the post-05-your-first-cert
tag. If you’re curious, you can also check out my first draft.
Note
I’m testing out some new tooling. This will be wotw-highlighter
’s shakedown run. Let me know what you think about the syntax highlighting! I’m pretty excited because (no whammies) it should work well in AMP and normally.
I wrote the majority of the Apache examples with httpd
in mind, i.e. from a RHEL perspective. If you instead use apache2
, most of the stuff should still work, albeit maybe just a little bit different.
I’ll be using Mozilla’s config generator again for simplicity.
Prepare the Site
Let’s assume we start with examples like these:
Nginx
/etc/nginx/conf.d/example.com.conf | |
1 2 3 4 5 6 7 8 | server { |
Apache
/etc/httpd/vhosts.d/example.com.conf | |
1 2 3 4 5 | Listen 80 |
Providing the User Challenge Access
The reason we built the group and external folder previously was so that it would be easy to access later. Simply add the website user to the letsencrypt
group.
$ sudo usermod -G letsencrypt nginx |
Include the Challenge Config
We set up a challenge directory earlier
Nginx
/etc/nginx/conf.d/example.com.conf | |
1 2 3 4 5 6 7 8 9 10 | server { |
Apache
/etc/httpd/vhosts.d/example.com.conf | |
1 2 3 4 5 6 | Listen 80 |
Generate the Cert
With everything in place, we can finally create a cert. All of this manual configuration was done to give us some flexibility over the final product. We’re going to pass certbot
a ton of options to handle this
- We only want a cert, not an installation
- We’re going to agree to the TOS
- We’re going to register an email for important contacts
- We’re going to skip joining the EFF email list
- We’re going to specify the webroot (i.e. the directory to place the challenges)
- We’re going to specify all the domains AND subdomains on the cert
$ certbot \ |
Depending on how things ran, you might have an issue or two to fix. If it worked, you’ll get a confirmation notice.
You can verify the files were properly created by checking the Let’s Encrypt directory.
$ cat /etc/letsencrypt/live/example.com/README |
Wiring up the Cert
Nginx
We paused with a config like this:
/etc/nginx/conf.d/example.com.conf | |
1 2 3 4 5 6 7 8 9 10 | server { |
We can replace it with something like this:
/etc/nginx/conf.d/example.com.conf | |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 | server { |
Apache
We paused with a config like this:
/etc/httpd/vhosts.d/example.com.conf | |
1 2 3 4 5 6 | Listen 80 |
We can replace it with something like this:
/etc/httpd/vhosts.d/example.com.conf | |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | Listen 80 |
As before, I haven’t tested the Apache config. At all. It might fail spectatularly.
Restart the Server
Nginx
$ sudo nginx -t && sudo systemctl restart nginx || echo "whoops" |
Apache
$ sudo httpd -t && sudo systemctl restart httpd || echo "whoops" |
Testing with OpenSSL
You can quickly verify your settings with openssl
. If there are any errors and you just restarted the server process, wait a few minutes and try again. The OCSP stapling especially takes more than a few seconds to propagate.
$ openssl s_client \ |
To make sure your content is coming through as intended, you can make actual HTTP request. I’ve illustrated below with my website. Note that there are two newlines to finish the request.
$ openssl s_client \ |
Along those lines, we can also test the redirect.
$ telnet wizardsoftheweb.pro 80 |
Before You Go
Let’s Encrypt is a fantastic service. If you like what they do, i.e. appreciate how accessible they’ve made secure web traffic, please donate. EFF’s certbot
is what powers my site (and basically anything I work on these days); consider buying them a beer (it’s really just a donate link but you catch my drift).
Legal Stuff
I’m still pretty new to the whole CYA legal thing. I really like everything I’ve covered here, and I’ve done my best to respect individual legal policies. If I screwed something up, please send me an email ASAP so I can fix it.
- The Electronic Frontier Foundation and
certbot
are covered by EFF’s generous copyright. As far as I know, it’s all under CC BY 3.0 US. I made a few minor tweaks to build the banner image but tried to respect the trademark. I don’t know who thecertbot
logo artist is but I really wish I did because it’s a fantastic piece of art. - Let’s Encrypt is trademarked. Its logo uses CC BY-NC 4.0. I made a few minor tweaks to build the banner image but tried to respect the trademark.
- I didn’t find anything definitive (other than EULAs) covering Nginx, which doesn’t mean it doesn’t exist. Assets were taken from its press page.
- Apache content was sourced from its press page. It provides a full trademark policy.