Open Source Free SSL

Hi everyone and happy 2016.

I thought it would be prudent to share this - OFN South Africa is now making use of this open source SSL signing service.

Lawrence


Happy 2016! It’s great to see Let’s Encrypt taking off and I anticipate we’ll switch to it when our current certificates expire.


Update August 2016: The letsencrypt client is now called certbot and is a bit easier to use. https://certbot.eff.org/

Since the letsencrypt client needs root privileges, I did all the following as root (sudo su -).

Install letsencrypt

mkdir -p /root/bin
cd /root/bin
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
/root/bin/certbot-auto

Configure Nginx

Edit your Nginx configuration, for example /etc/nginx/sites-available/openfoodnetwork. Add the following lines to your server config:

  # letsencrypt validation folder
  # Do not use a /tmp folder or other users can obtain certificates.
  location '/.well-known/acme-challenge' { 
  default_type "text/plain";
    root        /etc/letsencrypt/webrootauth;
  }

If you have an SSL certificate already and there is a redirect to https in your config, place these lines after the redirect at the end of the ‘server’ block.

Then reload: service nginx reload

Obtain the first certificate

/opt/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path=/etc/letsencrypt/webrootauth --email admin@openfoodnetwork.example.org --text --agree-eula --agree-tos -d openfoodnetwork.example.org

Install first certificate

Edit your Nginx configuration again.

  ssl_certificate      /etc/letsencrypt/live/openfoodnetwork.example.org/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/openfoodnetwork.example.org/privkey.pem;

After reloading service nginx reload you should have a valid SSL setup.

Automatic renewal

Test renewal with: /root/bin/certbot-auto renew --dry-run

If that is successful, you can configure cron to check for renewals every day:

echo '#!/bin/sh

/root/bin/certbot-auto renew \
 --quiet --no-self-upgrade \
 --post-hook "/usr/sbin/service nginx reload"
' > /etc/cron.daily/certbot

chmod +x /etc/cron.daily/certbot

You are done.


Thanks @maikel for the detailed instructions - I agree it would be great to have these steps automated.


Took me a minute to figure it out, as was used to using the ofn_deployment method of creating the files locally.

The --agree-eula flag doesn’t seem to be supported any more.

This is the command that ultimately worked:

/opt/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path=/etc/letsencrypt/webrootauth \
--email admin@openfoodnetwork.example.org --text --agree-eula --agree-tos -d \
openfoodnetwork.example.org
certonly --webroot \
--webroot-path /var/www/example --renew-by-default --email \
example@example.org --text --agree-tos --agree-dev-preview -d \
site.example.org -d site.example.org

Got some help from the Let’s Encrypt Forum.

This is the configuration that worked for me:

server {
 listen 80;
 server_name  www.mydomain.org mydomain.org;
 
# Do not use a /tmp folder or other users can obtain certificates.
    location '/.well-known/acme-challenge' { 
    default_type "text/plain";
    root        /etc/letsencrypt/webrootauth;
   }
    
    location / {
    rewrite ^/(.*) https://mydomain.org/$1 permanent;
    }
}

@pmackay possibly if we alter the vhost.js file something along the lines of

server {
  listen 80;
{% if protocol == 'https' %}
  server_name  www.{{ domain }} {{ domain }};
  # letsencrypt validation folder
    # Do not use a /tmp folder or other users can obtain certificates.
    location '/.well-known/acme-challenge' { 
    default_type "text/plain";
    root        /etc/letsencrypt/webrootauth;
   }
{% else %}
  server_name  www.{{ domain }};
{% endif %}
   location / {
            rewrite ^/(.*) {{ protocol }}://{{ domain }}/$1 permanent;
        }
}

And nginx_unicorn.j2:

```
server {
listen 80;
{% if protocol == 'https' %}
server_name www.{{ domain }} {{ domain }};

# letsencrypt validation folder
# Do not use a /tmp folder or other users can obtain certificates.
location '/.well-known/acme-challenge' {
    default_type "text/plain";
    root        /etc/letsencrypt/webrootauth;
}
{% else %}
server_name www.{{ domain }};
{% endif %}
location / {
rewrite ^/(.*) https://staging.usfoodcoop.org/$1 permanent;
}
}
```

removing the include {{ app }}_ssl; lines.

I’m still fairly unclear on all of the installation steps as far as Ansible goes in terms of when and how the nginx config files get written and maybe rewritten.

I see thereā€™s an Ansible-galaxy role that installs acme-tiny.

Update:

Stack Overflow.

Have to add the string ssl after 443:

ssl_certificate      /etc/letsencrypt/live/mydomain.org/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/mydomain.org/privkey.pem;

server {
  listen 443 ssl;
 #etc...
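The pitfalls raised in this thread (a challenge webroot under /tmp, a `listen 443` line without `ssl`, and `listen /` where `location /` was meant) can be caught before reloading nginx. The following pre-flight check is an added example, not code from the thread or from the OFN deployment scripts; the two sample configs and the `lint_acme_config` helper are constructed for illustration.

```python
import re

# Constructed sample configs (not from the thread): the weak one uses a /tmp
# webroot and omits "ssl" on the 443 listener; the good one follows the thread.
WEAK_CONF = """
server {
  listen 443;
  location '/.well-known/acme-challenge' {
    default_type "text/plain";
    root /tmp/letsencrypt;
  }
}
"""

GOOD_CONF = """
server {
  listen 80;
  location '/.well-known/acme-challenge' {
    default_type "text/plain";
    root        /etc/letsencrypt/webrootauth;
  }
  location / { rewrite ^/(.*) https://mydomain.org/$1 permanent; }
}
server {
  listen 443 ssl;
}
"""

def lint_acme_config(conf: str) -> list[str]:
    """Return findings for the pitfalls discussed in the thread (hypothetical helper)."""
    findings = []
    # 1. The challenge webroot must exist and must not live under a shared temp dir,
    #    otherwise another local user could answer the challenge for your name.
    block = re.search(r"location\s+['\"]?/\.well-known/acme-challenge['\"]?\s*\{([^}]*)\}", conf)
    if not block:
        findings.append("no acme-challenge location block")
    else:
        root = re.search(r"\broot\s+(\S+?)\s*;", block.group(1))
        if not root:
            findings.append("acme-challenge block has no root directive")
        elif root.group(1).startswith(("/tmp/", "/var/tmp/")):
            findings.append(f"acme-challenge root {root.group(1)} is in a shared temp dir")
    # 2. A 443 listener without the ssl parameter serves plain HTTP on the TLS port.
    for stmt in re.findall(r"\blisten\s+[^;{]*;", conf):
        if re.search(r"\b443\b", stmt) and not re.search(r"\bssl\b", stmt):
            findings.append(f"'{stmt.strip()}' lacks the ssl parameter")
    # 3. 'listen /' in the thread's template is a typo for 'location /'.
    if re.search(r"\blisten\s+/", conf):
        findings.append("'listen /' should be 'location /'")
    return findings
```

Run it over your rendered site file before `service nginx reload`; an empty list means none of the three mistakes from the thread is present.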

@MikeiLL do you now have LetsEncrypt working on the US staging?

Oh yes. LetsEncrypt is happily chugging along and I have documented the process. Also I noticed that it appears another Ansible/Vagrant library I’m working with for Wordpress sites is configuring LetsEncrypt as part of the Deploy. https://roots.io/trellis-adds-lets-encrypt-integration/ So there might be some good reference material there.

Cool! Just to clarify, is the documentation your posts above? Have you modified any ansible scripts to enable this, or simply edited files on the server?

Documentation is on my weblog, which includes the Let’s Encrypt process. If I had made any modifications to the Ansible scripts they are not PR-ready. This is a link to my nginx config file that seems to have worked: https://gist.github.com/MikeiLL/f7fdceb1a2c986bbccc1e016e93d2727

Great! FYI, I’m deep in the middle of more improvements to the ansible scripts to automate letsencrypt and a few other bits. Will post branch when I’ve pushed changes.

https://staging2.openfoodnetwork.org.uk/ has just been built to do that in completely automated way. So making some progress.
