Free SSL for the mass \o/
Cryptography is important. I like to encrypt as much traffic and data as possible, not only the important stuff. Let’s Encrypt is a new project sponsored by multiple big companies and the Linux Foundation to provide free and automated SSL certificates for everyone. There are a few – not so awesome – solutions to get a certificate. The project ships a little daemon which can communicate with their API, but I don’t like that. Running a daemon is always a security challenge. It is possible to use the daemon as a client only: start it once, renew the cert or get a new one, exit.
My fellow aibo blogged about this in January and created a nice systemd service + timer for that. You had to run the command from the service once via terminal because it asks you to accept their Terms of Service and to provide an email address.
I recently made a little adjustment together with aibo to also provide these two pieces of information, so now you can completely automate the SSL setup. Here is our modified service file:
Setup:
[Unit]
Description=renew certificates for %I

[Service]
Type=oneshot
ExecStartPre=/usr/bin/mkdir -p /tmp/letsencrypt-auto
ExecStart=/usr/bin/letsencrypt certonly \
  --webroot \
  --webroot-path=/tmp/letsencrypt-auto \
  --renew-by-default \
  --keep \
  --agree-tos \
  --email tim@bastelfreak.de \
  -d %I
ExecStartPost=/usr/bin/nginx -s reload

[Install]
WantedBy=multi-user.target
Save that as /etc/systemd/system/letsencrypt-renew@.service and also create the following timer as /etc/systemd/system/letsencrypt-renew@.timer:
[Unit]
Description=run cert renew for %I every two month

[Timer]
OnCalendar=*-*/2-4 1:0:0
Persistent=true

[Install]
WantedBy=multi-user.target
You now want an SSL cert for myawesomestuff.example.com? Just do systemctl enable letsencrypt-renew@myawesomestuff.example.com.timer and wait until the timer starts. If you want a new cert right now, just run systemctl start letsencrypt-renew@myawesomestuff.example.com.service instead. You need more certificates? Just enable the timer again with a different domain name \o/
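Added example, not from the post or the letsencrypt project: a small Python check of what the OnCalendar line above actually schedules and whether that cadence keeps a 90-day Let’s Encrypt certificate alive. The function names are mine; the rule that `*/N` counts from the field's first valid value is the systemd.time(7) behaviour.

```python
"""Cadence check for a systemd timer (added example, not the post's code). It handles
the subset of systemd.time(7) syntax used in the timer above: a 'YYYY-MM-DD HH:MM:SS'
spec whose date fields are '*', a fixed number or '*/N'; the time part is ignored."""
from datetime import date, timedelta


def _field_matches(field: str, value: int, first_valid: int) -> bool:
    """One date field against one value. systemd counts '*/N' from the field's
    first valid value (month 1, day 1), so '*/2' months are Jan, Mar, May, ..."""
    if field == "*":
        return True
    if field.startswith("*/"):
        return (value - first_valid) % int(field[2:]) == 0
    return value == int(field)


def run_dates(spec: str, count: int = 8, start: date = date(2016, 1, 1)) -> list:
    """First `count` days on or after `start` on which the timer fires."""
    year, month, day = spec.split()[0].split("-")
    runs, d = [], start
    while len(runs) < count:
        if (_field_matches(year, d.year, 0)
                and _field_matches(month, d.month, 1)
                and _field_matches(day, d.day, 1)):
            runs.append(d)
        d += timedelta(days=1)
    return runs


def max_gap_days(spec: str, count: int = 8, start: date = date(2016, 1, 1)) -> int:
    """Longest wait in days between two consecutive runs (leap years included)."""
    runs = run_dates(spec, count, start)
    return max((b - a).days for a, b in zip(runs, runs[1:]))


def renewal_margin(spec: str, validity_days: int = 90) -> int:
    """Validity minus the longest gap: negative means a certificate can expire
    before the timer fires again. Let's Encrypt certificates are valid 90 days."""
    return validity_days - max_gap_days(spec)


def tolerated_failures(spec: str, validity_days: int = 90) -> int:
    """Consecutive failed runs (nginx down, challenge unreachable, ...) the schedule
    survives before the certificate expires, assuming the worst-case gap every time."""
    gap = max_gap_days(spec)
    chances = -(-validity_days // gap) - 1  # later runs that fall inside the validity window
    return max(0, chances - 1)


if __name__ == "__main__":
    spec = "*-*/2-4 1:0:0"  # the OnCalendar line from this post
    print(run_dates(spec, 6), "margin:", renewal_margin(spec), "days,",
          "failed runs tolerated:", tolerated_failures(spec))
```

For the timer above this reports runs on the 4th of every odd month, a longest gap of 62 days and 28 days of margin, but no tolerance for even one failed run.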
Webserver integration:
Here is a snippet from my nginx vhost:
upstream jenkins {
    server 127.0.0.1:8090 fail_timeout=0;
}

server {
    listen 80;
    listen [::]:80;
    server_name ci.virtapi.org;

    # ACME HTTP-01 challenge files written by the webroot plugin
    location /.well-known {
        root /tmp/letsencrypt-auto;
    }

    # everything else is redirected to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ci.virtapi.org;
    ssl_certificate /etc/letsencrypt/live/ci.virtapi.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ci.virtapi.org/privkey.pem;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect http:// https://;
        proxy_pass http://jenkins;
    }
}
Conclusion:
Let’s Encrypt is really cool, systemd is also cool, and the combination is even cooler. This gives us a lightweight solution to get as many certificates as we want.