Let’s Encrypt automation – The awesome way

Free SSL for the masses \o/
Cryptography is important. I like to encrypt as much traffic and data as possible, not only the important stuff. Let’s Encrypt is a new project sponsored by multiple big companies and the Linux Foundation to provide free and automated SSL certificates for everyone. There are a few – not so awesome – ways to get a certificate. The project ships a little daemon which can talk to their API, but I don’t like that: a long-running daemon is one more always-on, network-facing process to secure. It is possible to use the daemon as a client only: start it once, get a new cert or renew the existing one, exit.

My fellow aibo blogged about this in January and created a nice systemd service + timer for that. You still had to run the service’s command once from a terminal, because the client asks you to accept the Terms of Service and to provide an email address.

I recently made a little adjustment together with aibo to pass these two pieces of information on the command line as well, so the SSL setup is now completely automated. Here is our modified service file:

Setup:

[Unit]
Description=renew certificates for %I

[Service]
Type=oneshot
# Webroot for the HTTP-01 challenge files. Caveat: if your nginx unit runs with
# PrivateTmp=yes, nginx gets its own private /tmp and will never see this
# directory; pick a path outside /tmp in that case.
ExecStartPre=/usr/bin/mkdir -p /tmp/letsencrypt-auto
# %I expands to the unescaped instance name, i.e. the domain the unit was enabled for
ExecStart=/usr/bin/letsencrypt certonly \
  --webroot \
  --webroot-path=/tmp/letsencrypt-auto \
  --renew-by-default \
  --keep \
  --agree-tos \
  --email tim@bastelfreak.de \
  -d %I
# Only runs if ExecStart succeeded, so a failed renewal never reloads nginx
ExecStartPost=/usr/bin/nginx -s reload

[Install]
WantedBy=multi-user.target

Save that as /etc/systemd/system/letsencrypt-renew@.service, and put the following timer in /etc/systemd/system/letsencrypt-renew@.timer:

[Unit]
Description=run cert renew for %I every two months

[Timer]
# year-month-day hh:mm:ss: every second month, on the 4th, at 01:00.
# Persistent=true runs a missed job right away if the box was down at that time.
OnCalendar=*-*/2-4 1:0:0
Persistent=true

[Install]
# timer units are pulled in via timers.target
WantedBy=timers.target

You now want an SSL cert for myawesomestuff.example.com? Just do systemctl enable --now letsencrypt-renew@myawesomestuff.example.com.timer (a plain enable only registers the timer for the next boot; --now also starts it right away) and the cert will be renewed on schedule. The timer only fires on its next calendar date, so for the very first certificate run the service directly: systemctl start letsencrypt-renew@myawesomestuff.example.com.service. systemctl list-timers shows you when each instance fires next. You need more certificates? Just enable the timer again with a different domain name \o/
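One thing worth checking before trusting a renewal timer is how the schedule relates to the certificate lifetime, especially when a run fails and nothing retries before the next scheduled run. The following Python script is an added example, written for this page and not part of the original post or of the letsencrypt client: it simulates a systemd OnCalendar schedule of the year-month-day hh:mm:ss form over a constructed two-year window (starting 2016-01-01, any start works) and reports the longest gap between runs with and without one failed run. It assumes Let’s Encrypt certificates live 90 days and that */N in the month field counts from January (every second month starting with January); the verdict below comes out the same for even months.

```python
# Added example (not from the original post or the letsencrypt client):
# simulate a systemd OnCalendar schedule and check it against the 90-day
# lifetime of a Let's Encrypt certificate.
from datetime import datetime, timedelta

CERT_LIFETIME_DAYS = 90  # Let's Encrypt certificates are valid for 90 days


def _field_matches(spec: str, value: int, first: int) -> bool:
    """Match one OnCalendar date field (year, month or day) against a value.

    Handles the subset used on this page: '*', a plain number, a comma list
    and '*/N'. Assumption: '*/N' counts from the field's lowest value
    (`first`, i.e. 1 for month and day), so '*/2' in the month field means
    every second month starting with January.
    """
    for part in spec.split(","):
        if part == "*":
            return True
        if part.startswith("*/"):
            if (value - first) % int(part[2:]) == 0:
                return True
        elif int(part) == value:
            return True
    return False


def fire_times(on_calendar: str, start: datetime, end: datetime) -> list:
    """Return every datetime in [start, end) at which OnCalendar=on_calendar fires.

    Only the 'year-month-day hh:mm:ss' form with a fixed time of day is
    handled; that covers the timer in this post.
    """
    date_part, time_part = on_calendar.split()
    year_s, month_s, day_s = date_part.split("-")
    hour, minute, second = (int(x) for x in time_part.split(":"))
    hits = []
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        if (_field_matches(year_s, day.year, 0)
                and _field_matches(month_s, day.month, 1)
                and _field_matches(day_s, day.day, 1)):
            t = day.replace(hour=hour, minute=minute, second=second)
            if start <= t < end:
                hits.append(t)
        day += timedelta(days=1)
    return hits


def max_gap_days(times: list, failed_runs: int = 0) -> float:
    """Longest time, in days, between one run and the next *successful* run,
    assuming `failed_runs` consecutive runs fail (network error, ACME outage)
    and nothing retries before the next scheduled run."""
    gaps = [(later - earlier).total_seconds() / 86400
            for earlier, later in zip(times, times[1 + failed_runs:])]
    return max(gaps) if gaps else 0.0


def schedule_report(on_calendar: str, start: datetime = datetime(2016, 1, 1),
                    years: int = 2) -> dict:
    """Simulate `years` years of the schedule (constructed window; any start works)."""
    times = fire_times(on_calendar, start, start.replace(year=start.year + years))
    worst = max_gap_days(times, failed_runs=1)
    return {
        "runs": len(times),
        "max_gap_days": max_gap_days(times),
        "max_gap_after_one_failure_days": worst,
        "survives_one_failure": worst < CERT_LIFETIME_DAYS,
    }


if __name__ == "__main__":
    # the timer from this post versus a twice-a-month schedule
    for spec in ("*-*/2-4 1:0:0", "*-*-1,15 1:0:0"):
        print(spec, schedule_report(spec))
```

With *-*/2-4 1:0:0, consecutive runs are at most 62 days apart, comfortably inside the 90 days, but a single failed run leaves a gap of more than 120 days, so the certificate expires before the next attempt. A twice-a-month schedule such as *-*-1,15 1:0:0 stays below 31 days even with one failure. Keep in mind that --renew-by-default issues a new certificate on every run, so check the Let’s Encrypt rate limits before shortening the interval.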

Webserver integration:
Here is a snippet from my nginx vhost. Note that it sets no TLS protocol or cipher options, so nginx’s defaults apply; tune those separately.

upstream jenkins {
  server 127.0.0.1:8090 fail_timeout=0;
}

server {
  listen 80;
  listen [::]:80;
  server_name ci.virtapi.org;

  # HTTP-01 challenge: the letsencrypt webroot plugin writes the token to
  # /tmp/letsencrypt-auto/.well-known/acme-challenge/<token>, which this
  # location serves over plain HTTP before the redirect below applies.
  location /.well-known {
    root /tmp/letsencrypt-auto;
  }

  # everything else goes to HTTPS
  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name ci.virtapi.org;

  # fullchain.pem = leaf + intermediate; the live/ symlinks always point at the newest cert
  ssl_certificate /etc/letsencrypt/live/ci.virtapi.org/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/ci.virtapi.org/privkey.pem;

  location / {
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect http:// https://;
    proxy_pass              http://jenkins;
  }
}

Conclusion:
SSL all the things
Let’s Encrypt is really cool, systemd is also cool, and the combination is even cooler. This gives us a lightweight solution to get as many certificates as we want, without a permanently running daemon.

This entry was posted in 30in30, General, Internet found pieces, IT-Security, Linux.