Automated Free SSL certificate with Let's encrypt
Overview
Letsencrypt.com provides free SSL certificates supported by nearly all modern browsers (Certificate Compatibility). Let's Encrypt certificates are issued for a period of 90 days (Why ninety-day lifetimes for certificates?), so automating renewal is highly valuable.
Domain Validation
The Let's Encrypt CA validates a domain name with a challenge that proves the requested domain name is controlled by the requester.
The challenge can be satisfied by:
- Provisioning a DNS record on the requested domain
- Provisioning an HTTP resource under a well-known URI on the requested domain
We will use the DNS challenge.
Software Installation
Let's Encrypt recommends the certbot ACME client, but it does not support an automated DNS challenge, so we use another client, acme.sh, written as a shell script. The script contains its own installer.
We install git:
rigel:~# apt install git
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  git-man liberror-perl rsync
Suggested packages:
  git-daemon-run | git-daemon-sysvinit git-doc git-el git-email git-gui gitk gitweb git-arch git-cvs git-mediawiki git-svn
The following NEW packages will be installed:
  git git-man liberror-perl rsync
0 upgraded, 4 newly installed, 0 to remove and 3 not upgraded.
Need to get 4,223 kB/4,243 kB of archives.
After this operation, 26.3 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
...
Processing triggers for systemd (229-4ubuntu21.2) ...
Processing triggers for ureadahead (0.100.0-19) ...
We download and install the software:
rigel:~# cd /tmp
rigel:/tmp# git clone https://github.com/Neilpang/acme.sh.git
Cloning into 'acme.sh'...
remote: Counting objects: 6801, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 6801 (delta 25), reused 38 (delta 22), pack-reused 6756
Receiving objects: 100% (6801/6801), 2.70 MiB | 4.91 MiB/s, done.
Resolving deltas: 100% (3833/3833), done.
Checking connectivity... done.
rigel:/tmp# cd acme.sh/
rigel:/tmp/acme.sh# ./acme.sh --install --home /etc/luniel/acme.sh --config-home /etc/luniel/acme.sh
[Fri Jul 20 23:20:51 CEST 2018] It is recommended to install socat first.
[Fri Jul 20 23:20:51 CEST 2018] We use socat for standalone server if you use standalone mode.
[Fri Jul 20 23:20:51 CEST 2018] If you don't use standalone mode, just ignore this warning.
[Fri Jul 20 23:20:51 CEST 2018] Installing to /etc/luniel/acme.sh
[Fri Jul 20 23:20:51 CEST 2018] Installed to /etc/luniel/acme.sh/acme.sh
[Fri Jul 20 23:20:51 CEST 2018] Installing alias to '/root/.bashrc'
[Fri Jul 20 23:20:51 CEST 2018] OK, Close and reopen your terminal to start using acme.sh
[Fri Jul 20 23:20:51 CEST 2018] Installing cron job
0 0 * * * /etc/luniel/acme.sh/acme.sh --cron --home "/etc/luniel/acme.sh" > /dev/null
[Fri Jul 20 23:20:51 CEST 2018] Good, bash is found, so change the shebang to use bash as preferred.
[Fri Jul 20 23:20:51 CEST 2018] OK
DNS API
In the dnsapi folder, around 50 DNS handlers are available for use with different DNS providers. In our case, BIND is installed locally, so we use the nsupdate handler. We copy dns_nsupdate.sh to dns_nsupdaterigel.sh and adjust it to our needs.
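As an added example (not the stock dns_nsupdate.sh from the acme.sh project), this is what a minimal dns_nsupdaterigel.sh handler can look like: acme.sh calls dns_<handler>_add and dns_<handler>_rm with the challenge name and TXT value, and the handler feeds an nsupdate script to the local BIND. The server address, TSIG key path and TTL are assumed values chosen here; the update is built so that two challenge records on the same name (a base domain and its wildcard, as in the commands below) never overwrite each other.

```shell
#!/usr/bin/env sh
# dns_nsupdaterigel.sh: acme.sh DNS-01 handler that talks to the local BIND
# via nsupdate. Added example, not the acme.sh project's own handler.
# Assumptions (hypothetical values): the zone accepts dynamic updates signed
# with the TSIG key in NSUPDATE_KEY and the server listens on NSUPDATE_SERVER.
NSUPDATE_SERVER="${NSUPDATE_SERVER:-127.0.0.1}"
NSUPDATE_KEY="${NSUPDATE_KEY:-/etc/luniel/acme.sh/nsupdate.key}"
NSUPDATE_TTL="${NSUPDATE_TTL:-60}"

# Build the nsupdate script for one add or delete. "update add" never replaces
# existing TXT data and the delete names its exact value, so issuing
# simao.es and *.simao.es (two challenges on _acme-challenge.simao.es) works.
_nsupdate_script() {
  _op="$1"; _name="$2"; _value="$3"
  printf 'server %s\n' "$NSUPDATE_SERVER"
  if [ "$_op" = add ]; then
    printf 'update add %s. %s TXT "%s"\n' "$_name" "$NSUPDATE_TTL" "$_value"
  else
    # delete only this value, leaving any other challenge record in place
    printf 'update delete %s. TXT "%s"\n' "$_name" "$_value"
  fi
  printf 'send\n'
}

# Refuse values that would break out of the quoted TXT string: the value
# comes from the ACME server, so treat it as untrusted input.
_valid_txt() {
  case "$1" in *'"'*|*'\'*|*' '*|"") return 1 ;; esac
  return 0
}

# acme.sh calls dns_<handler>_add fulldomain txtvalue before validation ...
dns_nsupdaterigel_add() {
  _valid_txt "$2" || return 1
  _nsupdate_script add "$1" "$2" | nsupdate -k "$NSUPDATE_KEY"
}

# ... and dns_<handler>_rm fulldomain txtvalue afterwards, to clean up.
dns_nsupdaterigel_rm() {
  _valid_txt "$2" || return 1
  _nsupdate_script del "$1" "$2" | nsupdate -k "$NSUPDATE_KEY"
}
```

Drop the file into the dnsapi folder of the acme.sh home and export NSUPDATE_SERVER and NSUPDATE_KEY before the first --issue; acme.sh keeps them in its account configuration for the cron renewals.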
Certificate issuance
We force some parameters:
./acme.sh --issue --keylength 4096 --dnssleep 30 -d rigel.oamis.net --dns dns_nsupdaterigel -d simao.es -d www.simao.es -d luniel.com -d www.luniel.com -d wiki.luniel.com -d svn.luniel.com -d git.luniel.com --renew-hook "/etc/luniel/deploycertificate.sh" --log "/var/log/certificates.log"
- --keylength 4096: force the RSA public key to 4096 bits instead of 2048 (Let's Encrypt does not accept more than 4096 bits)
- --dnssleep 30: wait 30 seconds to be sure the DNS information has propagated from the master to the slave DNS servers
- --dns dns_nsupdaterigel: the API handler launched to update the DNS server with the challenge value (see the DNS API section)
- --renew-hook: script launched when the certificates are renewed; we use it to deploy the new version of the certificate
- --log: path of the application log file
With wildcards:
./acme.sh --issue --keylength 4096 --dnssleep 30 -d rigel.oamis.net --dns dns_nsupdaterigel -d simao.es -d *.simao.es -d simao.us -d *.simao.us -d simao.be -d *.simao.be -d luniel.com -d *.luniel.com -d 3d-ms.com -d *.3d-ms.com -d 3d-ms.be -d *.3d-ms.be -d oamis.net -d *.oamis.net -d mundosinfin.com -d *.mundosinfin.com -d *.michaelsimao.net -d michaelsimao.net --renew-hook "/etc/luniel/deploycertificate.sh" --log "/var/log/certificates.log"
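The --renew-hook above runs /etc/luniel/deploycertificate.sh after each renewal. As an added example (not the page's own script), this is a deploy hook that refuses to install a certificate whose key does not match it, copies the files into place atomically with the private key readable by root only, and reloads nginx only after its configuration test passes. It assumes acme.sh stores the files under <home>/<first domain>/ as fullchain.cer and <domain>.key, and that the target directory and nginx are the ones chosen here.

```shell
#!/bin/sh
# /etc/luniel/deploycertificate.sh: renew hook run by acme.sh after a
# successful renewal. Added example, not the page's own script.
# Assumptions: ACME_HOME/<first domain>/ holds fullchain.cer and <domain>.key
# (acme.sh layout), and nginx on this host reads its files from CERT_DIR.
set -eu
ACME_HOME="${ACME_HOME:-/etc/luniel/acme.sh}"
DOMAIN="${DOMAIN:-rigel.oamis.net}"
CERT_DIR="${CERT_DIR:-/etc/ssl/luniel}"

# Compare the public key inside the certificate with the one derived from the
# private key before anything is overwritten: a mismatched pair would take
# every vhost down at the next reload.
cert_matches_key() {
  _c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
  _k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
  [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

# Install a file atomically: copy next to the target, set the mode, then
# rename over the old file so readers never see a half-written certificate.
install_file() {
  _src="$1"; _dst="$2"; _mode="$3"
  cp "$_src" "$_dst.tmp"
  chmod "$_mode" "$_dst.tmp"
  mv "$_dst.tmp" "$_dst"
}

deploy() {
  _src="$ACME_HOME/$DOMAIN"
  cert_matches_key "$_src/fullchain.cer" "$_src/$DOMAIN.key" || {
    echo "deploy: certificate and key do not match, not deploying" >&2
    return 1
  }
  mkdir -p "$CERT_DIR"
  install_file "$_src/fullchain.cer" "$CERT_DIR/fullchain.pem" 0644
  install_file "$_src/$DOMAIN.key" "$CERT_DIR/privkey.pem" 0600
  # validate the configuration first so a bad file cannot stop nginx
  nginx -t && nginx -s reload
}

# Run the deployment only when executed as the hook, not when sourced.
[ "${0##*/}" = deploycertificate.sh ] && deploy
```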
Daniel Simao (talk) 15:19, 20 July 2018 (EDT)