January 29, 2018

Using Let's Encrypt certificates

Over the last few years security has become an increasingly important issue on the internet. Any developer, and probably a lot of users by now, knows that a website running plain HTTP is not secure and simply not acceptable anymore.

TLS certificates combined with the HTTP protocol give you HTTPS. Where in the old days you had to buy certificates from a commercial certificate authority, that is no longer necessary: nowadays we have Let's Encrypt, a free and automated certificate authority run by the Internet Security Research Group (ISRG) with the ambition to encrypt all of the web.

Let's Encrypt's recommended client is certbot. It obtains a TLS certificate through the ACME protocol: the CA issues a challenge that proves you control the domain (for the HTTP challenge, a file with a specific token that must be served from http://mydomain.com/.well-known/acme-challenge/), and only then signs the certificate.
You can use certbot to just obtain the certificates, or to also install them into your vhost configuration for you.

One thing to keep in mind is that the certificates are only valid for 90 days. Luckily renewal is just as easy: a single command renews everything that is close to expiring. Put it in a cron job et voilà.

So how does this work?

Say you have a domain name and a website running on that domain.
The following example is based on Ubuntu, but it works on basically any system.

Head over to your server in a terminal and install certbot:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot 

Now you've got certbot installed. To get your certificate for your domain use:

sudo certbot certonly --webroot -w /var/www/html -d mydomain.com -d www.mydomain.com

This command uses certbot's webroot plugin. With -w you tell certbot what the public directory of your site is, /var/www/html in the example, but this may be different in your case. certbot writes the challenge file into <webroot>/.well-known/acme-challenge/ and the Let's Encrypt servers fetch it over plain HTTP on port 80, so that path must actually be served by your webserver and must not be blocked, rewritten or redirected to a login page.

With -d you tell certbot which domain names you want certificates for. Above we ask for mydomain.com and www.mydomain.com.
If both names resolve to this server and are served from /var/www/html, you receive one certificate that covers both names.

Note: the webroot plugin assumes you already have a webserver running. If that is not the case, certbot also has a standalone plugin that starts its own temporary webserver on port 80 to answer the challenge. That means port 80 must be free (stop anything listening on it first) and reachable from the internet. The command then looks like this:

sudo certbot certonly --standalone -d mydomain.com -d www.mydomain.com

As you can see, --standalone replaces --webroot and there is no webroot parameter.

If everything goes as planned, you'll find your certificates under /etc/letsencrypt/. The files to point your webserver at are /etc/letsencrypt/live/mydomain.com/fullchain.pem (the certificate plus the intermediate chain) and /etc/letsencrypt/live/mydomain.com/privkey.pem (the private key, which certbot makes readable by root only; keep it that way).
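To make concrete what happens behind --webroot, here is an added illustration of the ACME HTTP challenge (http-01). It is example code written for this page, not certbot's implementation and not code from the original post. It builds the key authorization the CA expects from the challenge token and the ACME account key, writes it to <webroot>/.well-known/acme-challenge/<token> just like the webroot plugin does, and then checks it the way the CA does after fetching that URL. The RSA account key, the token and the webroot path are constructed, hypothetical values.

```python
"""Added example: the http-01 challenge behind 'certbot certonly --webroot'.

Illustrative code, not certbot's own implementation. Key authorization and
token handling follow RFC 8555 (ACME); the thumbprint follows RFC 7638.
The account key below is a constructed, hypothetical JWK, not a real key.
"""
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Tokens are base64url (RFC 8555 section 8.3). Anything else, e.g. "../",
# must be rejected before the token is ever used as a file name in the webroot.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
CHALLENGE_DIR = Path(".well-known") / "acme-challenge"


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA account key: SHA-256 over the canonical
    JSON of only the required members (e, kty, n), sorted, no whitespace."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """'<token>.<thumbprint>': ties the response to the ACME account that
    requested the certificate, so a stray file cannot satisfy the challenge."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url; refusing to use it as a path")
    return f"{token}.{jwk_thumbprint(jwk)}"


def place_challenge(webroot: Path, token: str, jwk: dict) -> Path:
    """What the webroot plugin does: drop the key authorization into the webroot."""
    path = webroot / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authorization(token, jwk), encoding="ascii")
    return path


def verify_challenge(webroot: Path, token: str, jwk: dict) -> bool:
    """What the CA checks after GET http://<domain>/.well-known/acme-challenge/<token>
    (read from disk here instead of fetched over port 80): the body must equal
    the key authorization for this token and this account key."""
    if not TOKEN_RE.match(token):
        return False
    path = webroot / CHALLENGE_DIR / token
    try:
        body = path.read_text(encoding="ascii").strip()
    except OSError:
        return False
    return body == key_authorization(token, jwk)


# Constructed, hypothetical account key (the modulus is not a real RSA modulus).
SAMPLE_JWK = {
    "kty": "RSA",
    "n": b64url(b"\x00" * 8 + b"this-is-not-a-real-modulus"),
    "e": "AQAB",
}


def demo() -> dict:
    """Run the whole flow in a temporary webroot and return the outcome of each check."""
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed CA token
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        path = place_challenge(webroot, token, SAMPLE_JWK)
        results["path_ok"] = path == webroot / ".well-known" / "acme-challenge" / token
        results["verified"] = verify_challenge(webroot, token, SAMPLE_JWK)
        # A response built with a different account key must not pass.
        other_key = dict(SAMPLE_JWK, e="AQAC")
        results["wrong_key_rejected"] = not verify_challenge(webroot, token, other_key)
        # No file for the token: the CA sees a 404 and the order fails.
        results["missing_rejected"] = not verify_challenge(webroot, "unknown-token", SAMPLE_JWK)
        # A malicious token must never be turned into a path under the webroot.
        try:
            place_challenge(webroot, "../../etc/passwd", SAMPLE_JWK)
            results["traversal_rejected"] = False
        except ValueError:
            results["traversal_rejected"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Two practical points follow from this. The challenge file is fetched over plain HTTP by whatever listens on port 80, so a webserver that forces everything under /.well-known/ to HTTPS or behind authentication breaks issuance. And the token is used as a file name, which is why it is validated as base64url before it touches the file system.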

Renewing the certificates

As mentioned above, the certificates are valid for only 90 days, so you have to renew them, and certbot can do that automatically. certbot keeps a renewal configuration for every certificate under /etc/letsencrypt/renewal/, so you do not have to repeat the domain names or the webroot, and you can run the renew command from any directory.

To see what would happen when renewing:

sudo certbot renew --dry-run

If you like the result, put the command without the --dry-run parameter in a cron job. Do not schedule it only once every 3 months: certbot renew only actually renews certificates that are within 30 days of expiring and does nothing otherwise, so the recommended schedule is daily (or twice a day), which leaves plenty of retries if Let's Encrypt or your server is temporarily unreachable. Also make sure your webserver picks up the new certificate, for example with --deploy-hook "systemctl reload nginx", because a renewed file on disk does nothing until the server reloads it. A daily cron entry running certbot renew --quiet --deploy-hook "systemctl reload nginx" keeps your site's certificate valid without further attention.

Certbot on Docker

To make using certbot even easier, you can use the Docker image certbot maintains, certbot/certbot.
With it you can generate your certificates without installing certbot on the host. Like a lot of things by now, all you need in this case is Docker.

All the commands are still the same because you're still using certbot the same way you would otherwise.

An example:
Say the public webroot of your website on the server is /home/myuser/websites/mydomain. This is the directory certbot places the challenge file in, so it has to be available inside the Docker container.

So imagine the command would normally be:

certbot certonly --webroot -w /home/myuser/websites/mydomain -d mydomain.com

The Docker command is almost the same, with the difference of course that you run it through Docker and map the directories certbot needs:

docker run -it -v /home/myuser/websites/mydomain:/var/www/html -v $PWD/certs:/etc/letsencrypt/ certbot/certbot certonly --webroot -w /var/www/html -d mydomain.com

What did we just do? First we run Docker in interactive mode and allocate a tty: docker run -it
Next we map our local webroot /home/myuser/websites/mydomain to /var/www/html inside the container using -v /home/myuser/websites/mydomain:/var/www/html
We also map the directory certbot uses to store the certificates, keys and renewal configuration, so we can actually use them and so they survive the container: -v $PWD/certs:/etc/letsencrypt/ This maps the certs directory below the directory you're currently in, so that is where your certificates and private keys will be placed. Keep that directory out of version control and readable only by root.

After that certbot has what it needs to create a certificate, so you just run certbot/certbot certonly --webroot -w /var/www/html -d mydomain.com
Note that we tell it the webroot is /var/www/html because we mapped our local webroot to that directory in the Docker container.

After that the directory is created with your certificates and you're good to go.
You can find the certificate and its key in certs/live/mydomain.com/ (fullchain.pem and privkey.pem).


To renew using Docker it's the same trick: map the same directories again and run the renew command as you would otherwise. Both mappings are needed, because certbot reads the renewal configuration from /etc/letsencrypt/renewal/ and has to write a fresh challenge file into the webroot. (If you used --standalone instead of --webroot, also publish port 80 with -p 80:80 so Let's Encrypt can reach certbot's temporary webserver inside the container.)

docker run -it -v /home/myuser/websites/mydomain:/var/www/html -v $PWD/certs:/etc/letsencrypt/ certbot/certbot renew


Getting a certificate is no longer a question of whether you're willing to pay for it, but only of whether you're willing to run a command on the server.
So no developer has an excuse anymore not to secure his or her websites and applications.
Certbot provides an easy way to generate and renew the certificates, and can even add them to your vhost configuration if you so desire.

The ambition of Let's Encrypt is to encrypt all of the web. It is quite ambitious, but the service they provide makes it very easy, so maybe someday their ambition will be a reality.