A Few Notes on LetsEncrypt
I’d originally planned to write a post about configuring Burp Collaborator with LetsEncrypt, but after re-reading an article I’d used to do part of the provisioning, I couldn’t find much else to add.
One area I did want to dig into a bit more was LetsEncrypt itself, specifically the DNS plugins.
Part of the LetsEncrypt enrollment process is proving you own the domain you’re requesting a certificate for. There are a few ways of doing this, but I’m most interested in the DNS route.
When you run certbot with the certonly flag, you’ll be provided with a special TXT record. You then add this record to the DNS zone of the domain for which you’re requesting the certificate, proving that you control the domain, and your certificate is issued.
I’m not a big fan of manual processes so I went poking around the LetsEncrypt documentation to figure out how I could automate this. Turns out there are DNS plugins available to automate the addition, validation, and removal of that TXT challenge.
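To make the DNS route concrete, here is a small added example (mine, not from the original post or from certbot) showing what the plugin actually publishes: the TXT record value is the base64url-encoded SHA-256 of the key authorization, i.e. the challenge token joined to your ACME account-key thumbprint with a dot (RFC 8555, section 8.4). The function names, the 1.1.1.1 resolver, and the token and thumbprint values are my own constructed placeholders; in a real run certbot receives the token from Let’s Encrypt and derives the thumbprint from your account key. The last function queries public DNS so you can confirm the record is visible before the CA looks for it.

```shell
#!/bin/sh
# Added example (not from the original post): compute the dns-01 TXT value
# Let's Encrypt expects and check whether public DNS is already serving it.

# base64url(SHA-256(input)) with padding stripped, the encoding ACME uses.
b64url_sha256() {
  printf '%s' "$1" | openssl dgst -sha256 -binary | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

# The key authorization is "<token>.<thumbprint>". The TXT record holds its
# base64url SHA-256 digest, never the token or the thumbprint themselves.
dns01_txt_value() {
  token="$1"; thumbprint="$2"
  b64url_sha256 "$token.$thumbprint"
}

# Name at which the CA looks for the record. A wildcard request for
# *.example.com is validated at _acme-challenge.example.com.
dns01_record_name() {
  domain="${1#\*.}"   # drop a leading "*." if a wildcard name was passed
  printf '_acme-challenge.%s' "$domain"
}

# Ask a public resolver for the record and succeed only if the expected value
# is among the TXT strings served. Needs network access and dig; this is the
# propagation check to run before the CA performs its own lookup.
dns01_record_published() {
  name=$(dns01_record_name "$1"); expected="$2"
  dig +short TXT "$name" @1.1.1.1 | tr -d '"' | grep -qx "$expected"
}

# Demo with constructed placeholder values: print the record the plugin
# would add for a wildcard request.
demo_token="constructed-token-0123456789"
demo_thumbprint="constructed-thumbprint-abcdef"
printf '%s TXT "%s"\n' "$(dns01_record_name '*.example.com')" \
  "$(dns01_txt_value "$demo_token" "$demo_thumbprint")"
```

Running `dns01_record_published example.com "<value>"` in a loop with a short sleep is a cheap way to see why certbot waits before asking the CA to verify: Cloudflare answers quickly, but other providers and recursive resolvers may lag.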
An added benefit of this technique is that I don’t need to change anything on the firewall or touch software that may already be listening on the ports the other challenge types require.
I’m going to focus on Cloudflare, but the process should be similar for the other providers.
Installing certbot and the Cloudflare plugin on Ubuntu 18.04:
# Install certbot
sudo apt-get update
sudo apt-get install software-properties-common -y
sudo add-apt-repository ppa:certbot/certbot -y
sudo apt-get update
sudo apt-get install certbot -y

# Install cloudflare plugin
sudo apt install python3-pip -y
sudo pip3 install certbot-dns-cloudflare
Next, create your cloudflare.ini credential file:
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
Ensure the correct permissions are set:
chmod 0600 cloudflare.ini
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials cloudflare.ini -d *.example.com --agree-tos -m [email protected] -n --server https://acme-v02.api.letsencrypt.org/directory
From the above:
certonly - We’re not using “automatic” installation; just obtain the certificate.
--dns-cloudflare - Use the Cloudflare DNS plugin.
--dns-cloudflare-credentials - Path to our credential file. Permissions must be 0600.
-d *.example.com - We want a wildcard certificate for example.com.
--agree-tos - Don’t prompt for the ToS.
-m [email protected] - Email address for urgent notifications.
-n - Run in non-interactive mode.
--server https://acme-v02.api.letsencrypt.org/directory - Required for wildcard certificates.
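The credential file is the one secret in this whole setup, and the plugin will complain if it is readable by anyone but you. Here is an added example (my own, not from the post or from certbot) that creates the file under a restrictive umask so it never exists as world-readable even for a moment, verifies the mode before certbot is invoked, and then issues the same certonly command as above. The function names, ops@example.com, and the API key are constructed placeholders. It goes one step beyond the post in also requesting the apex name, since a *.example.com wildcard does not cover example.com itself; drop that second -d if you only want the wildcard.

```shell
#!/bin/sh
# Added example (not from the original post): write cloudflare.ini with safe
# permissions, check the mode, and request the wildcard certificate.

# Create the ini inside a subshell with umask 077 so the file is owner-only
# from the instant it is created; the trailing chmod covers a pre-existing file.
write_cloudflare_ini() {
  ini="$1"; email="$2"; api_key="$3"
  (
    umask 077
    printf '# Cloudflare API credentials used by Certbot\n' > "$ini"
    printf 'dns_cloudflare_email = %s\n' "$email" >> "$ini"
    printf 'dns_cloudflare_api_key = %s\n' "$api_key" >> "$ini"
  )
  chmod 0600 "$ini"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only when the credential file is read/write for the owner alone.
check_ini_mode() {
  [ "$(file_mode "$1")" = "600" ]
}

# The certonly invocation from the post, plus the apex name, guarded by the
# permission check so a sloppy chmod is caught before any API call is made.
request_wildcard_cert() {
  ini="$1"; domain="$2"; email="$3"
  check_ini_mode "$ini" || { echo "refusing: $ini is not mode 0600" >&2; return 1; }
  sudo certbot certonly --dns-cloudflare \
    --dns-cloudflare-credentials "$ini" \
    -d "*.$domain" -d "$domain" \
    --agree-tos -m "$email" -n \
    --server https://acme-v02.api.letsencrypt.org/directory
}

# Stand-alone demo with constructed values and no certbot call: write the
# file into a temporary directory and report its mode.
demo_dir=$(mktemp -d)
write_cloudflare_ini "$demo_dir/cloudflare.ini" "ops@example.com" \
  "0123456789abcdef0123456789abcdef01234567"
echo "cloudflare.ini mode: $(file_mode "$demo_dir/cloudflare.ini")"
rm -rf "$demo_dir"
```

For the real run, call `write_cloudflare_ini /root/cloudflare.ini you@yourdomain <api-key>` followed by `request_wildcard_cert /root/cloudflare.ini yourdomain you@yourdomain`; keeping the ini under /root rather than in a home directory also keeps it away from any backup or sync job that sweeps user directories.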
If all goes well, you should see something like this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-01-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
To ensure we’ve got everything set up correctly:
sudo certbot renew --dry-run
Note that you’ll need to leave your cloudflare.ini file on the server for auto-renew to work.
I spent a bit of time researching how automatic renewal works, but I’m pretty sure that was for naught. Reviewing the install output, I found the following:
Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
certbot.service is a disabled or a static unit, not starting it.
Those files, respectively, contain the following:
# certbot.timer
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target

# certbot.service
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true
I’m not super familiar with systemd so I did a bit more digging:
And there you have it!