A Few Notes on LetsEncrypt

October 21, 2018

I’d originally planned to write a post about configuring Burp Collaborator with LetsEncrypt, but after re-reading an article I’d used to do part of the provisioning, I couldn’t find much else to add.

One area I did want to dig into a bit more was LetsEncrypt itself, specifically the DNS plugins.

DNS Plugins

Part of the LetsEncrypt enrollment process is proving you own the domain you’re requesting a certificate for. There are a few ways of doing this, but I’m most interested in the DNS route.

When you run certbot certonly and pick the DNS challenge, certbot hands you a TXT record value (the dns-01 challenge). You add that record to the domain you're requesting the certificate for; once Let's Encrypt sees it, you've proven you control the domain and the certificate is issued.

I’m not a big fan of manual processes so I went poking around the LetsEncrypt documentation to figure out how I could automate this. Turns out there are DNS plugins available to automate the addition, validation, and removal of that TXT challenge.

An added benefit of this technique is that I don't need to modify the firewall or any software that may already be listening on the ports the other challenge types require.

I’m going to focus on Cloudflare, but the process should be similar for the other providers.

Installation

To install certbot on Ubuntu 18.04:

# Install certbot
sudo apt-get update
sudo apt-get install software-properties-common -y
sudo add-apt-repository ppa:certbot/certbot -y
sudo apt-get update
sudo apt-get install certbot -y

# Install cloudflare plugin
sudo apt install python3-pip -y
sudo pip3 install certbot-dns-cloudflare

Next, create your cloudflare.ini file:

# Cloudflare API credentials used by Certbot
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567

Ensure the correct permissions are set:

chmod 0600 cloudflare.ini

Configuration

Finally, unleash certbot:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials cloudflare.ini -d *.example.com --agree-tos -m [email protected] -n --server https://acme-v02.api.letsencrypt.org/directory

From the above:

If all goes well, you should see something like this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-01-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Testing

To ensure we’ve got everything set up correctly:

sudo certbot renew --dry-run

Note that cloudflare.ini has to stay on the server for auto-renew to work, since certbot re-runs the DNS challenge on every renewal.

Updates

I spent a bit of time researching how updates work but I’m pretty sure that was for naught. Reviewing the install process I found the following:

Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
certbot.service is a disabled or a static unit, not starting it.

Those files, respectively, contain the following:

# certbot.timer
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target

# certbot.service
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

I’m not super familiar with systemd so I did a bit more digging:

[email protected]:~# systemctl is-enabled certbot.timer
enabled
[email protected]:~# systemctl list-timers certbot*
NEXT                         LEFT    LAST PASSED UNIT          ACTIVATES
Mon 2018-10-22 00:24:30 UTC  7h left n/a  n/a    certbot.timer certbot.service
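The script below is an added example, not from the original post or the certbot project. It covers the two things a practitioner would want to verify on this page: the cloudflare.ini credentials that have to stay on disk (Installation and Testing above) and the certbot.timer renewal path (Updates above). File paths are arguments; GNU stat/date, openssl and systemctl are assumed, and the /root/cloudflare.ini in the usage comment is a hypothetical path.

```shell
#!/bin/sh
# Added example, not from the original post or the certbot project: pre-flight
# checks for the dns-cloudflare setup described above. Paths are arguments and
# nothing here contacts Cloudflare.

# cloudflare.ini holds an API key that can edit the whole zone, and it must
# stay on the server for auto-renew, so it should be readable by its owner
# only. certbot-dns-cloudflare merely warns about loose modes; this fails hard.
check_creds_perms() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f")          # GNU stat: prints e.g. 600 or 644
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f is mode $mode, expected 0600" >&2; return 1 ;;
    esac
}

# Both keys the plugin reads must be present, with a plausible e-mail address.
check_creds_content() {
    f="$1"
    email=$(sed -n 's/^dns_cloudflare_email[[:space:]]*=[[:space:]]*//p' "$f")
    key=$(sed -n 's/^dns_cloudflare_api_key[[:space:]]*=[[:space:]]*//p' "$f")
    case "$email" in *@*) ;; *) echo "bad dns_cloudflare_email" >&2; return 1 ;; esac
    [ -n "$key" ] || { echo "dns_cloudflare_api_key is empty" >&2; return 1; }
}

# Whole days until the certificate in $1 expires (openssl + GNU date).
# certbot renews when fewer than 30 days remain; a lower value with the timer
# enabled means renewals are failing and the log is worth a look.
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# The Ubuntu package installs certbot.timer (unit files shown above);
# renewal only happens if that timer is both enabled and active.
check_renew_timer() {
    systemctl is-enabled --quiet certbot.timer || { echo "certbot.timer not enabled" >&2; return 1; }
    systemctl is-active --quiet certbot.timer || { echo "certbot.timer not active" >&2; return 1; }
}

# Usage on a live install (hypothetical paths), e.g.:
#   check_creds_perms /root/cloudflare.ini && check_creds_content /root/cloudflare.ini \
#     && check_renew_timer && cert_days_left /etc/letsencrypt/live/example.com/fullchain.pem
```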

And there you have it!

References