A Few Notes on LetsEncrypt
I'd originally planned to write a post about configuring Burp Collaborator with LetsEncrypt, but after re-reading an article I'd used to do part of the provisioning, I couldn't find much else to add.
One area I did want to dig into a bit more was LetsEncrypt itself, specifically the DNS plugins.
DNS Plugins
Part of the LetsEncrypt enrollment process is proving you own the domain you're requesting a certificate for. There are a few ways of doing this, but I'm most interested in the DNS route.
When running certbot with the certonly flag, you'll be provided with a special TXT record. You then add this record to the domain for which you're requesting the certificate, proving that you own the domain, and your certificate is issued.
I'm not a big fan of manual processes so I went poking around the LetsEncrypt documentation to figure out how I could automate this. Turns out there are DNS plugins available to automate the addition, validation, and removal of that TXT challenge.
An added benefit of this technique is that I don't need to touch the firewall or any software that may already be listening on the ports that HTTP-based verification requires; the challenge is answered entirely in DNS.
I'm going to focus on Cloudflare, but the process should be similar for the other providers.
Installation
To install certbot on Ubuntu 18.04:
```bash
# Install certbot
sudo apt-get update
sudo apt-get install software-properties-common -y
sudo add-apt-repository ppa:certbot/certbot -y
sudo apt-get update
sudo apt-get install certbot -y
# Install cloudflare plugin
sudo apt install python3-pip -y
sudo pip3 install certbot-dns-cloudflare
```
Next, create your cloudflare.ini file:
```ini
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = cloudflare@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
```
Ensure the correct permissions are set:
```bash
chmod 0600 cloudflare.ini
```
Configuration
Finally, unleash certbot:
```bash
# The wildcard is quoted so the shell does not glob-expand it against files in the current directory
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials cloudflare.ini -d '*.example.com' --agree-tos -m you@example.com -n --server https://acme-v02.api.letsencrypt.org/directory
```
From the above:
certonly - We're not using "automatic" installation.
--dns-cloudflare - Use the Cloudflare DNS plugin.
--dns-cloudflare-credentials - Path to our credential file. Permissions must be 0600.
-d '*.example.com' - We want a wildcard certificate for example.com (quoted so the shell doesn't expand the asterisk).
--agree-tos - Don't prompt for ToS.
-m you@example.com - Email address for urgent notifications.
-n - Run in non-interactive mode.
--server https://acme-v02.api.letsencrypt.org/directory - Required for wildcard certificates.
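The credentials file holds an API key with write access to the zone's DNS, so it is worth checking it before every run rather than only once at setup. The following script is an added example, not code from the original post: it wraps the invocation above in a pre-flight check that the file exists, has no group or other permission bits (the post requires 0600), and contains both keys the plugin reads, then runs the same certbot command. The function names and the exit codes are this example's own; the certbot flags are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks before the
# certbot + dns-cloudflare invocation. Function names and exit codes are
# this example's own; the certbot flags are the ones used in the post.

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_credentials_file PATH
# Exit 0 when PATH is a regular file, has no group/other permission bits,
# and contains both keys the dns-cloudflare plugin reads.
# Non-zero codes: 1 missing or not a regular file, 2 permissions too open,
# 3 a required key is absent.
check_credentials_file() {
    f="$1"
    [ -f "$f" ] || return 1
    case "$(file_mode "$f")" in
        *00) ;;           # e.g. 600 or 400: owner-only access
        *) return 2 ;;    # some group/other bit is set
    esac
    grep -q '^[[:space:]]*dns_cloudflare_email[[:space:]]*=' "$f" || return 3
    grep -q '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$f" || return 3
    return 0
}

# issue_wildcard DOMAIN EMAIL CREDENTIALS_FILE
# Runs the post's certonly command only after the credentials file passes.
issue_wildcard() {
    domain="$1"; email="$2"; creds="$3"
    rc=0
    check_credentials_file "$creds" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "refusing to run certbot: $creds failed pre-flight check (code $rc)" >&2
        return "$rc"
    fi
    # The wildcard is quoted so the shell does not glob-expand it.
    sudo certbot certonly \
        --dns-cloudflare \
        --dns-cloudflare-credentials "$creds" \
        -d "*.$domain" \
        --agree-tos -m "$email" -n \
        --server https://acme-v02.api.letsencrypt.org/directory
}

# Usage: ./issue.sh example.com you@example.com cloudflare.ini
if [ $# -ge 3 ]; then
    issue_wildcard "$1" "$2" "$3"
fi
```

Each failure has its own exit code so a wrapper (cron, CI, a deploy script) can report why certbot was not run instead of only that it wasn't. The check accepts 0400 as well as 0600, since read-only for the owner is stricter, not looser.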
If all goes well, you should see something like this:
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-01-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
Testing
To ensure we've got everything set up correctly:
```bash
sudo certbot renew --dry-run
```
Note that you'll need to leave your cloudflare.ini file on the server for auto-renew to work.
Updates
I spent a bit of time researching how updates work but I'm pretty sure that was for naught. Reviewing the install process I found the following:
```
Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
certbot.service is a disabled or a static unit, not starting it.
```
Those files, respectively, contain the following:
```ini
# certbot.timer
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target

# certbot.service
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true
```
I'm not super familiar with systemd so I did a bit more digging:
```
liam@waffles:~# systemctl is-enabled certbot.timer
enabled
liam@waffles:~# systemctl list-timers certbot*
NEXT                         LEFT     LAST  PASSED  UNIT           ACTIVATES
Mon 2018-10-22 00:24:30 UTC  7h left  n/a   n/a     certbot.timer  certbot.service
```
And there you have it!