Let’s Encrypt!

 Uncategorized  Add comments
Feb 252016
 

Let’s Encrypt is a method to get a free signed certificate with the intent of allowing to use end-to-end encryption between the server (web, mail etc.) and the client. Important when you are in an Internet Cafe or HotSpot at an airport.

To get a certificate, you have to proof that you own DNS or the web server for the domain you want to use the certificate for.

There’s a complete documentation about the protocol ACME around it and clients which use it to make this easy for normal users without having to mess with manually created certificates. I used the “le” client:

git clone https://github.com/Neilpang/le
cd le
./le.sh issue dns DOMAIN HOST1_OF_THE_DOMAIN,HOST2_OF_THE_DOMAIN ec-384

DOMAIN is your domain, e.g. studiokubota.com. HOSTS_OF_THE_DOMAIN is a comma separated list of hosts of said domain, e.g. www.studiokubota.com, mail.studiokubota.com etc.

When done, I had to set some TXT records for my domain to confirm that I control the DNS zone I request certificates for. Then about 10min later:

./le.sh renew DOMAIN

confirms everything and creates properly signed certificates in ~/.le/DOMAIN/

Note that the life time of this certificate is relatively short: 3 months, so a renew command needs to be run once per quarter at least.

$ openssl x509 -in studiokubota.com.cer -noout -text 
Certificate: 
    Data: 
        Version: 3 (0x2) 
        Serial Number: 
            xx:xx:2c:8d:6c:a3:06:12:2e:c8:03:3c:91:xx:xx:xx:xx:xx 
    Signature Algorithm: sha256WithRSAEncryption 
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1 
        Validity 
            Not Before: Feb 25 07:40:00 2016 GMT 
            Not After : May 25 07:40:00 2016 GMT
 [...]

To use the key/certificate, do:

cp studiokubota.com.cer /etc/ssl/certs/studiokubota.com.pem
cp studiokubota.com.key /etc/ssl/private/
chown root:root /etc/ssl/certs/studiokubota.com.pem /etc/ssl/private/studiokubota.com.key
chmod go-rwx /etc/ssl/private/studiokubota.com.key
c_rehash

You should now see 2 links to the .pem file in /etc/ssl/certs:

root@docker-3:/etc/ssl/certs# ls -la | grep studiokubota 
lrwxrwxrwx 1 root root     11 Feb 25 12:56 065f4d47.0 -> studiokubota.com.pem 
lrwxrwxrwx 1 root root     11 Feb 25 12:56 446cb3a7.0 -> studiokubota.com.pem 
-rw-r--r-- 1 root root   1578 Feb 25 12:47 studiokubota.com.pem