Get your free SSL certificate and renew it automatically
Why SSL?
The primary reason why SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can access it. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can see your credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted with an SSL certificate. When an SSL certificate is used, the information becomes unreadable to everyone except for the server you are sending the information to. This protects it from hackers and identity thieves.
Why letsencrypt.org?
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
https://letsencrypt.org/about/
Advantages:
- Subdomain support
- Wildcard support
- API support
- Free
Disadvantages:
- Short validity period: 3 months
- Command-line skills needed
How to
We set up a certificate for Apache as an example.
Generate your certificate
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo ./certbot-auto --manual certonly
Note:
Separate sub-domains with commas. Wildcards can only be validated through DNS.
When it finishes, you will find your certificate in
/etc/letsencrypt/live/www.yourdomain.com/
Apply it to Apache
yum install mod_ssl openssl
Edit the configuration file
vi /etc/httpd/conf.d/ssl.conf
Find and update the following directives
# Note: "all -SSLv2" still allows SSLv3 and early TLS; consider disabling those too.
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateKeyFile /etc/letsencrypt/live/www.yourdomain.com/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/www.yourdomain.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.yourdomain.com/chain.pem
Save and restart Apache
service httpd restart
Renew the certificate
As mentioned, the certificate needs to be renewed roughly every 3 months.
Manually
./certbot-auto renew
Automatically
By setting up hooks, we can make the domain validation run automatically.
Set up a DNS-modifying hook based on cloudflare.com
vi /etc/letsencrypt/renewal/msg2.xyz.sh
#!/bin/bash
# Update the existing _acme-challenge TXT record with the value certbot
# exports in CERTBOT_VALIDATION, then give the change a moment to propagate.
curl --tlsv1.2 -X PUT "https://api.cloudflare.com/client/v4/zones/ZONEID/dns_records/RECORDID" \
     -H "X-Auth-Email: [email protected]" \
     -H "X-Auth-Key: APIAUTHKEY" \
     -H "Content-Type: application/json" \
     --data '{"type":"TXT","name":"_acme-challenge.msg2.xyz","content":"'"${CERTBOT_VALIDATION}"'","ttl":120,"proxied":false}'
sleep 5
More about the API https://api.cloudflare.com/#dns-records-for-a-zone-update-dns-record
Run renew with --manual-auth-hook
./certbot-auto renew --manual-auth-hook /etc/letsencrypt/renewal/msg2.xyz.sh
The validation will go through automatically with our hook, like this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/msg2.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/httpd.sh
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is /etc/letsencrypt/live/msg2.xyz/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/msg2.xyz/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Note: Certbot will remember the hook next time.
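A hardened version of the auth hook above, added here as an example and not part of the original post. It assumes a scoped Cloudflare API token in CF_API_TOKEN (instead of the account-wide global key), the zone and record ids in CF_ZONE_ID and CF_RECORD_ID, and that dig is installed; certbot itself supplies CERTBOT_DOMAIN and CERTBOT_VALIDATION. It validates the challenge value before splicing it into JSON, fails the hook on an API error, and polls DNS instead of sleeping a fixed 5 seconds.

```shell
#!/bin/sh
# Added example, not from the original post: a hardened certbot manual-auth-hook
# for the Cloudflare TXT record. Assumed environment you set yourself: CF_API_TOKEN
# (a scoped DNS-edit token), CF_ZONE_ID, CF_RECORD_ID. Certbot exports
# CERTBOT_DOMAIN and CERTBOT_VALIDATION when it runs the hook.
set -eu

# Record the CA will query; certbot already strips "*." for wildcard requests.
record_name() {
    printf '_acme-challenge.%s' "$1"
}

# The ACME validation value is base64url (A-Z a-z 0-9 - _); reject anything
# else rather than splice it into the JSON string unescaped.
build_payload() {
    case "$2" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf '{"type":"TXT","name":"%s","content":"%s","ttl":120,"proxied":false}' "$1" "$2"
}

# Replaces the post's fixed "sleep 5": poll a public resolver until the new value
# is visible, so the CA does not validate against a stale record. Assumes dig.
wait_for_dns() {
    tries=0
    while [ "$tries" -lt 12 ]; do
        if dig +short TXT "$1" @1.1.1.1 | tr -d '"' | grep -qxF -- "$2"; then
            return 0
        fi
        tries=$((tries + 1)); sleep 10
    done
    echo "TXT record $1 not visible after 120s" >&2; return 1
}

main() {
    name=$(record_name "$CERTBOT_DOMAIN")
    payload=$(build_payload "$name" "$CERTBOT_VALIDATION")
    # --fail turns an API error (4xx/5xx) into a hook failure instead of a
    # silent continue into a validation that is bound to fail.
    curl --fail --silent --show-error --tlsv1.2 -X PUT \
        "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records/$CF_RECORD_ID" \
        -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" \
        --data "$payload" > /dev/null
    wait_for_dns "$name" "$CERTBOT_VALIDATION"
}

# Only run when invoked by certbot, which exports CERTBOT_VALIDATION.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then main; fi
```

Pass it with --manual-auth-hook exactly as in the original command; certbot passes the same environment variables to any hook script.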
Restart Apache with a renewal hook
Although the newest certificate is now on disk, the httpd service must be restarted before it takes effect for clients. We can also do this automatically with a renewal hook.
vi /etc/letsencrypt/renewal-hooks/deploy/httpd.sh
#!/bin/sh
set -e
service httpd restart > /dev/null
Don't forget to make it executable:
chmod +x /etc/letsencrypt/renewal-hooks/deploy/httpd.sh
Make it a cron job
# Runs twice a day; the random sleep of up to an hour spreads renewal load on the CA.
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /path/to/certbot-auto renew