Let’s Encrypt is a great service to get free SSL certificates. There is no more excuse to not encrypt all your services, it’s Free!! Let’s Encrypt is able to offer these free certificates by automating everything. The certificates it offers are good for 90 days but… and here is the good part… the renewal is automated so once you have it setup, it can go for years without your intervention. It just works.
In order to make all the automation work, you will need to install and setup a Let’s Encrypt client. There are a number of clients to choose from but I prefer acme.sh. The acme.sh client is completely written as a shell script to it will run almost anything.
Security and Let’s Encrypt
All my instances of OctoPi are on my internal network and I do not allow any access to their web interface from the Internet. This is great for security, I don’t have to worry about my OctoPi instances but it does limit the way your can install Let’s Encrypt. Let’s Encrypt needs to verify that you are the owner of the host (domain name) that you are requesting. The default way to do this verification is for Let’s Encrypt to requests a special file from your web server that it can use for verification. Since I do not allow access from the Internet, it is not able to do this. Not to worry though, Let’s Encrypt know that this might be an issue and also allows you to verify the ownership other ways. I use Let’s Encrypt’s DNS-01 verification for this. This means that the Let’s Encrypt client running on my OctoPi will update my dynamic DNS with a special TXT record that can be used to verify the ownership. I use this process for all the hosts on my internal network. I have not included the information here on how to setup your own DNS server (or use a hosted dynamic DNS server). That is a whole other subject that I may create a writeup for in the future. Just be aware that my examples below assume you have a dynamic DNS server and a key to update it with.
Installing the client
To get the client installed, we will first install socat. Socat is not required for acme.sh to work but it is preferred and acme.sh will give you a warning on startup if it is not installed.
# apt-get install socat
The easiest way to install acme.sh is to download it from the github repository and then install it. This makes sure you have the latest version. Run the following command to grab the client and install it:
# mkdir -p /usr/local/src
# cd /usr/local/src
# wget https://github.com/Neilpang/acme.sh/archive/master.tar.gz
# tar -xvf master.tar.gz
# cd acme.sh-master
# ./acme.sh --install --nocron --home /usr/local/share/acme.sh --account "username@example.com"
The acme.sh client is now installed in /usr/local/share/acme.sh. Next we need to make some configuration changes:
Edit /usr/local/share/acme.sh/account.conf as follows:
ACCOUNT_EMAIL="username@example.com"
DEFAULT_DNS_SLEEP="20"
USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'
SAVED_NSUPDATE_SERVER='dns.example.com'
SAVED_NSUPDATE_SERVER_PORT=''
SAVED_NSUPDATE_KEY='/usr/local/share/acme.sh/Kacme-example.com.bind.key'
SAVED_NSUPDATE_ZONE=''
Copy over haproxyCert.sh Kacme-example.com* from a working system into /usr/local/share/acme.sh
Make the installed certificates working on haproxy:
# cd /etc/haproxy
# mkdir certs
# chmod g-r,o-r certs
Check the install script /usr/local/share/acme.sh/haproxyCert.sh and confirm it looks good. NOTE: by default the cert name is the hostname of the system. You may need to change this.
Issue a Certificate
NOTE: This assumes all domains are in int.bohica.net (our internal dynamic zone)
# /usr/local/share/acme.sh/acme.sh --issue --nocron --dns dns_nsupdate --home /usr/local/share/acme.sh --reloadcmd /usr/local/share/acme.sh/haproxyCert.sh -d 'octopi.example.com' -d '3dprint.example.com'
Update the Crontab so that the certificate will get automatically renewed:
10 3 * * 3 root /usr/local/share/acme.sh/acme.sh --cron --dns dns_nsupdate --home /usr/local/share/acme.sh