This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.
Please visit our production wiki at https://wiki.gentoo.org
Let's Encrypt
certbot, previously known as Let's Encrypt client, is a free, automated, and open certificate authority client.
From the official website: "Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands."[1]
Preliminary
Point an external IP at a web server listening on HTTP (port 80/TCP) and HTTPS (port 443/TCP), and set up DNS for it. This is important: you have to prove that you control the IP/domain. Dynamic DNS can be used if necessary.
Installation
It is helpful to read the official documentation and official installation instructions (select Gentoo from the Operating System dropdown) before proceeding with this article.
certbot
app-crypt/certbot: Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your web server. Certbot can automatically configure your web server to start serving over HTTPS immediately.
root #
emerge --ask app-crypt/certbot
acme-tiny (optional)
app-crypt/acme-tiny is a short, auditable Python script which avoids a lot of the bloat included in the official client.
root #
emerge --ask app-crypt/acme-tiny
Configuration
certbot
Automatic configuration
Run certbot with the corresponding web-server plugin and domain. Certbot automatically changes the vhost configuration. For example, for nginx:
root #
certbot --nginx -d example.com
Manual configuration
Run certbot with the corresponding web-server plugin and domain, with the certonly option:
root #
certbot --nginx certonly -d example.com
Configure your virtual host. For example, for nginx:
/etc/nginx/vhost.d/example.vhost
vhost configuration:
server {
    listen 80;
    server_name example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 default_server ssl;
    server_name example.org;
    root /var/www/example/htdocs;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    location / {
        # set nginx configuration
    }
}
acme-tiny
The documentation on [1] is the best place to look for the most up to date information, but has been summarized below:
Make a directory for challenges to be created in:
root #
mkdir /var/www/localhost/acme-challenge/
Add this to the Apache HTTP vhost, i.e. the port 80 vhost:
/etc/apache2/vhosts.d/00_default_vhost.conf
Challenge alias in Apache:
Alias /.well-known/acme-challenge/ /var/www/localhost/acme-challenge/
<Directory /var/www/localhost/acme-challenge/>
    AllowOverride None
    Require all granted
</Directory>
Set these in the Apache HTTPS vhost, i.e. the port 443 vhost:
/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
SSL certificate settings for Apache:
SSLCertificateFile /var/lib/letsencrypt/chained.pem
SSLCertificateKeyFile /var/lib/letsencrypt/domain.key
Make a directory to hold the various files related to LE:
root #
mkdir /var/lib/letsencrypt
root #
cd /var/lib/letsencrypt
Create an account key, domain key and a CSR (replace www.example.co.uk with your host name):
root #
openssl genrsa 4096 > account.key
root #
openssl genrsa 4096 > domain.key
root #
openssl req -new -sha256 -key domain.key -subj "/CN=www.example.co.uk" > domain.csr
Register and create the various certificate files. Check which intermediate certificate Let's Encrypt currently uses before downloading it:
root #
/usr/bin/acme-tiny --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/localhost/acme-challenge/ > ./signed.crt
root #
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
root #
cat signed.crt intermediate.pem > chained.pem
Reload configs for webserver:
root #
service apache2 reload
or
root #
service nginx reload
or
root #
service lighttpd reload
Sample renewal script:
/usr/local/bin/renew-le-cert.sh
LetsEncrypt Cert renew script:
#!/bin/sh
# Renew the certificate with acme-tiny and rebuild the chain; absolute paths, since cron does not run this from /var/lib/letsencrypt.
LE=/var/lib/letsencrypt
# Sign into a temporary file so a failed renewal does not clobber the current certificate.
/usr/bin/acme-tiny --account-key $LE/account.key --csr $LE/domain.csr --acme-dir /var/www/localhost/acme-challenge/ > $LE/signed.crt.tmp || exit 1
mv $LE/signed.crt.tmp $LE/signed.crt
# Check which intermediate certificate Let's Encrypt currently uses.
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > $LE/intermediate.pem || exit 1
cat $LE/signed.crt $LE/intermediate.pem > $LE/chained.pem
service apache2 reload
Add a monthly cron job:
CRONJOB
# Renew Lets Encrypt certificate
0 0 1 * * /usr/local/bin/renew-le-cert.sh 2>> /var/log/acme_tiny.log
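A pre-flight check for the challenge directory, added here as an example that is not part of the original article or of acme-tiny: it writes a random token into the acme-challenge directory that the Apache Alias above exposes and fetches it back over plain HTTP, which is exactly what the certificate authority does to verify control of the domain (the Preliminary step). The base URL and the directory path are assumptions for illustration.

```python
"""Pre-flight check for the HTTP-01 challenge directory (added example).

Writes a random token into the acme-challenge directory and verifies that the
web server returns exactly that token at
http://<host>/.well-known/acme-challenge/<token>, which is what the CA fetches
when validating the domain. Run it on the web server before the first
acme-tiny run and whenever the vhost configuration changes.
"""
import os
import secrets
import urllib.error
import urllib.request

# Same directory as in the Apache Alias / acme-tiny --acme-dir (assumed here).
ACME_DIR = "/var/www/localhost/acme-challenge/"


def check_challenge_dir(base_url, acme_dir=ACME_DIR, timeout=10):
    """Return (ok, message); base_url is e.g. "http://www.example.co.uk"."""
    token = secrets.token_urlsafe(32)  # URL-safe, so it needs no quoting
    path = os.path.join(acme_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + token
    try:
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("ascii", "replace")
        except urllib.error.HTTPError as exc:
            return False, "HTTP %d for %s: check the Alias/Directory block" % (exc.code, url)
        except (urllib.error.URLError, OSError) as exc:
            return False, "cannot reach %s (%s): check DNS and port 80" % (url, exc)
        if body.strip() != token:
            return False, "unexpected body for %s: another vhost may be answering" % url
        return True, "challenge directory is served correctly at %s" % url
    finally:
        os.remove(path)  # never leave stale tokens behind


if __name__ == "__main__":
    import sys
    ok, msg = check_challenge_dir(sys.argv[1] if len(sys.argv) > 1 else "http://www.example.co.uk")
    print(msg)
    sys.exit(0 if ok else 1)
```

Run it as root on the web server after the Alias block is in place; a 404 points at the Alias/Directory configuration, a connection error at DNS or the port 80 listener.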
Usage
certbot
Invocation
user $
certbot --help
acme-tiny
For those who are not interested in using scripts, or who want to configure things manually the first time, the author of acme-tiny has provided a web page that gives step-by-step instructions, along with JavaScript to help walk you through setting up your certificates. The guide may be found on the Get HTTPS for Free website.
See also
- Apache - The most popular HTTP server used on the Internet.
- Nginx - A small, robust, and high-performance HTTP server and reverse proxy.
- Lighttpd - a very lightweight HTTP server.
External resources
- Manual installation - In the event manual installation is preferred. Note: Portage will not track the installation if Let's Encrypt is installed manually; this is not recommended by Gentoo developers.