@ykarikos
Last active February 18, 2018 01:13
Howto start using Letsencrypt with simp_le

What I had:

What I wanted:

  • A Letsencrypt certificate for Apache, Postfix and Dovecot
  • Simple tool for managing certificates that does not need root privileges
  • Automatic renewal

The official Letsencrypt client is quite a beast and needs root and a lot of dependencies. I checked a Comparison of 10 ACME / Let's Encrypt Clients and decided to give simp_le a go.

This documentation is licensed with the Creative Commons BY-SA 4.0 License.

Step 1. Generate certificates

First install https://github.com/zenhack/simp_le/, then run it:

mkdir /etc/letsencrypt/mydomain.fi
cd /etc/letsencrypt/mydomain.fi
simp_le -d mydomain.fi:/var/www/mydomain.fi -f key.pem \
  -f cert.pem -f fullchain.pem -f account_key.json --email me@mydomain.fi
chmod 0600 key.pem

Step 2. Configure Apache, Postfix and Dovecot

/etc/apache2/sites-available/default-ssl.conf

-  SSLCertificateFile      /etc/ssl/certs/mydomain.pem
-  SSLCertificateKeyFile /etc/ssl/private/mydomain.pem
+  SSLCertificateFile      /etc/letsencrypt/mydomain.fi/fullchain.pem
+  SSLCertificateKeyFile /etc/letsencrypt/mydomain.fi/key.pem

/etc/postfix/main.cf

-smtpd_tls_cert_file = /etc/ssl/certs/mydomain.pem
-smtpd_tls_key_file = /etc/ssl/private/mydomain.pem
+smtpd_tls_cert_file = /etc/letsencrypt/mydomain.fi/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/mydomain.fi/key.pem

/etc/dovecot/conf.d/10-ssl.conf

-ssl_cert = </etc/ssl/certs/mydomain.pem
-ssl_key = </etc/ssl/private/mydomain.pem
+ssl_cert = </etc/letsencrypt/mydomain.fi/fullchain.pem
+ssl_key = </etc/letsencrypt/mydomain.fi/key.pem

And reload the configurations:

for s in apache2 dovecot postfix; do service $s reload; done

Step 3. Test that everything works

It verks \o/ Yay!

Step 4. Configure Apache to redirect to HTTPS and to use HSTS

Make sure the headers and alias modules are enabled, i.e. that /etc/apache2/mods-available/headers.load, /etc/apache2/mods-available/alias.conf and /etc/apache2/mods-available/alias.load are symlinked from /etc/apache2/mods-enabled/.

/etc/apache2/sites-available/000-default.conf

+ # redirect everything to https
+ RedirectMatch permanent /(.*)$ https://mydomain.fi/$1

/etc/apache2/sites-available/default-ssl.conf

+ # Set HSTS header with 2 month max-age
+ Header always set Strict-Transport-Security "max-age=5184000"
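A quick way to verify the two vhost changes above is to look at the raw response headers rather than trusting the browser. The following is an added example, not part of the gist: it checks that the port-80 response is a permanent redirect to an https:// URL on the expected host, and that the port-443 response carries a Strict-Transport-Security header whose max-age is at least the 2-month value used above. Feed it the output of `curl -sI http://mydomain.fi/` and `curl -sI https://mydomain.fi/`; HSTS_MIN_AGE and the hostname argument are assumptions, and the sample headers are constructed.

```shell
#!/bin/bash
# Added example, not from the gist: checks over raw HTTP response headers for
# the two vhosts configured in Step 4. Feed it the headers captured with
# `curl -sI http://mydomain.fi/` (expects the redirect) and
# `curl -sI https://mydomain.fi/` (expects HSTS). HSTS_MIN_AGE defaults to
# the gist's 2-month value; it and the hostname argument are assumptions.

HSTS_MIN_AGE="${HSTS_MIN_AGE:-5184000}"

# hsts_max_age: print the max-age of the Strict-Transport-Security header
# read from stdin (header names are case-insensitive), or nothing if absent.
hsts_max_age() {
  tr -d '\r' | tr 'A-Z' 'a-z' \
    | sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' \
    | head -n 1
}

# check_hsts: succeed if stdin carries HSTS with max-age >= HSTS_MIN_AGE.
check_hsts() {
  local age
  age=$(hsts_max_age)
  [ -n "$age" ] && [ "$age" -ge "$HSTS_MIN_AGE" ]
}

# check_redirect HOST: succeed if stdin is a 301 whose Location is an
# https:// URL on HOST, i.e. what the RedirectMatch in Step 4 produces.
check_redirect() {
  local host="$1" hdrs status location
  hdrs=$(tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
  location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
  [ "$status" = 301 ] || return 1
  case "$location" in
    "https://$host/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage (constructed sample headers; on a live host pipe curl -sI output in):
# printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://mydomain.fi/\r\n\r\n' \
#   | check_redirect mydomain.fi && echo "redirect OK"
# printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=5184000\r\n\r\n' \
#   | check_hsts && echo "HSTS OK"
```

A 302 or a Location pointing back at http:// fails the redirect check, and an HSTS header with a max-age shorter than the configured minimum fails the HSTS check, which catches the common mistake of setting the header on the port-80 vhost or with a test value and forgetting to raise it.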

Step 5. Setup renewal script

Create the letsencrypt user

adduser --system --disabled-login --disabled-password --home /etc/letsencrypt --shell /bin/false --no-create-home letsencrypt
chown -R letsencrypt /etc/letsencrypt
chown letsencrypt /var/www/mydomain.fi/.well-known/acme-challenge/

/etc/cron.daily/renew-letsencrypt

simp_le does not renew the certificate while it is still more than 30 days from expiry (it exits with status 1 and does nothing). The script is run daily so that it gets another chance every day and renews on the first run after the 30-day mark, well before the certificate could actually expire.

#!/bin/bash

DIR=/etc/letsencrypt/mydomain.fi
USER=letsencrypt
CMD=/usr/local/bin/simp_le
EMAIL=me@mydomain.fi

cd "$DIR" || exit 1

# simp_le exit codes: 0 = certificate renewed, 1 = still valid (nothing done),
# anything else = error
output=$(sudo -u "$USER" "$CMD" -d mydomain.fi:/var/www/mydomain.fi -f key.pem \
  -f cert.pem -f fullchain.pem -f account_key.json --email "$EMAIL" 2>&1)
retval=$?

# Skip printing output if the certificate was not renewed (keeps cron quiet)
if [ "$retval" -ne 1 ]; then
  echo "$output"
  echo "Return value: $retval"
fi

# Only reload the services when a new certificate was actually written
if [ "$retval" -eq 0 ]; then
  chmod 0600 key.pem
  for s in apache2 dovecot postfix; do
    service "$s" reload
  done
fi
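The renewal script above relies on the client's exit status to decide between "stay quiet", "reload" and "report an error". The following is an added example, not the gist's own script, that isolates that decision in a function so it can be exercised with stub commands: SIMP_LE, RELOAD_HOOK and CERT_DIR are assumed, overridable variables, the exit-code contract (0 renewed, 1 still valid, other = failure) is taken from the text above, and the `sudo -u letsencrypt` step is left in front of the client invocation rather than inside the wrapper. It also refuses to reload the services if the freshly written key.pem did not end up with mode 0600.

```shell
#!/bin/bash
# Added example, not the gist's own script: a renewal wrapper that branches on
# the ACME client's exit status instead of echoing everything. Exit-code
# contract assumed here, as the gist describes it for simp_le:
#   0 = certificate was renewed, 1 = still valid (nothing done),
#   anything else = failure.
# SIMP_LE, RELOAD_HOOK and CERT_DIR are assumptions (overridable variables)
# so the logic can be exercised with stub commands instead of a live ACME run.
# The gist's `sudo -u letsencrypt` belongs in front of the client; it is left
# out here so the wrapper can be tested without privileges.

SIMP_LE="${SIMP_LE:-/usr/local/bin/simp_le}"
RELOAD_HOOK="${RELOAD_HOOK:-reload_services}"
CERT_DIR="${CERT_DIR:-/etc/letsencrypt/mydomain.fi}"

# Default reload hook: the same three services as in the gist.
reload_services() {
  local s
  for s in apache2 dovecot postfix; do
    service "$s" reload
  done
}

# key_is_private FILE: succeed only if FILE is a regular file with mode 0600
# (a trailing '+' or '.' from ACLs/SELinux in ls output is tolerated).
key_is_private() {
  [ -f "$1" ] || return 1
  case "$(ls -l "$1")" in
    -rw-------*) return 0 ;;
    *) return 1 ;;
  esac
}

# renew_and_reload CLIENT-ARGS...: run the client in CERT_DIR and act on its
# status. Returns 0 after a renewal and reload, 1 when nothing needed doing,
# 3 if the new key has unsafe permissions, 4 if CERT_DIR is missing,
# otherwise the client's own status.
renew_and_reload() {
  local output status
  cd "$CERT_DIR" || return 4
  output=$("$SIMP_LE" "$@" 2>&1)
  status=$?
  case "$status" in
    1)
      # More than 30 days left: stay silent so cron sends no mail.
      return 1 ;;
    0)
      chmod 0600 "$CERT_DIR/key.pem"
      if ! key_is_private "$CERT_DIR/key.pem"; then
        echo "refusing to reload: $CERT_DIR/key.pem is not mode 0600" >&2
        return 3
      fi
      "$RELOAD_HOOK"
      echo "certificate renewed, services reloaded"
      return 0 ;;
    *)
      # Real failure: surface the client output so cron mails it.
      printf '%s\nclient exited with status %s\n' "$output" "$status" >&2
      return "$status" ;;
  esac
}

# Usage from the daily cron script (hypothetical invocation):
# renew_and_reload -d mydomain.fi:/var/www/mydomain.fi -f key.pem \
#   -f cert.pem -f fullchain.pem -f account_key.json --email me@mydomain.fi
```

Because the wrapper returns the client's status on failure and 1 on "nothing to do", a cron entry such as `renew_and_reload ... || [ $? -eq 1 ]` stays silent on the normal daily no-op while still producing a non-zero exit (and mailed output) on a real ACME or permission error.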