Letsencrypt / certbot

Notes

• Make sure you have a basic working Apache environment before running letsencrypt
  TODO: use new stuff from https://www.ullright.org/ullWiki/show/migrate-owncloud-to-nextcloud
• Letsencrypt can only parse files with ONE vhost definition!
• "certbot-auto" does not exist on recent installations with ppa. Use "certbot" instead.

Ubuntu 16.04, 18.04

• https://certbot.eff.org/

• apt-get install software-properties-common

• add-apt-repository ppa:certbot/certbot
• apt-get install certbot
• certbot --apache
• Test at https://www.ssllabs.com/ssltest/

Apache only ssl

• vi etc/apache2/ports.conf
  • Comment out"Listen 80"
• Deactivate all sites except /etc/apache2/sites-available/000-default-le-ssl.conf
• vi /etc/apache2/sites-available/000-default-le-ssl.conf

List certificates

• certbot certificates

Delete certificate

• certbot delete
  • Choose your certificate from the list and enter the number

Troubleshooting

• openssl s_client -showcerts -connect server.example.com:443
• https://www.ssllabs.com/ssltest/analyze.html

Ubuntu 18.04 DNS Challenge

Obtaining a certificate is quite cumbersome, you have to repeat the process every 3 month.
TODO: check out automatic update via dynamic DNS

• Configure quick DNS zone update (example for Hetzner, 15min)

  • $TTL 900
    @   IN SOA ns1.first-ns.de. postmaster.robot.first-ns.de. (
        2019082401   ; serial
        900          ; refresh
        600          ; retry
        604800       ; expire
        900 )        ; minimum

• Install certbot

  • add-apt-repository ppa:certbot/certbot

  • apt update

  • apt install certbot

• certbot -d myhost.example.com --manual --preferred-challenges dns certonly
  • Create DNS entry, remove the domain from the name!!!

    • _acme-challenge.myhost       IN TXT     "asdf42asdf42asdf42asdf42asdf42asdf42"

  • Test if the entry is already available (in another terminal)
    • dig -t txt _acme-challenge.myhost.example.com
  • If your local nameserver is slow, use a generic one (example: google DNS)
    • echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
    • systemd-resolve --flush-caches

Ubuntu 14.04

Installation

• Make sure apache configs are ok and apache restart works without problems
• cd /usr/local/bin
• wget https://dl.eff.org/certbot-auto
• chmod a+x certbot-auto
• certbot-auto
• vi /etc/crontab

  • # Renew letsencrypt https certificates
    33 11,22 * * *   root certbot-auto renew --quiet --no-self-upgrade

Manual Certificates

• certbot-auto certonly --apache --domains www.example.com
  • -> at vhost selection type "c" to cancel
• vi /etc/apache2/sites-available/example.com

  • <IfModule mod_ssl.c>
    <VirtualHost *:443>
      ...
      SSLEngine on
      SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
      Include /etc/letsencrypt/options-ssl-apache.conf
      SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem
    </VirtualHost>
    </IfModule>
    
    
    # Alternative names and force ssl redirect
    <VirtualHost *:80>
      ServerName www.example.com
      ServerAlias example.com
      RewriteEngine on
      RewriteRule ^ https://www.example.com%{REQUEST_URI} [L,QSA,R=permanent]
    </VirtualHost>

• apache2ctl configtest
• apache2ctl restart

Move / Merge certificates

• rsync -av --keep-dirlinks /mnt/etc/letsencrypt/archive/ /etc/letsencrypt/archive/
• rsync -av --keep-dirlinks /mnt/etc/letsencrypt/live/ /etc/letsencrypt/live/
• rsync -av --keep-dirlinks /mnt/etc/letsencrypt/renewal/ /etc/letsencrypt/renewal/

Upgrade from Ubuntu 12.04 to 14.04

• Error:

  • Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt: 
    Traceback (most recent call last):
      File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
        from certbot.main import main
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 11, in <module>
        from acme import jose
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/__init__.py", line 37, in <module>
        from acme.jose.interfaces import JSONDeSerializable
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/interfaces.py", line 9, in <module>
        from acme.jose import util
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/jose/util.py", line 5, in <module>
        import OpenSSL
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
        from OpenSSL import rand, crypto, SSL
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/crypto.py", line 1, in <module>
        import datetime
    ImportError: No module named datetime

• mv /opt/eff.org/certbot /opt/eff.org/certbot.old
• certbot-auto