Any recent "LetsEncrypt war-stories? Advice? Best practices?"
After receiving a "rude awakening" from the former SSL vendor that covers a combined site which has about 75 different URL store-fronts, I need to fairly-abruptly shift the whole thing over to LetsEncrypt.
The sites run from a single set of software running on a cloud server cluster, and I will need to reliably implement a process that can obtain and then renew the certificates for all of them automatically.
A slight twist is that the sites do not yet run on their "final" IP-address, although I do control both old and new.
Actively soliciting any input – especially, links to really good web sites / blogs – to make my hasty-path here as smooth and quick(!) as possible.
(I have already vacuumed previous posts here on LQ ... thankye ... and all of the links contained therein.)
I worked with the people behind Let's Encrypt a little bit whilst I was at NGINX. I use it on several websites I manage. It is very easy to use and manage, I highly recommend it. NGINX have a blog post on it:
As for your cert distribution problem, there is no automated way of doing it I'm aware of, I recommend using cron or similar to rsync the certs when it renews. There are people that have done this as you can see here:
This would be much easier to solve with a load balancer in front of the cluster rather than relying on the client to use DNS and having that do the SSL termination.
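The cron-plus-rsync distribution suggested above, written out as an added example (my code, not from the thread, NGINX, or certbot): a deploy hook that certbot runs once per renewed lineage, pushing the fresh files to the other cluster nodes and reloading the web server there. certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) to deploy hooks; the node names, the reload command and the hook path are assumptions to replace.

```shell
#!/bin/sh
# Added example, not certbot's own code: distribute a renewed certificate to
# the rest of the cluster. Install as /usr/local/sbin/acme-distribute.sh and
# wire it in from cron (paths and hostnames are assumed):
#   17 3 * * * root certbot renew --quiet --deploy-hook /usr/local/sbin/acme-distribute.sh
# certbot sets RENEWED_LINEAGE=/etc/letsencrypt/live/<name> for each renewed cert.

NODES=${NODES:-"web2.internal web3.internal"}        # assumed cluster hostnames
RELOAD_CMD=${RELOAD_CMD:-"systemctl reload nginx"}   # assumed reload command

# Same path on every node, so the vhosts can keep pointing at
# /etc/letsencrypt/live/<name>/ everywhere (as the thread suggests).
lineage_target() {
    printf '/etc/letsencrypt/live/%s/\n' "$(basename "$1")"
}

# live/ holds symlinks into ../../archive/, which would dangle on the far side;
# -L dereferences them so each node receives real files (-a keeps the 0600 key).
push_lineage() {
    lineage=$1; node=$2
    rsync -aL "$lineage/" "$node:$(lineage_target "$lineage")"
}

# Push to every node and reload; report which nodes failed instead of stopping
# at the first one, so a single dead node does not leave the others stale.
distribute() {
    lineage=$1; shift
    failed=""
    for node in "$@"; do
        if push_lineage "$lineage" "$node" && ssh -o BatchMode=yes "$node" "$RELOAD_CMD"; then
            echo "deployed $(basename "$lineage") to $node"
        else
            failed="$failed $node"
        fi
    done
    [ -z "$failed" ] || { echo "deploy failed on:$failed" >&2; return 1; }
}

# Only act when invoked by certbot as a hook; sourcing the file defines the functions only.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    distribute "$RENEWED_LINEAGE" $NODES
fi
```

Because the hook only runs for lineages that were actually renewed, it does nothing on the daily runs where nothing is within 30 days of expiry, and a failed push exits non-zero so certbot logs it.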
I just read their story about Comodo trying to register/patent their brand name. Makes me feel almost guilty for using Comodo myself, it was the best priced DV I found before I knew LE is now a CA. I hope it's no real threat to them, and was good to know they're able to lawyer up.
I think there are too many big companies (with really good lawyers) invested in it for Comodo to do any damage. Don't feel guilty about it, some of the best tech companies have done similar things in the past to try and stifle competition.
There is a quote that is often misattributed to Gandhi which applies a lot in the tech world (and probably other industries):
"First they ignore you, then they laugh at you, then they fight you, then you win"
Swapped out my existing Comodo with LE certificates today for 3 domains in an apache/vhost setup to try it out. Was very smooth. Used certonly with webroot parameters as I didn't want it messing around in my existing config blindly. Whole job took 5 mins. Automatic renewal is basically just a 'certbot renew' put into a cron.monthly script, which intervals it safely within the 90 day period. As long as the vhosts keep pointing to the same /etc/letsencrypt/live/* locations, it's all good.
For me the main gain is being able to sort more stuff into subdomains now. Wildcards (even DV) are annoyingly expensive.
I had StartSSL certificates that upon renewal this January gave me certificates valid until 2020. Only problem was after a few days Chrome started complaining that the certificate cannot be validated...
So I started to use LetsEncrypt - I use nginx BTW.
Now certbot is very easy to use, there are 2 scenarios:
NOTE that port 80/http is used, NOT 443 for verifications.
1. webroot module: you make sure anyone from outside can access the http://domain/.well-known/ directory and launch certbot with root rights; it will populate the directory with some token received from the letsencrypt site and subsequently verify that independently from outside.
2. standard mode: make sure port 80 is NOT used by your web server, launch certbot, which will launch an internal web server on that port temporarily and verify from outside. This does not need to change anything in your web server's config (but if you have a production server using http this is not practical).
Quote:
NOTE that port 80/http is used, NOT 443 for verifications....
That must be incorrect for existing and functional SSL vhosts - it works fine with those; I had an SSL-only host running on Comodo DV that was no problem. But for new vhosts that need SSL for the first time, this is correct. After generating the first certificate and making sure it works, you can then forward http to https, or deactivate the http vhost entirely, and certbot renew will also work fine. I tested this explicitly yesterday. Albeit with certonly and webroot with apache2; I have never used the apache module or nginx.
For me only port 80 worked. I had nginx running only on https and I could not get it to work; it was complaining that it could not connect until I enabled port 80 too. After that it worked.
I used the webroot plugin then. After that I stopped nginx on port 80 and tried the standalone, which worked.
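The webroot flow the posts above describe, with the port-80 point checked up front, as an added example (my code, not from the thread or from certbot): each store-front domain is probed over plain HTTP for the /.well-known/acme-challenge/ path before certbot is asked for a certificate, so a vhost that only answers on 443 is reported instead of failing validation. The domain-list path, the shared webroot and the contact address are assumptions.

```shell
#!/bin/sh
# Added example: preflight the HTTP-01 challenge path on port 80 for every
# domain in a list, then request one certificate per domain with
# certonly + webroot, which leaves the web server config untouched.
# Assumed: /etc/letsencrypt/domains.txt lists the domains, and every vhost
# serves /.well-known/acme-challenge/ from /var/www/acme. Usage: sh acme-issue.sh run

DOMAIN_LIST=${DOMAIN_LIST:-/etc/letsencrypt/domains.txt}
WEBROOT=${WEBROOT:-/var/www/acme}
CONTACT=${CONTACT:-hostmaster@example.com}    # assumed contact address

# Domains from the list file, one per line; blank lines and '#' comments dropped.
read_domains() {
    awk '{ sub(/#.*/, ""); gsub(/[ \t\r]/, ""); if ($0 != "") print }' "$1"
}

# Drop a throw-away token into the challenge directory and fetch it back over
# plain HTTP: the ACME server's first request goes to port 80 (it follows
# redirects, hence -L, but something must answer on 80 for that to happen).
probe_challenge() {
    domain=$1
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="preflight-$$-$(date +%s)"
    printf '%s\n' "$token" > "$dir/$token"
    got=$(curl -fsSL -m 10 "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
    rm -f "$dir/$token"
    [ "$got" = "$token" ]
}

# certonly + --webroot: certbot writes the real challenge file, Let's Encrypt
# fetches it, and no vhost config is modified. The plugin and paths are stored
# in /etc/letsencrypt/renewal/<domain>.conf, which is what 'certbot renew' reuses.
issue_cert() {
    certbot certonly --non-interactive --agree-tos -m "$CONTACT" \
        --webroot -w "$WEBROOT" -d "$1"
}

# Probe, then issue; keep going past failures and list them at the end.
run_all() {
    failed=""
    for d in $(read_domains "$1"); do
        if probe_challenge "$d"; then
            issue_cert "$d" || failed="$failed $d"
        else
            echo "skip $d: http://$d/.well-known/acme-challenge/ not reachable on port 80" >&2
            failed="$failed $d"
        fi
    done
    [ -z "$failed" ] || { echo "not issued:$failed" >&2; return 1; }
}

# Renewal afterwards is the one-liner from the thread; renew only touches certs
# that expire within 30 days, so running it daily is safe:
#   17 3 * * * root certbot renew --quiet --deploy-hook "systemctl reload nginx"

case "${1:-}" in
    run) run_all "$DOMAIN_LIST" ;;
esac
```

The probe is also useful at the move to the final IP address the original poster mentions: run it again after the DNS change, and any domain whose port-80 path stopped answering shows up before the next renewal rather than as a failed validation in the certbot log.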
Is running custom certonly/webroot commands for renewal preferable over just monthly cron'ing certbot renew?
Certbot user guide:
Quote:
This will attempt to renew any previously-obtained certificates that expire in less than 30 days. The same plugin and options that were used at the time the certificate was originally issued will be used for the renewal attempt, unless you specify other plugins or options.
Haven't had need for renewal yet, but my theory was that it won't mess with configuration, just update the certificates since they are already installed.
Does their "bot" attempt to update Apache configuration files?
The apache module does, if you use --apache. Even used together with certonly, it will make temporary changes and undo them at the end - including a temporary vhost for authentication. Use webroot to stay away from configuration files. Check out their documentation, it's pretty good.