Using certbot to secure your personal site
A guide to using certbot to create a trusted, valid and free certificate for your website.
As of last year there is a freely available, automated method of doing this using a tool called certbot. It has been possible to acquire free SSL certificates before, but there have been issues: StartSSL, for example, offered a free certificate, but it was recently de-trusted by Mozilla over a lack of disclosure about its ownership, and a self-signed certificate gives browser warnings to everyone who visits the site. certbot, however, is a command line tool that talks to the letsencrypt CA, which is fully trusted by all the main browsers. As of today I know it works in Firefox, IE and Chrome, which between them cover almost everyone on the internet.
letsencrypt is a new free, automated and open Certificate Authority (CA). It launched at the beginning of 2016 and is backed by the Internet Security Research Group (ISRG). It employs a grand total of nine people and, like all good startups, relies heavily on automation to support its burgeoning user base. Check out its usage statistics to see how many certificates it is now issuing: 25 million active certificates as of January 2017, which possibly makes it the biggest CA in the world.
certbot is a clever command line tool that works out your domain name from your web server configuration, then talks to letsencrypt to generate the certificate and its private key. Once it has run, just point your Apache instance at the files and hey presto, your site is secured. The certificates are valid for 90 days; certbot's renew command only replaces a certificate that is within 30 days of expiry, so the advice is to run it from cron frequently (twice a day is the recommendation) and let it decide when a renewal is actually due.
Enough talking, let me show you how it works.
Installing the software
The documentation on how to install the software is very good; the certbot authors (the EFF) have gone to great lengths to support as many OS/web server combinations as possible. I run Linux/Apache, so that is what is covered here. I also run Gentoo, so this is my command to download and install certbot; substitute apt-get or whatever package management tool your Linux flavour uses.
emerge -av app-crypt/certbot-apache
Requesting a certificate
Then, to request a certificate, simply run the command below. The -d flag names the host the certificate is for, and certonly tells certbot to obtain the certificate without touching the Apache configuration. One caveat on the output: the tls-sni-01 challenge it shows has since been retired by Let's Encrypt, and newer certbot releases validate the Apache plugin with the http-01 challenge instead, which needs port 80 reachable from the internet; the rest of the process is the same.
pequod conf.d # certbot --apache -d www.donaldmcintosh.net certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.donaldmcintosh.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
Running the command generates the certificate, key and chain under the location shown below. The archive directory contains the actual files, but the live directory is the one you should reference from Apache, as it contains symlinks to the latest copies. Every renewal adds a new numbered set of files to archive, and the symlinks ensure only the most recent set is used. Note that accounts, archive, keys and live are all mode 0700: the site's private key and the ACME account key live under here, and nothing other than root should be able to read them:
pequod ~ # ls -al /etc/letsencrypt/
total 40
drwxr-xr-x 8 root root 4096 Feb 22 11:37 .
drwxr-xr-x 39 root root 4096 Feb 22 11:31 ..
drwx------ 4 root root 4096 Feb 22 11:33 accounts
drwx------ 4 root root 4096 Feb 22 11:20 archive
drwxr-xr-x 2 root root 4096 Feb 22 11:36 csr
drwx------ 2 root root 4096 Feb 22 11:36 keys
drwx------ 3 root root 4096 Feb 22 11:34 live
-rw-r--r-- 1 root root 1389 Feb 17 18:49 options-ssl-apache.conf
-rwxr-xr-x 1 root root 36 Feb 22 11:37 renew.sh
drwxr-xr-x 2 root root 4096 Feb 22 11:34 renewal
Activating in Apache
certbot can do the activation for you, but I prefer to run this as a two-stage process: request the certificates first and then apply the configuration. This is as simple as adding the following to the SSL-enabled VirtualHost in your Apache configuration; chances are there is a template there which you can just enable. The chain file directive is important: without it, clients that do not already have the Let's Encrypt intermediate certificate will usually fail to build a path to a trusted root and will report the site as untrusted. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated, and you can instead point SSLCertificateFile at fullchain.pem, which certbot also writes to the live directory and which contains the certificate followed by the chain. Either way, check from a machine other than your own that the full chain is actually served, since your own browser may already have the intermediate cached and will not show the problem.
SSLCertificateFile /etc/letsencrypt/live/www.donaldmcintosh.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.donaldmcintosh.net/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.donaldmcintosh.net/chain.pem
Keeping the certificate renewed automatically
And then, to stop the certificate from ever expiring, create a cron entry like the one below. It runs renew twice a day; renew does nothing unless a certificate is within 30 days of expiry, so running it often is cheap and leaves plenty of retries if letsencrypt is unreachable. Because the certificate was requested with certonly, a renewal does not reload Apache, so add a --deploy-hook that does (for example --deploy-hook "apachectl graceful"), otherwise Apache keeps serving the old certificate until it is next restarted:
0 1,13 * * 0-6 /home/pi/certbot-auto renew --no-self-upgrade
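Tying the live/archive layout, the chain and key files and the renewal together, here is an added example of a deploy hook for certbot renew. It is not part of the original post or of certbot itself. certbot really does export RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS to deploy hooks; the reload command, the file checks and the install path in the usage note are assumptions for this example. The hook refuses to reload Apache if any of the four files Apache will be pointed at is missing, if the private key is world-readable, or if the key does not belong to the certificate, so a broken renewal cannot take the site down.

```shell
#!/bin/sh
# Added example (not from the original post, not certbot's own code): a script
# for "certbot renew --deploy-hook" that checks the renewed lineage before
# telling Apache to pick up the new files.
#
# RENEWED_LINEAGE and RENEWED_DOMAINS are real variables certbot exports to
# deploy hooks. The reload command below is an assumption for this example.

# Command used to make Apache re-read its certificates; override for nginx etc.
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"

# check_lineage DIR: verify that DIR holds every file the Apache config points
# at, that each is readable, and that the private key is not world-readable.
# Returns 0 on success, 1 with a message on stderr otherwise.
check_lineage() {
    lineage="$1"
    for f in privkey.pem cert.pem chain.pem fullchain.pem; do
        if [ ! -r "$lineage/$f" ]; then
            echo "deploy-hook: missing or unreadable $lineage/$f" >&2
            return 1
        fi
    done
    # live/*.pem are symlinks into archive/, so follow them (-L) before testing
    # the mode; any "other" read bit (0004) on the key is a failure.
    if [ -n "$(find -L "$lineage/privkey.pem" -perm -004 2>/dev/null)" ]; then
        echo "deploy-hook: $lineage/privkey.pem is world-readable" >&2
        return 1
    fi
    return 0
}

# key_matches_cert CERT KEY: confirm the private key belongs to the certificate
# by comparing the public keys openssl derives from each. A mismatch means
# Apache would refuse to start after the reload. Skipped (returns 0) when
# openssl is not installed.
key_matches_cert() {
    cert="$1"; key="$2"
    command -v openssl >/dev/null 2>&1 || return 0
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "deploy-hook: $key does not match $cert" >&2
        return 1
    fi
    return 0
}

# deploy_hook: what certbot runs once per renewed lineage. Only reload the web
# server when the lineage passes every check.
deploy_hook() {
    lineage="${RENEWED_LINEAGE:?set by certbot; run this via --deploy-hook}"
    check_lineage "$lineage" || return 1
    key_matches_cert "$lineage/cert.pem" "$lineage/privkey.pem" || return 1
    echo "deploy-hook: renewed ${RENEWED_DOMAINS:-$lineage}, reloading web server"
    $RELOAD_CMD
}

# Only act when certbot has exported the lineage; sourcing the file for its
# functions (for instance from a test) runs nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
    exit $?
fi
```

Install it somewhere like /usr/local/sbin/certbot-deploy.sh (an assumed path) and either add --deploy-hook /usr/local/sbin/certbot-deploy.sh to the renew command in the cron above, or drop it into /etc/letsencrypt/renewal-hooks/deploy/, which newer certbot versions run automatically. certbot only invokes deploy hooks when a certificate was actually renewed, so the twice-daily cron stays idle the rest of the time and Apache is only reloaded when there is something new to serve.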
That's it. Your website is secured with HTTPS by a simple, free and automated process, and the certificate will keep itself current.