Using certbot to secure your personal site

A guide to using certbot to create a trusted, valid and free certificate for your website.

Posted: Wed 01 Mar, 2017, 17:26
I've been running my own website for a few years now. I use the Apache web server and a wiki-style backend called triki for creating, editing and rendering my content. The content is a mixture of public and private material, where people I know can log in to see the restricted parts. Given that logins and private pages travel over the wire, it has been on my mind that I really should serve the site over HTTPS so that all traffic is encrypted in transit.

As of last year there is a free, automated way of doing this using a tool called certbot. Sure, it has been possible to acquire free SSL certificates before, but there have been issues. StartSSL, for example, offered a free certificate, but Mozilla recently distrusted it over an undisclosed change of ownership. A self-signed certificate gives browser warnings whenever someone visits the site. certbot, however, is a command line tool that talks to the Let's Encrypt CA, whose certificates are trusted by all the main browsers. As of today I know it works in Firefox, IE and Chrome, which covers the vast majority of users.

Let's Encrypt is a new free, automated and open Certificate Authority (CA). It launched at the beginning of 2016 and is run by the Internet Security Research Group (ISRG). They employ a grand total of 9 people and, like all good startups, rely heavily on automation to support their burgeoning user base. Check out their usage stats to see how many certificates they are now issuing: around 25 million active certificates as of Jan 2017, which possibly makes them the biggest CA in the world by certificate count.

certbot is a command line tool that can read your domain names from your web server configuration, talk to Let's Encrypt to prove you control them, and generate the private key and the certificate. Once it has run, just point your Apache instance at the files and hey presto, your site is secured. The certificates are only valid for 90 days, so the advice is to run certbot's renew command from cron (covered below); it only actually renews a certificate once it is within 30 days of expiry, so running it often is harmless and gives a failed attempt time to be retried.

Enough talking, let me show you how it works.

Installing the software

The installation documentation is very good; the certbot authors (the EFF) have gone to great lengths to support as many OS/web server combinations as possible. I run Linux/Apache, so that is what is covered here. I also run Gentoo, so this is my command to download and install certbot together with its Apache plugin. Substitute apt-get or whatever package manager your Linux flavour uses.

    emerge -av app-crypt/certbot-apache
        

Requesting a certificate

Then, to request a certificate, simply run the command below. The certonly subcommand obtains the certificate without modifying the Apache configuration; the --apache plugin is still used to answer the validation challenge. Note the acme-v01 endpoint and the tls-sni-01 challenge in the output: both have since been retired by Let's Encrypt, and a current certbot will use the v2 API with an http-01 challenge instead, but the rest of the flow is the same.

    pequod conf.d # certbot --apache -d www.donaldmcintosh.net certonly
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for www.donaldmcintosh.net
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem

Running the command writes the certificate, key and chain under /etc/letsencrypt, shown below. The archive directory holds the actual files, with a new numbered set added on every renewal; the live directory holds symlinks to the most recent set and is the location you should reference from Apache, so that renewals are picked up without touching the configuration. Alongside cert.pem, privkey.pem and chain.pem, live/<domain>/ also contains fullchain.pem, which is cert.pem followed by chain.pem in one file. The keys and csr directories hold the intermediate artefacts of each request. Note the permissions: accounts (your ACME account key), archive, keys and live are mode 0700 and owned by root because they contain private keys; leave them that way and don't copy privkey.pem somewhere more readable:

    pequod ~ # ls -al /etc/letsencrypt/
    total 40
    drwxr-xr-x  8 root root 4096 Feb 22 11:37 .
    drwxr-xr-x 39 root root 4096 Feb 22 11:31 ..
    drwx------  4 root root 4096 Feb 22 11:33 accounts
    drwx------  4 root root 4096 Feb 22 11:20 archive
    drwxr-xr-x  2 root root 4096 Feb 22 11:36 csr
    drwx------  2 root root 4096 Feb 22 11:36 keys
    drwx------  3 root root 4096 Feb 22 11:34 live
    -rw-r--r--  1 root root 1389 Feb 17 18:49 options-ssl-apache.conf
    -rwxr-xr-x  1 root root   36 Feb 22 11:37 renew.sh
    drwxr-xr-x  2 root root 4096 Feb 22 11:34 renewal

Activating in Apache

certbot can do the activation for you, but I prefer to run this as a two-stage process: request the certificates first, then apply the configuration. This is as simple as adding the following to the SSL-enabled VirtualHost in your Apache configuration; chances are there is a template there which you can just enable. The chain file directive is important: Let's Encrypt signs your certificate with an intermediate CA, not with the root that browsers ship, so the server has to send that intermediate along with your certificate. Without it, any browser that does not already have the intermediate cached (and any client that cannot fetch missing intermediates itself) will reject the certificate as issued by an unknown CA. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated; there, point SSLCertificateFile at fullchain.pem instead and drop the chain directive.

    SSLCertificateFile /etc/letsencrypt/live/www.donaldmcintosh.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.donaldmcintosh.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.donaldmcintosh.net/chain.pem
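To see why chain.pem (or fullchain.pem) matters, here is an added example, not part of the original post or of certbot: it builds a throwaway root CA, an intermediate and a server certificate with openssl, in the same root/intermediate/leaf shape Let's Encrypt uses, and then verifies the leaf with and without the intermediate. The CA names, the hostname www.example.test and the file names are all made up for the demonstration; openssl and mktemp are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): why the server must send chain.pem.
# Builds a toy PKI with openssl and verifies the leaf the way a browser would.
set -eu

# Create root CA -> intermediate CA -> leaf in $1. File names mirror certbot's
# live/ directory: cert.pem, privkey.pem, chain.pem, fullchain.pem.
make_toy_pki() {
  dir=$1
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
  # 1. Root CA, self-signed. Stands in for the root a browser already trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$dir/pki.cnf" -extensions v3_ca -subj "/CN=Toy Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  # 2. Intermediate CA, signed by the root. This is what chain.pem carries.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
    -subj "/CN=Toy Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -sha256 -days 30 -extfile "$dir/pki.cnf" -extensions v3_ca \
    -out "$dir/chain.pem" >/dev/null 2>&1
  # 3. Leaf (server) cert, signed by the intermediate, NOT by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
    -subj "/CN=www.example.test" -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/chain.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -sha256 -days 30 -extfile "$dir/pki.cnf" -extensions v3_leaf \
    -out "$dir/cert.pem" >/dev/null 2>&1
  # fullchain.pem = leaf followed by intermediate, as certbot produces it.
  cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
}

# Verify leaf $3 for hostname $4 against trusted root $1, offering $2 as the
# untrusted intermediate bundle the server sends. Pass "" for $2 to model a
# server configured without SSLCertificateChainFile. Exit 0 = trusted.
chain_ok() {
  root=$1; chain=$2; leaf=$3; host=$4
  if [ -n "$chain" ]; then
    openssl verify -CAfile "$root" -untrusted "$chain" -verify_hostname "$host" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" -verify_hostname "$host" "$leaf" >/dev/null 2>&1
  fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_toy_pki "$WORK"
if chain_ok "$WORK/root.pem" "" "$WORK/cert.pem" www.example.test; then
  echo "cert.pem alone: trusted (unexpected)"
else
  echo "cert.pem alone: NOT trusted; this is the 'unknown CA' error a browser shows without chain.pem"
fi
if chain_ok "$WORK/root.pem" "$WORK/chain.pem" "$WORK/cert.pem" www.example.test; then
  echo "cert.pem + chain.pem: trusted"
fi
```

The verify step with `-untrusted` is the shape of what a TLS client does: the only thing it trusts up front is the root, and everything needed to get from your certificate up to that root has to arrive in the handshake. The same check against a live server is `openssl s_client -connect host:443 -servername host`, whose "Verify return code" line tells you whether the chain the server actually sent was complete.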
        

Keeping the certificate renewed automatically

And then, to keep the certificate from ever expiring, create a cron entry like the following. It runs twice a day, which is what the certbot project suggests; renew only replaces certificates that are within 30 days of expiry, so most runs do nothing, and the frequent schedule just means a failed attempt gets retried well before the deadline. Two things to note: this entry calls certbot-auto from a home directory, whereas if you installed certbot from your distribution's package as above you should call the packaged certbot binary instead (--no-self-upgrade only applies to certbot-auto); and because we used certonly, nothing reloads Apache after a renewal, so add a reload of the web server with certbot's --deploy-hook option or a renew_hook in the lineage's file under /etc/letsencrypt/renewal/, otherwise Apache keeps serving the old certificate until its next restart:

    0 1,13 * * 0-6  /home/pi/certbot-auto renew --no-self-upgrade
        

That's it. Your website is secured using fully encrypted HTTPS, using a simple, free and automated process.
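A renewal that quietly fails is only noticed when the site stops working, so it is worth pairing the cron above with an independent expiry check. The script below is an added example, not from the original post or from certbot: it walks a directory laid out like /etc/letsencrypt/live and flags any lineage that is already inside certbot's 30-day renewal window, which on a healthy setup should never happen. It assumes openssl, mktemp and GNU date (Linux); the lineage names and the throwaway self-signed certificates it creates for the demonstration are constructed test data.

```shell
#!/bin/sh
# Added example (not from the original post): an expiry check to run alongside
# the renewal cron. Assumes openssl and GNU date; the live/ layout mirrors
# /etc/letsencrypt/live/<domain>/cert.pem.
set -eu

# Days until the certificate in $1 expires (integer, rounded down).
days_until_expiry() {
  not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  end=$(date -u -d "$not_after" +%s)     # GNU date parses "Jun 10 12:00:00 2025 GMT"
  now=$(date -u +%s)
  echo $(( (end - now) / 86400 ))
}

# Exit 0 if the certificate in $1 expires within $2 days (default 30, the same
# window certbot renew uses to decide that a lineage needs renewing), else 1.
renewal_due() {
  ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Print one line per lineage under $1 and return 1 if any of them is inside the
# renewal window, i.e. the cron should already have renewed it and has not.
check_live_dir() {
  rc=0
  for certfile in "$1"/*/cert.pem; do
    name=$(basename "$(dirname "$certfile")")
    left=$(days_until_expiry "$certfile")
    if renewal_due "$certfile"; then
      echo "WARN $name: $left days left, renewal overdue"
      rc=1
    else
      echo "ok   $name: $left days left"
    fi
  done
  return $rc
}

# Constructed test data: a throwaway self-signed cert per "lineage", with the
# validity chosen to land on each side of the 30-day window.
make_toy_lineage() {   # $1 live dir, $2 lineage name, $3 days of validity
  mkdir -p "$1/$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
    -keyout "$1/$2/privkey.pem" -out "$1/$2/cert.pem" >/dev/null 2>&1
}

LIVE=$(mktemp -d)
trap 'rm -rf "$LIVE"' EXIT
make_toy_lineage "$LIVE" www.example.test 60   # freshly renewed
make_toy_lineage "$LIVE" old.example.test 10   # should have been renewed by now
check_live_dir "$LIVE" || echo "at least one certificate needs attention"
```

Pointed at the real /etc/letsencrypt/live (it needs root to read it) and run from a second cron entry, a non-zero exit or a WARN line in the mail cron sends you is the signal that the renewal job itself is broken, well before anyone sees a browser warning.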