Tue Sep 17 14:23:41 +07 2019

Dealing with Let's Encrypt certificates

First usage

  1. Install acme.sh (the project has since moved to https://github.com/acmesh-official/acme.sh)
    git clone https://github.com/Neilpang/acme.sh
    
  2. Install nsupdate (on FreeBSD, install the bind-tools package)
  3. Set the environment variables as follows:
    NSUPDATE_SERVER=dns.cs.ait.ac.th
    NSUPDATE_KEY=/usr/local/etc/acme.sh/update.key
    NSUPDATE_ZONE=cs.ait.ac.th
    
    Note that the update.key file (the TSIG key) has to be copied from Olivier's account on banyan; treat it like a password, since anyone holding it can create the _acme-challenge TXT records and obtain certificates for our names.
    These variables are only needed the first time acme.sh is run; acme.sh then saves them in its configuration file. The update.key file itself, however, must be present at the configured path every time acme.sh is run in the future.
  4. On the DNS server, edit /var/chroot/named/etc/namedb/named.conf and add the following line to the update-policy block of the cs.ait.ac.th zone (acme-sh-update is the name of the TSIG key stored in update.key; the grant is deliberately limited to the _acme-challenge TXT record of that one name):
    grant acme-sh-update name _acme-challenge.xxx.cs.ait.ac.th TXT;
    
    then reload DNS (rndc reload).

Generate a certificate

Note: it does not work on mail (a communication problem); until it is fixed, generate the certificate on ufo.

With the DNS API, generating the Let's Encrypt certificate with DNS validation can be done in a single command:

~/acme.sh/acme.sh --issue --dns dns_nsupdate --force --signcsr --csr /usr/local/ssl/csr/xxx.cs.ait.ac.th.csr -d xxx.cs.ait.ac.th

The parameter --force makes acme.sh issue even when it considers the existing certificate not yet due for renewal; it is required in our setup because the script is run through sudo.

Install the certificate

  1. Change directory to ~/.acme.sh/xxx.cs.ait.ac.th
  2. Check that the new certificate matches our private key:
    openssl x509 -noout -modulus -in xxx.cs.ait.ac.th.cer | md5
    sudo openssl rsa -noout -modulus -in /usr/local/ssl/key/xxx.cs.ait.ac.th.key|md5
    
    Both commands should print the same digest. If they differ, the certificate was issued for a different key: something went terribly wrong, abort! (This modulus comparison only works for RSA keys; on Linux the digest command is md5sum.)
  3. Check the intermediate CA file:
    diff ca.cer /usr/local/ssl/ca/xxx.cs.ait.ac.th.ca
    
    The files should be identical, apart possibly from a trailing blank line.
  4. If it is the first time a certificate is being generated, or if the files differ, make a backup copy of /usr/local/ssl/ca/xxx.cs.ait.ac.th.ca:
    sudo cp /usr/local/ssl/ca/xxx.cs.ait.ac.th.ca /usr/local/ssl/ca/xxx.cs.ait.ac.th.ca.old
    
    and copy the new file ca.cer in place:
    sudo cp ca.cer /usr/local/ssl/ca/xxx.cs.ait.ac.th.ca
    
    Note that we maintain one CA file per certificate, even if all the CA files should be the same.
  5. Change directory to /usr/local/ssl/crt
  6. Make a backup copy of xxx.cs.ait.ac.th.crt:
    sudo cp xxx.cs.ait.ac.th.crt xxx.cs.ait.ac.th.crt.old
    
    and install the new certificate:
    sudo cp ~/.acme.sh/xxx.cs.ait.ac.th/xxx.cs.ait.ac.th.cer xxx.cs.ait.ac.th.crt
    
  7. On the mail server, you also need to go to /usr/local/ssl/crt/combined, back up the existing mail.cs.ait.ac.th.ketcrt file and regenerate it from the new certificate.
  8. Restart the service xxx (or reboot the mail server).
  9. Take note of the expiry date of the certificate:
    openssl x509 -text -noout -in xxx.cs.ait.ac.th.crt
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                xxx:xxx:xxxx
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
            Validity
                Not Before: Sep 17 05:29:35 2019 GMT
                Not After : Dec 16 05:29:35 2019 GMT
    
    and record the Not After date so that the certificate is renewed before it expires (Let's Encrypt certificates are valid for 90 days).
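The checks and copies of steps 2 to 9 above, collected into shell functions as an added example (not part of the original post or of acme.sh). All file paths passed to the functions are hypothetical; on the real servers the key and crt directories are root-owned, so run it with sudo. It goes slightly beyond the steps: it also checks the submitted CSR against the issued certificate, compares moduli as strings rather than through md5 so it works unchanged on FreeBSD and Linux, and refuses to install a certificate that does not match the key.

```shell
#!/bin/sh
# Added example, not code from the original post or from acme.sh.
# Post-issue checks and install steps for a Let's Encrypt certificate.
# All paths are hypothetical; prefix the calls with sudo on the real servers.
set -eu

# Print the RSA modulus of a certificate, CSR or private key so the three can
# be compared (RSA only; for EC keys compare 'openssl pkey -pubout' output).
modulus_of() {  # modulus_of cert|csr|key FILE
  case "$1" in
    cert) openssl x509 -noout -modulus -in "$2" ;;
    csr)  openssl req  -noout -modulus -in "$2" ;;
    key)  openssl rsa  -noout -modulus -in "$2" ;;
    *)    echo "modulus_of: unknown type $1" >&2; return 2 ;;
  esac
}

# Succeed only when the private key and the certificate carry the same modulus.
# Comparing the hex strings directly avoids the md5 / md5sum naming difference.
key_matches_cert() {  # key_matches_cert KEYFILE CERTFILE
  [ "$(modulus_of key "$1")" = "$(modulus_of cert "$2")" ]
}

# Same check between the CSR that was submitted and the issued certificate.
csr_matches_cert() {  # csr_matches_cert CSRFILE CERTFILE
  [ "$(modulus_of csr "$1")" = "$(modulus_of cert "$2")" ]
}

# Compare two CA chain files ignoring blank lines (acme.sh's ca.cer may differ
# from the installed copy only by a trailing newline).
ca_files_equal() {  # ca_files_equal FILE1 FILE2
  [ "$(grep -v '^[[:space:]]*$' "$1")" = "$(grep -v '^[[:space:]]*$' "$2")" ]
}

# Not After date of a certificate, e.g. "Dec 16 05:29:35 2019 GMT".
cert_not_after() {  # cert_not_after CERTFILE
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Succeed when the certificate will still be valid DAYS days from now
# (openssl -checkend exits 0 when the certificate does not expire within the window).
cert_valid_for_days() {  # cert_valid_for_days CERTFILE DAYS
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Keep a .old copy of the installed file and put the new certificate in place.
# Refuses to proceed when the new certificate does not match the private key.
install_cert() {  # install_cert NEW_CER KEYFILE DEST_CRT
  new=$1; key=$2; dest=$3
  if ! key_matches_cert "$key" "$new"; then
    echo "ABORT: $new does not match $key" >&2
    return 1
  fi
  if [ -f "$dest" ]; then
    cp "$dest" "$dest.old"
  fi
  cp "$new" "$dest"
  echo "installed $dest, expires $(cert_not_after "$dest")"
}
```

Usage on a server, after acme.sh has produced the new files: `sudo sh -c '. ./certcheck.sh; install_cert ~/.acme.sh/xxx.cs.ait.ac.th/xxx.cs.ait.ac.th.cer /usr/local/ssl/key/xxx.cs.ait.ac.th.key /usr/local/ssl/crt/xxx.cs.ait.ac.th.crt'`, then `ca_files_equal` on the two CA files before copying ca.cer, and `cert_valid_for_days FILE 30` from a cron job as a reminder that renewal is due.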

Posted by Olivier | Filed under: administration