Skip navigation

Harald Markus Wirth


Page Content:

How I got a free SSL certificate from Let's Encrypt

I opted not to install the certbot, but downloaded the shell script getssl from Github instead. This script lets you create and update your certificates manually and it can even upload it to the server for you. One can also put this script on the server and set up a cron job to keep their certificates up-to-date.

Following the somewhat sparse instructions on getssl's wiki page, I managed to get the script set up and created a brand new certificate within two hours, including a fight against a silly server management system (which is not scope of this tutorial).

How to set up getssl and create a free ssl certificate

In order for getssl to access your server, you need to have gerated an ssh-key and uploaded it to your server with ssh-copy-id:

$ ssh-keygen
$ ssh-copy-id user@domain.com

I have not yet tried it with a key for the root user, but it would be pretty much the same. Root access is probably needed for automatically restarting the http-daemon.

The next step is to download and run getssl a first time. This will generate some files in ~/.getssl. Then you need to adjust two configuration files. I set the following:

~/.getssl/getssl.conf

# Staging server for testing:
CA="https://acme-staging.api.letsencrypt.org"
# Once you have set up everything, create the real certificate with this URI:
#CA="https://acme-v01.api.letsencrypt.org"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/home/user/.getssl/account.key"
PRIVATE_KEY_ALG="rsa"
REUSE_PRIVATE_KEY="true"
RENEW_ALLOW="30"
SERVER_TYPE="https"
CHECK_REMOTE="true"
PUBLIC_DNS_SERVER="8.8.8.8"

~/.getssl/www.domain.com/getssl.conf

# The staging server is best for testing
CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
# CA="https://acme-v01.api.letsencrypt.org"
PRIVATE_KEY_ALG="rsa"
#SANS="static.domain.com"
ACL=('ssh:user@domain.com:/var/www/domain.com/ssl')
USE_SINGLE_ACL="true"

DOMAIN_CERT_LOCATION="user@domain.com:/var/www/domain.com/ssl/www.domain.com.crt"
DOMAIN_KEY_LOCATION="user@domain.com:/var/www/domain.com/ssl/www.domain.com.key"
CA_CERT_LOCATION="user@domain.com:/var/www/domain.com/ssl/chain.crt"
DOMAIN_CHAIN_LOCATION="user@domain.com:/var/www/domain.com/ssl/www.domain.com.chain.crt"
DOMAIN_PEM_LOCAION="user@domain.com:/var/www/domain.com/ssl/www.domain.com.pem.key"

RELOAD_CMD="ssh:root@domain.com:systemctl reload apache2"
SERVER_TYPE="https"
CHECK_REMOTE="true"

As a last step, you call getssl a second time. As long as you have selected the staging server, you can try as often as you like. When you're satisfied with your set-up, change the enrtry in getssl.conf to the real server and issue:

user@home:~/.getssl/ $ ./getssl www.domain.com
www.domain.com: no certificate obtained from host
Registering account
Registered
Verify each domain
Verifying www.domain.com
copying challenge token to ssh:user@www.domain.com:/srv/www/domain.com/ssl/UHiO79uDAsN-fJjsndOVEXjmMQ1mAqLJOsasOqwpSIY
Pending
Verified www.domain.com
Verification completed, obtaining certificate.
Certificate saved in /home/user/.getssl/www.domain.com/www.domain.com.crt
The intermediate CA cert is in /home/user/.getssl/www.domain.com/chain.crt
copying domain certificate to ssh:user@www.domain.com:/srv/www/domain.com/ssl/harald.ist.org.crt
copying private key to ssh:hmw@central-dogma.at:/srv/www/domain.com/ssl/harald.ist.org.key
copying CA certificate to ssh:hmw@central-dogma.at:/srv/www/domain.com/ssl/chain.crt
copying full chain to hmw@central-dogma.at:/srv/www/domain.com/ssl/www.domain.com.chain.crt
reloading SSL services
getssl.sh: www.domain.com - certificate obtained
user@home:~/.getssl/ $

Alternate port number with getssl

getssl did not provide an option to set a custom port for ssh, so I had to patch the script. I searched it for calls to scp and ssh and added the according command line switches:

ssh_port=12345   # Hard coded port number at the top of the script
if ! scp -P $ssh_port -q "$from" "${to:4}" >/dev/null 2>&1 ; then
	error_exit "problem copying file to the server using scp.
	scp -P $ssh_port $from ${to:4}"
ssh -p $ssh_port "$sshhost" "${command}" 1>/dev/null 2>&1

On a server, that has ISPConfig installed, I had to comment out "Alias /.well-known/acme-challenge/ /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/" in /etc/apache2/sites-enabled/000-ispconfig.conf in order to get past ISPConfig's stubborness and let everyone access this folder in MY document_root. Users have no access to ISPCongigs' folder!?



Content Management:

μCMS α1.6