Mostly Harmless

Mostly about my amusement

Menu Close

Tag: TLS

Wildcard certs via Let’s Encrypt

I just reduced 14 Let's Encrypt certificates down to 2. This is possible because the free service went live for wildcard certs. This has great implications for people who use the WordPress Multisite feature or routinely light up new virtual hosts in the same domain.

You can read Let's Encrypt's understated announcement here.

On my VPS I run Ubuntu 17.10 and it has a version of certbot that you can get from the official repo. Sadly, it's the 0.21 release and wildcard certs need ACME v2 support and that's only in release 0.22 and greater.

Here's what I did

On the command line I cloned cerbot from Github.

git clone https://github.com/certbot/certbot.git
cd certbot
sudo ./certbot-auto

You'll see something like so. On my main box it asked if I'm OK with installing more Python packages. A quick installation of those dependencies and I was ready to go.

Press c to cancel. You want wildcard not single hostname certs. Now type this as one line.

sudo ./certbot-auto certonly --manual --server https://acme-v02.api.letsencrypt.org/directory

The server argument is the important one and points to the new V2 API. I could modify the configuration but I'd have to remember what/where I did that. This is easier for me. Certs generated using the V1 API will work and renew with the new one so there's no worries there. The manual argument prompts you through the steps and ask what domains to use.

Normally this is not a manual process. But for the ACME V2 API, an additional check is required and I don't have a certbot plugin to interface with my DNS provider.

When prompted for the domain name I used "*.dembowski.net dembowski.net" and was instructed to create a DNS TXT record for _acme-challenge.dembowski.net as well as a file in dembowski.net/.well-known/acme-challenge/ with a generated name and content.

If you can put that file on the right web server, if you can update your DNS, then you're considered legitimate. Just make sure you wait for DNS to propagate first before proceeding. You can check if it has (at least for Google) using this link.

I have Namecheap and after a quick visit to that dashboard, I waited for the new TXT record to populate, I created that special file and hit enter.

POOF! My server was validated and the certificates were placed in /etc/letsencrypt and a few minutes later my many hosts were updated to point to that new wildcard cert. I repeated this for my other domain and I'm good.

WordPress Multisite and wildcard certs

If you are running multisite then this simplifies your life tremendously. You can and should have one virtual host for your installation. In my case, they're underneath *.dembowski.net.

In my nginx configuration, I modified the server_name line to add *.dembowski.net and I removed the other vhosts files. They were pointing to the same directory for WordPress and they're not needed anymore.

Less is more. I've been waiting for this since they announced it and lighting up new web server instances while maintaining transport level encryption is such a good thing. Let's Encrypt continues to make the web a more secure place.

Let’s Encrypt is all kinds of awesome

I had some time and did a git pull on the Let’s Encrypt github page. This is a project that makes it easy to install and maintain free X.509 certificates for web servers. The certificates are in PEM format and can be easily used for any server app but usually it’s just for HTTPS on web servers.

Requesting your own certs

The first time I ran the ./letsencrypt-auto command it used apt-get to download its dependencies. The integration with Ubuntu is nice and works well. A few minutes later of some prodding and poking, meaning I read the Let’s Encrypt User Guide, I gave it a shot.

On my VPS I selected blog.epyon-1.com and ran the following command as root.

./letsencrypt-auto certonly --webroot -w /var/www/vhosts/dembowski.net/ -m not@my-email.btw -d blog.epyon-1.com

The site blog.epyon-1.com is on my WordPress network so the directory is the same. The end result of that was to politely create and place these symlinked files.

/etc/letsencrypt/live/blog.epyon-1.com/cert.pem
/etc/letsencrypt/live/blog.epyon-1.com/fullchain.pem
/etc/letsencrypt/live/blog.epyon-1.com/privkey.pem

A quick update to my nginx config for

ssl_certificate /etc/letsencrypt/live/blog.epyon-1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blog.epyon-1.com/privkey.pem;

I checked with “nginx -t” and “service nginx restart” and that was it.

Encryption has never been this easy

The certificate is valid for 90 days and is recognized by all browsers.

lets-encrypt-epyon-1.com

To renew it I’ve created a cron job for the first of every month to run this command.

./letsencrypt-auto certonly --webroot -w /var/www/vhosts/dembowski.net/ -m not@my-email.btw -d blog.epyon-1.com -d epyon-1.com --renew

Which is the same command with just --renew added to it. Easy. If you don’t renew the CA will send you a reminder at the email you specified via the “-m not@my-email.btw” command line argument.

I’m not directing the output to /dev/null because if that cronjob works or not I want to see that output. If the cronjob fails then I can always run the command by hand.

Will I switch all my domains to Let’s Encrypt?

Why not? The project is currently in a public beta and the Let’s Encrypt tools will change and continue to be developed. But for the next 90 days the certificate I obtained will work fine. Even better if they automatically renew.

What I am looking for is a reasonable expectation of privacy between my web server and my visitors. I do not use TLS for authentication and the Let’s Encrypt certificates work fine.

If I had an online store then I might consider getting an Extended Validation Certificate but that would be only to reassure visitors when they are making a purchase. EV certs are not cheap. Let’s Encrypt is free so it’s not a hard decision for me to make.

This helps protect the traffic from casual snoopers between my server and your browser. It’s not a magic bullet for security but the wide spread adoption of encryption will help promote privacy.