Thursday, November 24, 2016

Let's Encrypt on RHEL 6.8

It's been almost 3 years since I last posted on this blog. 2016 is almost over. I think I should make it a point to post regularly.

Anyway, I'd like to share something interesting. There's a certificate authority called Let's Encrypt that gives free certificates through an automated process. According to their website, they have a Python script called Certbot that fetches the certificates and updates your web server's configuration for you.

Usually, I just use StartSSL for project prototypes or paid certificates on production websites, so I'm pretty late on discovering this.

I'm currently tasked with setting up a server here at work. The goal is to let others send information to this server and automate the setup of PowerMTA configuration based on that information. The most straightforward and relatively secure way to do this is over HTTPS.

Problem: The particular server that I'm working on runs Red Hat Enterprise Linux 6.8, and Certbot needs updated Python packages to run. After a couple of attempts to solve this, I realized that it was a lost cause, so I abandoned it and looked for a more lightweight solution with few dependencies. The best client that I've found so far is GetSSL. It's a straightforward bash script, and I like it!

The server that I'm working on runs on Apache, but I can't find any step-by-step documentation on how to use GetSSL with Apache. Thus, I decided to make one.

First, download GetSSL to your box:

# curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl

# chmod 700 getssl

Then, generate the default config files:

# ./getssl -c example.org

Making domain directory - /root/.getssl/example.org
creating domain config file in /root/.getssl/example.org/getssl.cfg

Edit the global config at: ~/.getssl/getssl.cfg. Pay particular attention to the following line:

RELOAD_CMD="service httpd reload"

Depending on your system, it can be service apache2 reload or something similar. Update as necessary.

Then, edit the domain config at: ~/.getssl/example.org/getssl.cfg and insert the following lines:

SANS=www.example.org
DOMAIN_CERT_LOCATION="/etc/httpd/getssl/example.org.crt"
DOMAIN_KEY_LOCATION="/etc/httpd/getssl/example.org.key"
DOMAIN_CHAIN_LOCATION="/etc/httpd/getssl/example.org-chain.crt"
CA_CERT_LOCATION="/etc/httpd/getssl/le.crt"
SERVER_TYPE="https"
CHECK_REMOTE="true"
ACL=('/var/www/.well-known/acme-challenge'
     '/var/www/.well-known/acme-challenge')

Adjust the paths as necessary.

The ACL variable above holds the path for the Automatic Certificate Management Environment (ACME) challenge: one entry per name on the certificate (the main domain first, then each SAN, in the same order as SANS), which is why the same path appears twice above. Each entry should point to a folder inside your web server's document root that is reachable by the public over plain HTTP, because the ACME challenge is how Let's Encrypt verifies that you control the web server for that name.

Finally, edit the Apache config and insert this in your SSL section:

SSLCertificateFile /etc/httpd/getssl/example.org-chain.crt
SSLCertificateKeyFile /etc/httpd/getssl/example.org.key
SSLCACertificateFile /etc/httpd/getssl/le.crt

Let's Encrypt certificates expire after 90 days, so add a crontab entry to renew your certificate automatically:

# crontab -e

Insert the following line in the crontab:

0 0 * * * /path/to/getssl -u -a -q

Save your changes and apply them:

service httpd reload

If everything is OK, go back to your global config at ~/.getssl/getssl.cfg and uncomment the following line to use the non-staging server:

CA="https://acme-v01.api.letsencrypt.org"

Then, reload Apache again:

service httpd reload
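Before leaving renewal to the cron job, it is worth checking that the files Apache was pointed at actually belong together and that the challenge directory is really reachable. The checks below are an added example, not part of getssl or this post; the paths are the ones from the domain config above and are assumptions, and they need openssl, curl and GNU date (all shipped with RHEL 6).

```bash
#!/bin/bash
# Post-setup checks for a getssl + Apache deployment (added example; not part
# of getssl). Paths in the usage comments are assumptions taken from the
# domain config above. Requires openssl, curl and GNU date.

# Does the certificate's public key match the private key? Returns 0 on
# match, 1 otherwise (a mismatch makes Apache refuse to start the SSL vhost).
cert_matches_key() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Days left before the certificate's notAfter; the cron job above should
# have renewed it long before this approaches 0 (LE certs last 90 days).
cert_days_left() {
    local not_after end now
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end=$(date -d "$not_after" +%s)
    now=$(date +%s)
    echo $(( (end - now) / 86400 ))
}

# Is the issuer of the leaf (first cert in the chain file) the subject of the
# CA file given to SSLCACertificateFile? Catches a stale or wrong le.crt.
chain_consistent() {
    local issuer subject
    issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^[a-z]*= *//')
    subject=$(openssl x509 -in "$2" -noout -subject 2>/dev/null | sed 's/^[a-z]*= *//')
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# Is the ACL directory really served at /.well-known/acme-challenge over plain
# HTTP? Writes a throwaway token there and fetches it back through Apache.
challenge_reachable() {
    local domain="$1" acl_dir="$2" token="getssl-check-$$" got
    echo "$token" > "$acl_dir/$token" || return 1
    got=$(curl --silent --max-time 10 "http://$domain/.well-known/acme-challenge/$token")
    rm -f "$acl_dir/$token"
    [ "$got" = "$token" ]
}

# Usage with the paths from the domain config (assumed):
#   cert_matches_key /etc/httpd/getssl/example.org.crt /etc/httpd/getssl/example.org.key
#   cert_days_left   /etc/httpd/getssl/example.org.crt
#   chain_consistent /etc/httpd/getssl/example.org-chain.crt /etc/httpd/getssl/le.crt
#   challenge_reachable example.org /var/www/.well-known/acme-challenge
```

Run challenge_reachable from outside the box as well if you can, since a firewall that blocks port 80 to the world fails the ACME challenge even when the local fetch succeeds.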

That's it! Your web server is now running HTTPS. This won't really protect you from being specifically targeted by the NSA (there were a couple of state-sponsored attacks on certificate authorities), but the goal is to make broad mass surveillance uneconomical. Just leave a comment if I missed some steps. Enjoy, and encrypt all the things!
