
Generating TLS Certificates Using Certbot Manual Mode and the DNS Challenge, and Setup with All-Inkl

As the main developer of IT Hub Brunswick, I created a TLS certificate for the domains www.ithubbs.de and ithubbs.de. In this article, I want to describe this process, mainly so that future-me can repeat it. This is not an article about understanding the concepts in detail; it’s just an overview.

The Players and Concepts involved

Until a couple of years ago, creating a TLS certificate was complicated and cost money. Let’s Encrypt is the initiative that makes generating such certificates easier and free, so that websites can enable TLS.

Certificates can be generated in many ways. I use the manual mode, which creates a certificate without the possibility of renewing it automatically. Because a certificate is valid for three months and I did not research how to renew it automatically with my provider All-Inkl, this way works fine for my use case. If possible and reasonable, renewing your certificates automatically is the better way.

Generally, a certificate for a domain can only be issued if the requester has proven to be the owner of that domain. There are several ways to prove this, called challenges. I use the DNS challenge, which involves creating a DNS TXT record with a value chosen by the certificate authority.

Certbot is the tool for creating certificates automatically; the user guide can be found here.

Creating Certificates

After installing Certbot (see here), this is how I created my certificates:

user@userlaptop:/blubber# certbot certonly --manual --preferred-challenges dns-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): ithubbs.de,www.ithubbs.de
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ithubbs.de
dns-01 challenge for www.ithubbs.de
 
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
 
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y
 
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.ithubbs.de with the following value:
 
2DYIfZh7Q38VnQuUvsIWJt0QffSJvCnHNOnlEuRimcc
 
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
 
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.www.ithubbs.de with the following value:
 
XZ4EpfkMmkmYMf3SEpiomDASy0ZvvsW8rX7s2YPS4Cc
 
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
 
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ithubbs.de/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ithubbs.de/privkey.pem
   Your cert will expire on 2020-01-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

As you can see above, I created the DNS entries so the certificate could be generated. After logging in to the KAS (the technical administration panel) of my provider All-Inkl, I navigated to Tools -> DNS Settings -> edit your domain and added new entries of type “TXT” for the names _acme-challenge and _acme-challenge.www with the values certbot printed above.
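Certbot asks you to verify that the record is deployed before you press Enter. The following script is an added example (it is not from the original post and not part of Certbot) that performs that check with dig against the zone's authoritative nameservers rather than a caching resolver, because a resolver that has already answered "no such record" for _acme-challenge.ithubbs.de may keep serving that negative answer for a while, and the CA will only be satisfied once every authoritative server returns the new TXT record. The function names and the authoritative-nameserver approach are my own choices; the record names and values are the ones certbot printed in the session above.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the TXT record certbot
# asked for is live on every authoritative nameserver of the zone before
# pressing Enter in certbot's manual mode. Assumes `dig` (dnsutils/bind-utils).

# txt_has_value EXPECTED: read `dig +short TXT` output on stdin and succeed if
# one of the TXT strings equals EXPECTED exactly. dig prints each TXT rdata
# quoted, e.g. "2DYIfZh7Q38VnQuUvsIWJt0QffSJvCnHNOnlEuRimcc"; long records are
# split into several quoted chunks on one line, which are joined first.
txt_has_value() {
  sed 's/" "//g; s/^"//; s/"$//' | grep -qxF -e "$1"
}

# authoritative_ns ZONE: print the authoritative nameservers of ZONE, one per
# line, without the trailing dot.
authoritative_ns() {
  dig +short NS "$1" | sed 's/\.$//'
}

# check_acme_txt NAME EXPECTED [ZONE]: succeed only if every authoritative
# nameserver of ZONE already serves EXPECTED as a TXT record for NAME.
# ZONE defaults to NAME without the leading "_acme-challenge." label; pass it
# explicitly for subdomains such as _acme-challenge.www.ithubbs.de, whose
# zone is ithubbs.de.
check_acme_txt() {
  name="$1"; expected="$2"
  zone="${3:-${name#_acme-challenge.}}"
  ok=0; total=0
  for ns in $(authoritative_ns "$zone"); do
    total=$((total + 1))
    if dig +short TXT "$name" "@$ns" | txt_has_value "$expected"; then
      echo "OK      $ns serves the expected value for $name"
      ok=$((ok + 1))
    else
      echo "MISSING $ns does not (yet) serve the expected value for $name"
    fi
  done
  [ "$total" -gt 0 ] && [ "$ok" -eq "$total" ]
}

# Usage, with the names and values from the certbot session above:
#   sh check_acme_txt.sh _acme-challenge.ithubbs.de 2DYIfZh7Q38VnQuUvsIWJt0QffSJvCnHNOnlEuRimcc ithubbs.de
#   sh check_acme_txt.sh _acme-challenge.www.ithubbs.de XZ4EpfkMmkmYMf3SEpiomDASy0ZvvsW8rX7s2YPS4Cc ithubbs.de
if [ $# -ge 2 ]; then
  check_acme_txt "$@"
fi
```

Run it once per record and only press Enter in certbot when it reports OK for all nameservers; when a server still reports MISSING, wait and rerun rather than letting the challenge fail, since each failed attempt counts against Let's Encrypt's rate limits.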

After my certificate was created in /etc/letsencrypt/live/ithubbs.de, I uploaded it to the Pivotal SSL Service (the IT Hub runs on Pivotal Cloud Foundry). It’s important to use fullchain.pem and privkey.pem: fullchain.pem contains the certificate together with the intermediate chain, whereas cert.pem contains only the certificate itself.
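Because the upload is done by hand every three months, it is easy to pair privkey.pem with a fullchain.pem from an earlier run or to pick cert.pem by mistake. The following script is an added example using openssl (not from the original post and not part of Certbot) that checks, before uploading, that the private key matches the first certificate in fullchain.pem, that the file really contains a chain, and how close the certificate is to expiry. The function names and the 30-day warning threshold are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the files in
# /etc/letsencrypt/live/<domain>/ before uploading them to the SSL service.
# Assumes `openssl` is installed.

# cert_key_match CERT KEY: succeed if the public key embedded in the first
# certificate of CERT equals the public key derived from KEY. Both commands
# emit the SubjectPublicKeyInfo as PEM, so the outputs can be compared as text.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# chain_count FILE: number of PEM certificates in FILE. fullchain.pem holds the
# leaf plus the intermediate(s); cert.pem holds only the leaf.
chain_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# cert_expires_within CERT DAYS: succeed if the leaf certificate in CERT
# expires within DAYS days. `openssl x509 -checkend` exits 0 only while the
# certificate is still valid beyond the given number of seconds.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage before uploading:
#   sh check_live_certs.sh /etc/letsencrypt/live/ithubbs.de
if [ $# -eq 1 ]; then
  dir="$1"
  if cert_key_match "$dir/fullchain.pem" "$dir/privkey.pem"; then
    echo "OK: fullchain.pem matches privkey.pem"
  else
    echo "ERROR: fullchain.pem and privkey.pem do not belong together"
    exit 1
  fi
  echo "certificates in fullchain.pem: $(chain_count "$dir/fullchain.pem")"
  openssl x509 -in "$dir/fullchain.pem" -noout -enddate
  if cert_expires_within "$dir/fullchain.pem" 30; then
    echo "WARNING: certificate expires within 30 days, rerun certbot"
  fi
fi
```

The expiry check is also useful on its own: running it from a monthly cron job (or simply before each deployment) gives a reminder to repeat the certbot procedure in time, which is the one thing the manual mode does not do for you.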

That’s it! :)

Other Stuff I found

https://github.com/fetzerch/kasserver: The process above could be automated with this tool. I did not look into this because it’s OK for me to create a cert by hand every 3 months.

https://github.com/Neilpang/acme.sh: A shell script for easily creating free certificates from Let’s Encrypt, an alternative to the way described in this article. Usage for IT Hub: first read this, then run:

acme.sh --issue --dns -d ithubbs.de -d www.ithubbs.de --yes-I-know-dns-manual-mode-enough-go-ahead-please
acme.sh --renew -d ithubbs.de -d www.ithubbs.de --yes-I-know-dns-manual-mode-enough-go-ahead-please