As the main developer of IT Hub Brunswick, I created a TLS certificate for the domains www.ithubbs.de and ithubbs.de. In this article, I want to describe this process - mainly for future-me to be able to repeat this in the future. This is not an article about understanding the concepts in detail, it's just an overview.

The players and concepts involved

Until a couple of years ago, creating a TLS certificate has been complicated and with costs. Let's Encrypt is the initiative for generating such certificates easier and for free to enable TLS for websites.

Certificates can be generated in many ways. I use the manual mode that is intended to create a certificate without the possibility to refresh it automatically. Because a certificate is valid for three months and I did not research how to refresh it automatically with my provider All-Inkl, this way works fine for my use-case. If possible and reasonable, automatically refreshing your certificates is the better way.

Generally, a certificate for a certain domain can only be issued if the user proved that he is the owner of this domain. To prove this, there are several ways called challenges. I use the DNS challenge which includes creating a DNS record with a certain value.

Certbot is the tool for creating certificates automatically, the user guide can be found here.

Creating certificates

After installing Certbot (see here), this is how I created my certificates:

user@userlaptop:/blubber# certbot certonly --manual --preferred-challenges dns-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): ithubbs.de,www.ithubbs.de
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ithubbs.de
dns-01 challenge for www.ithubbs.de
 
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
 
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y
 
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.ithubbs.de with the following value:
 
2DYIfZh7Q38VnQuUvsIWJt0QffSJvCnHNOnlEuRimcc
 
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
 
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.www.ithubbs.de with the following value:
 
XZ4EpfkMmkmYMf3SEpiomDASy0ZvvsW8rX7s2YPS4Cc
 
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
 
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ithubbs.de/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ithubbs.de/privkey.pem
   Your cert will expire on 2020-01-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

As you can see above, I created the DNS entries so the certificates could be generated. After login in the KAS (technical management) of my provider All-Inkl, I navigated to Tools -> DNS Settings -> edit your domain -> and added a new entry of type "TXT" for name _acme-challenge and _acme-challenge.www with the data specified above.

After my certificates are created in /etc/letsencrypt/live/ithubbs.de, I uploaded them to the Pivotal SSL Service (the IT hub runs on Pivotal Cloudfoundry). It's important to use the fullchain.pem and privkey.pem.

That's it! :)

Other stuff I found

https://github.com/fetzerch/kasserver: The process above could be automated with this tool. I did not look into this because it's OK for me to create a cert by hand every 3 months.

https://github.com/Neilpang/acme.sh: A shell script for easy creation of free certificates from Let's Encrypt = alternative to the way described in this article. Usage for IT Hub, first read this, then run:

acme.sh --issue --dns -d ithubbs.de -d www.ithubbs.de --yes-I-know-dns-manual-mode-enough-go-ahead-please

acme.sh --renew -d ithubbs.de -d www.ithubbs.de --yes-I-know-dns-manual-mode-enough-go-ahead-please