Generating TLS certificates using Certbot manual mode and DNS challenge and setup with All-Inkl


Posted by Steven

As the main developer of IT Hub Brunswick, I created a TLS certificate for the domains www.ithubbs.de and ithubbs.de. In this article I describe the process, mainly so that future-me can repeat it. This is not an article about understanding the concepts in detail; it's just an overview.

The players and concepts involved

Until a couple of years ago, creating a TLS certificate was complicated and cost money. Let's Encrypt is the initiative that makes generating such certificates easier and free, so that websites can use TLS.

Certificates can be generated in many ways. I use manual mode, which creates a certificate without the possibility to renew it automatically. A certificate is valid for three months, and since I did not research how to renew it automatically with my provider All-Inkl, this way works fine for my use-case. If possible and reasonable, renewing your certificates automatically is the better way.

Generally, a certificate for a domain is only issued if the requester has proved to be in control of that domain. There are several ways to prove this, called challenges. I use the DNS challenge, which requires creating a DNS record with a given value.

Certbot is the tool for creating certificates automatically; the user guide can be found here.

Creating certificates

After installing Certbot (see here), this is how I created my certificates:

  user@userlaptop:/blubber# certbot certonly --manual --preferred-challenges dns-01
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Plugins selected: Authenticator manual, Installer None
  Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
  Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
  to cancel): ithubbs.de,www.ithubbs.de
  Obtaining a new certificate
  Performing the following challenges:
  dns-01 challenge for ithubbs.de
  dns-01 challenge for www.ithubbs.de

  -------------------------------------------------------------------------------
  NOTE: The IP of this machine will be publicly logged as having requested this
  certificate. If you're running certbot in manual mode on a machine that is not
  your server, please ensure you're okay with that.

  Are you OK with your IP being logged?
  -------------------------------------------------------------------------------
  (Y)es/(N)o: y

  -------------------------------------------------------------------------------
  Please deploy a DNS TXT record under the name
  _acme-challenge.ithubbs.de with the following value:

  2DYIfZh7Q38VnQuUvsIWJt0QffSJvCnHNOnlEuRimcc

  Before continuing, verify the record is deployed.
  -------------------------------------------------------------------------------
  Press Enter to Continue

  -------------------------------------------------------------------------------
  Please deploy a DNS TXT record under the name
  _acme-challenge.www.ithubbs.de with the following value:

  XZ4EpfkMmkmYMf3SEpiomDASy0ZvvsW8rX7s2YPS4Cc

  Before continuing, verify the record is deployed.
  -------------------------------------------------------------------------------
  Press Enter to Continue
  Waiting for verification...
  Cleaning up challenges

  IMPORTANT NOTES:
  - Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/ithubbs.de/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/ithubbs.de/privkey.pem
  Your cert will expire on 2020-01-04. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew *all* of your certificates, run
  "certbot renew"
  - If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le

As you can see above, I created the DNS entries so the certificates could be generated. After logging in to the KAS (technical administration) of my provider All-Inkl, I navigated to Tools -> DNS Settings -> edit your domain, and added new entries of type "TXT" with the names _acme-challenge and _acme-challenge.www and the values shown above.
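Certbot asks you to "verify the record is deployed" before pressing Enter. The script below is an added example (not from the post, Certbot or All-Inkl) that does this check from the shell: it queries DNS for the _acme-challenge TXT record and polls until the token Certbot printed shows up. It assumes dig is installed; the default resolver 1.1.1.1 and the retry settings are arbitrary choices.

```shell
#!/bin/sh
# Added example: check that the _acme-challenge TXT record Certbot asked for
# is visible in DNS before pressing Enter in the manual dns-01 dialogue.
# Assumes `dig` is installed. The resolver defaults to 1.1.1.1 (an arbitrary
# public resolver); pass the domain's authoritative nameserver instead to
# avoid waiting out a negatively cached answer.

# Print every TXT value for a name, one per line, without surrounding quotes.
lookup_txt() {
  name=$1
  resolver=${2:-1.1.1.1}
  dig +short TXT "$name" "@$resolver" | sed 's/^"//; s/"$//'
}

# Exit 0 when the expected token is among the TXT values of
# _acme-challenge.<domain>, 1 otherwise (other TXT records are ignored).
acme_txt_deployed() {
  domain=$1
  expected=$2
  resolver=$3
  lookup_txt "_acme-challenge.$domain" "$resolver" | grep -Fxq -- "$expected"
}

# Poll until the record is visible or the attempts run out; provider DNS
# changes often take a few minutes to show up.
wait_for_acme_txt() {
  domain=$1
  expected=$2
  attempts=${3:-20}
  delay=${4:-15}
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if acme_txt_deployed "$domain" "$expected"; then
      echo "_acme-challenge.$domain carries the expected value"
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  echo "_acme-challenge.$domain not visible after $attempts attempts" >&2
  return 1
}

# Usage: sh check_txt.sh ithubbs.de <token printed by certbot>
if [ "$#" -ge 2 ]; then
  wait_for_acme_txt "$1" "$2"
fi
```

Let's Encrypt resolves the record through the domain's authoritative nameservers, so checking against those (rather than a caching resolver) gives the most faithful answer.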

After my certificates were created in /etc/letsencrypt/live/ithubbs.de, I uploaded them to the Pivotal SSL Service (the IT hub runs on Pivotal Cloud Foundry). It's important to use fullchain.pem (the certificate together with the intermediate chain) and privkey.pem.
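Before uploading the files, it is worth checking that the two files actually belong together and that the bundle is the full chain. The script below is an added example (not from the post or from Certbot) that does this with the openssl CLI; LIVE defaults to the directory Certbot printed above, and the 30-day threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example: sanity checks on Certbot's output before uploading it to a
# hosting service. Verifies that privkey.pem belongs to the leaf certificate
# in fullchain.pem, counts the certificates in the bundle (fullchain.pem
# should contain the intermediate as well), and warns when expiry is near.
# Assumes the openssl CLI is installed; LIVE defaults to the directory
# Certbot printed above.

LIVE=${LIVE:-/etc/letsencrypt/live/ithubbs.de}

# SHA-256 fingerprint of the DER-encoded public key found in the first
# certificate of a PEM file.
pubkey_of_cert() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Same fingerprint, derived from the private key.
pubkey_of_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when certificate ($1) and private key ($2) belong together.
cert_key_match() {
  c=$(pubkey_of_cert "$1")
  k=$(pubkey_of_key "$2")
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Number of certificates in a PEM bundle; fullchain.pem holds more than one.
chain_length() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Exit 0 when the certificate stays valid for at least $2 days (default 30).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

if [ -r "$LIVE/fullchain.pem" ] && [ -r "$LIVE/privkey.pem" ]; then
  cert_key_match "$LIVE/fullchain.pem" "$LIVE/privkey.pem" && echo "privkey.pem matches the certificate"
  echo "certificates in fullchain.pem: $(chain_length "$LIVE/fullchain.pem")"
  cert_valid_for_days "$LIVE/fullchain.pem" 30 || echo "certificate expires within 30 days, renew it" >&2
fi
```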

That's it! :)

Other stuff I found

https://github.com/fetzerch/kasserver: The process above could be automated with this tool. I did not look into it because creating a cert by hand every 3 months is OK for me.

https://github.com/Neilpang/acme.sh: A shell script for easy creation of free certificates from Let's Encrypt, an alternative to the way described in this article. Usage for IT Hub: first read this, then run:

acme.sh --issue --dns -d ithubbs.de -d www.ithubbs.de --yes-I-know-dns-manual-mode-enough-go-ahead-please

acme.sh --renew -d ithubbs.de -d www.ithubbs.de --yes-I-know-dns-manual-mode-enough-go-ahead-please
