Generating TLS certificates using Certbot manual mode and DNS challenge and setup with All-Inkl
As the main developer of IT Hub Brunswick, I created a TLS certificate for the domains www.ithubbs.de and ithubbs.de. In this article I want to describe the process, mainly so that future me can repeat it. This is not an article about understanding the concepts in detail; it is just an overview.
The players and concepts involved
Until a couple of years ago, creating a TLS certificate was complicated and cost money. Let's Encrypt is the initiative that makes generating such certificates easier and free, so that websites can enable TLS.
Certificates can be generated in many ways. I use the manual mode, which is intended for creating a certificate without the ability to renew it automatically. Because a certificate is valid for three months and I did not research how to renew it automatically with my provider All-Inkl, this way works fine for my use case. If possible and reasonable, renewing your certificates automatically is the better way.
Generally, a certificate for a domain can only be issued if the requester has proved that they control that domain. There are several ways to prove this, called challenges. I use the DNS challenge, which involves creating a DNS TXT record with a specific value.
Certbot is the tool for creating certificates automatically; the user guide can be found here.
Creating certificates
After installing Certbot (see here), this is how I created my certificates:
user@userlaptop:/blubber# certbot certonly --manual --preferred-challenges dns-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): ithubbs.de,www.ithubbs.de
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ithubbs.de
dns-01 challenge for www.ithubbs.de

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.ithubbs.de with the following value:

2DYIfZh7Q38VnQuUvsIWJt0QffSJvCnHNOnlEuRimcc

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.www.ithubbs.de with the following value:

XZ4EpfkMmkmYMf3SEpiomDASy0ZvvsW8rX7s2YPS4Cc

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ithubbs.de/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ithubbs.de/privkey.pem
   Your cert will expire on 2020-01-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
As you can see above, I created the DNS entries so the certificates could be generated. After logging in to the KAS (technical administration) of my provider All-Inkl, I navigated to Tools -> DNS Settings -> edit your domain and added new entries of type "TXT" with the names _acme-challenge and _acme-challenge.www and the data specified above.
After my certificates were created in /etc/letsencrypt/live/ithubbs.de, I uploaded them to the Pivotal SSL Service (the IT hub runs on Pivotal Cloud Foundry). It's important to use fullchain.pem and privkey.pem.
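Before pressing Enter at each "verify the record is deployed" prompt it is worth checking that the TXT record is actually visible in public DNS, because validation fails if the record has not propagated yet. The following is an added example of such a check; it is not part of the original post or of Certbot. It assumes dig is installed, uses the record name and value from the session above as sample input, and the public resolver address 1.1.1.1 is an assumption.

```shell
#!/bin/sh
# Added example: poll public DNS for the _acme-challenge TXT record that
# certbot asked for, so that Enter is only pressed once the record is live.
# Assumes `dig` (dnsutils / bind-utils) is installed.

# dig +short prints TXT answers as quoted strings, one per line.
# Strip the surrounding quotes and drop empty lines. ACME dns-01 values are
# single short strings, so multi-string TXT records are not handled here.
normalize_txt() {
    sed 's/^"//; s/"$//' | sed '/^$/d'
}

# Read TXT answers from stdin; return 0 if one of them equals $1 exactly.
txt_contains() {
    expected="$1"
    normalize_txt | grep -qxF -- "$expected"
}

# Ask a public resolver (assumed: 1.1.1.1) rather than the local cache, which
# may still hold a negative answer from before the record was created.
check_record() {
    name="$1"; expected="$2"; resolver="${3:-1.1.1.1}"
    dig +short TXT "$name" "@$resolver" | txt_contains "$expected"
}

# Retry until the record is visible or the attempts are used up.
wait_for_record() {
    name="$1"; expected="$2"; tries="${3:-20}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if check_record "$name" "$expected"; then
            echo "record $name is live, press Enter in certbot"
            return 0
        fi
        i=$((i + 1))
        sleep 15
    done
    echo "record $name not visible after $tries attempts" >&2
    return 1
}

# Usage with the first record from the certbot session above:
# wait_for_record _acme-challenge.ithubbs.de 2DYIfZh7Q38VnQuUvsIWJt0QffSJvCnHNOnlEuRimcc
```

Run the same check with _acme-challenge.www.ithubbs.de and its value before the second prompt.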
That's it! :)
Other stuff I found
https://github.com/fetzerch/kasserver: The process above could be automated with this tool. I did not look into it because creating a cert by hand every 3 months is OK for me.
https://github.com/Neilpang/acme.sh: A shell script for easy creation of free certificates from Let's Encrypt, an alternative to the way described in this article. Usage for IT Hub: first read this, then run:
acme.sh --issue --dns -d ithubbs.de -d www.ithubbs.de --yes-I-know-dns-manual-mode-enough-go-ahead-please
acme.sh --renew -d ithubbs.de -d www.ithubbs.de --yes-I-know-dns-manual-mode-enough-go-ahead-please