As the main developer of IT Hub Brunswick, I created a TLS certificate for the domains www.ithubbs.de and ithubbs.de. In this article, I want to describe this process - mainly for future me, so that I can repeat it later. This is not an article about understanding the concepts in detail; it's just an overview.
The Players and Concepts involved
Until a couple of years ago, creating a TLS certificate was complicated and cost money. Let's Encrypt is the initiative that makes generating such certificates easier and free, so that TLS can be enabled for any website.
Certificates can be generated in many ways. I use the manual mode, which is intended for creating a certificate without the possibility of renewing it automatically. A certificate is valid for three months, and I have not researched how to renew it automatically with my provider All-Inkl, so this approach works fine for my use case. If possible and reasonable, renewing your certificates automatically is the better way.
Generally, a certificate for a certain domain can only be issued if the requester has proved control of that domain. There are several ways to prove this, called challenges. I use the DNS challenge, which involves creating a DNS record with a specific value.
Certbot is the tool for creating certificates automatically; the user guide can be found here.
After installing Certbot (see here), this is how I created my certificates:
As shown above, Certbot asked me to create DNS entries before it would generate the certificates. After logging in to the KAS (technical management) of my provider All-Inkl, I navigated to Tools -> DNS Settings -> edit your domain, and added a new entry of type "TXT" for the names _acme-challenge and _acme-challenge.www with the values specified above.
Once my certificates had been created in /etc/letsencrypt/live/ithubbs.de, I uploaded them to the Pivotal SSL Service (the IT hub runs on Pivotal Cloud Foundry). It's important to use fullchain.pem (the certificate together with its intermediate chain) and privkey.pem.
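The steps above (run Certbot in manual mode, publish the TXT records it asks for, then upload fullchain.pem and privkey.pem) as one added shell helper. This is an example I wrote for this article, not the author's original command. The domain names and the /etc/letsencrypt/live path come from the text; the function names, the public resolver used for checking, and the retry parameters are my own assumptions.

```shell
#!/bin/sh
# Added example: wrapper around certbot's manual DNS-01 flow as described above.
# Not the author's command; the domain names come from the article, the helper
# function names, resolver and retry counts are assumptions made for this example.

PRIMARY_DOMAIN="ithubbs.de"

# Start certbot in manual mode with the DNS challenge. For each domain certbot
# prints the TXT record name (_acme-challenge.<domain>) and the value to publish,
# then waits for Enter. Create the records in the provider's DNS panel and confirm
# with "check" (below) before pressing Enter.
issue_certificate() {
  certbot certonly --manual --preferred-challenges dns \
    -d "$PRIMARY_DOMAIN" -d "www.$PRIMARY_DOMAIN"
}

# Read TXT values on stdin (one per line, quoted, as `dig +short TXT` prints them)
# and succeed only if one of them equals the expected ACME token.
txt_has_token() {
  expected="$1"
  found=1
  while IFS= read -r line; do
    # strip the double quotes dig prints around a TXT value
    value=${line#\"}
    value=${value%\"}
    if [ "$value" = "$expected" ]; then found=0; fi
  done
  return "$found"
}

# Poll public DNS until the challenge record NAME carries TOKEN, so you do not
# confirm in certbot before the record is actually visible (the usual cause of a
# failed DNS challenge). A public resolver is queried, not the provider's own
# name server, because that is closer to what the CA's validation will see.
wait_for_txt() {
  name="$1"; token="$2"; tries="${3:-20}"
  i=0
  while [ "$i" -lt "$tries" ]; do
    if dig +short TXT "$name" @1.1.1.1 | txt_has_token "$token"; then
      echo "TXT record $name is visible"
      return 0
    fi
    i=$((i + 1))
    sleep 15
  done
  echo "TXT record $name still not visible after $tries tries" >&2
  return 1
}

# Confirm privkey.pem belongs to the leaf certificate in fullchain.pem before
# uploading both files; a mismatched pair is only noticed once TLS handshakes fail.
key_matches_cert() {
  dir="${1:-/etc/letsencrypt/live/$PRIMARY_DOMAIN}"
  cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Usage:
#   ./le-manual.sh issue                      # run certbot interactively
#   ./le-manual.sh check ithubbs.de <token>   # in a second terminal, before Enter
#   ./le-manual.sh verify [live-dir]          # before uploading the files
case "${1:-}" in
  issue)  issue_certificate ;;
  check)  wait_for_txt "_acme-challenge.$2" "$3" ;;
  verify) key_matches_cert "${2:-}" ;;
esac
```

Run `check` once per name certbot asks for (`ithubbs.de` and `www.ithubbs.de`), each with the token certbot printed for that name, and only then press Enter in the certbot terminal.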
https://github.com/Neilpang/acme.sh: a shell script for easily creating free certificates from Let's Encrypt, and an alternative to the approach described in this article. Usage for the IT Hub: first read this, then run: