Let's Encrypt


Overview

Let's Encrypt is a free certificate authority. It issues TLS (HTTPS) certificates for any website whose domain ownership you can prove. If you need an in-depth introduction to this topic, please refer to the official docs: Let's Encrypt Documentation

In this documentation we present a basic architecture for obtaining a certificate for your domains via the HTTP challenge. Other validation methods exist, such as the DNS challenge, which also allows issuing wildcard certificates that cover subdomains other than www.

Legal information

Let's Encrypt, LEGO and Certbot are not owned or developed by GSD-Software. This documentation is only a rough outline of a basic environment that can be used to generate valid certificates. If you have any problem with the software mentioned above, please refer to its official documentation.

Requirements

  • Port 80 open to inbound connections
  • A proxy server [nginx/apache/GSDProxy]
  • The ability to schedule tasks (Windows: Task Scheduler, Unix: cron)

How to use

Disclaimer

This documentation does not go into detail, may use simplified terminology and may have minor discrepancies with the official documentation. For the full picture, please check the Let's Encrypt Documentation

Here is the architecture you can refer to when introducing Let's Encrypt certificates in your company.

[Screenshot: architecture overview]

We use the most common way of proving domain ownership, the HTTP challenge. We recommend LEGO as the Let's Encrypt client; it is an open-source, cross-platform application. You can download it here: LEGO Executables

To obtain a certificate you must have port 80 open, and your proxy must forward every request whose path contains "/.well-known" to LEGO.

On first use you must request a new certificate. You can do so by running the following command in your console (cmd.exe or a Linux shell).

lego --email="foo@bar.com" --domains="example.com" --http run

Port 80

This command binds to port 80, which requires appropriate permissions. It may also collide with your proxy server. You can change the port LEGO binds to with the --http.port {YOUR DESIRED PORT} parameter. Remember that your proxy application must then forward the HTTP challenge requests to that port.

After you run this command, LEGO asks the Let's Encrypt servers to verify that you own the domain. To do so, the authority makes an HTTP request to your domain under example.com/.well-known. Your proxy must forward this request to LEGO, which answers with the validation token. If this workflow completes successfully, the certificates are saved in the .lego directory inside the working directory.
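As an added example (not part of the original page or of the LEGO project), here is an nginx server block that implements the forwarding rule described above for a LEGO instance started with --http.port :5002. The port 5002 and the domain are placeholders. The rule matches /.well-known/acme-challenge/, the subpath the Let's Encrypt HTTP-01 challenge actually requests, so it is narrower than the bare /.well-known mentioned above and leaves the rest of /.well-known to your own application.

```nginx
server {
    listen 80;
    server_name example.com;

    # Only the ACME challenge path is handed to LEGO, which listens on the
    # port given to --http.port and serves the validation token itself.
    location /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:5002;
    }

    # Everything else on port 80 is redirected to HTTPS, which is served by
    # this proxy using the certificate LEGO issued.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Reload nginx after adding the block, then run the lego command with --http.port ":5002"; if the authority's request does not reach LEGO, check the proxy access log for the /.well-known/acme-challenge/ request before anything else.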

Here is how this process looks:

[Screenshot: certificate request workflow]

Renew certificate

Your newly created certificate is valid for 90 days. Let's Encrypt allows you to renew the certificate starting 30 days before the expiration date. You can renew your certificate by running the lego --email="foo@bar.com" --domains="example.com" --http renew command.

Because this process recurs, you should automate it.

Windows

Here is a basic *.bat script you can start from.

REM Change drive and directory to the GSD application (/D switches the drive as well)
CD /D <your drive letter>:<full path to GSD application>
REM /WAIT makes the script wait for lego to finish before the service is restarted
START /WAIT <path to lego>\lego.exe --email="<your email>" --domains="<your domain>" --http renew
NET stop <service name> && NET start <service name>

Save this script as a *.bat file, replace the placeholders, then add it to a monthly schedule in Windows Task Scheduler.

Linux

Running the renew command on Linux requires cron to be installed. Then create the following script:

#!/bin/sh
# Work from the GSD application directory so lego finds its .lego folder
cd "<full path to GSD application>"
<path to lego>/lego --email="<your email>" --domains="<your domain>" --http renew
# Restart the application so it picks up the renewed certificate
supervisorctl restart "<service name>"

Save it and make it executable with chmod a+x <path to your script>.

Now add the following rule to cron: run sudo crontab -e and add the following entry:

0 0 1 */2 * <path to your script>

where 0 0 1 */2 * means: at 00:00 on day 1 of every 2nd month.
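The Linux script above restarts the service unconditionally and gives no sign of whether lego succeeded. As an added example (not part of the original page or of the LEGO project), here is a more defensive renewal wrapper for the same cron job. It assumes lego stores the issued certificate at "$LEGO_PATH/certificates/$DOMAIN.crt", lego's default layout under its --path directory; the binary location, domain, e-mail, service name, log path and port are placeholders you must replace. The service is only restarted when lego actually wrote a new certificate, and a failed challenge is logged instead of being hidden behind a restart.

```shell
#!/bin/sh
# Renewal wrapper around "lego renew" for cron (added example, not from the
# original page). Assumption: lego writes the certificate to
# "$LEGO_PATH/certificates/$DOMAIN.crt" and the application is managed by
# supervisorctl as on the page. All values below are placeholders.
set -eu

LEGO_BIN="${LEGO_BIN:-/opt/lego/lego}"
LEGO_PATH="${LEGO_PATH:-/opt/gsd/.lego}"
DOMAIN="${DOMAIN:-example.com}"
EMAIL="${EMAIL:-foo@bar.com}"
SERVICE="${SERVICE:-gsd-app}"
HTTP_PORT="${HTTP_PORT:-5002}"   # must match the proxy's forward rule
LOG="${LOG:-/var/log/lego-renew.log}"

# Checksum of a file, or "missing" when it does not exist, so a certificate
# actually rewritten by lego can be told apart from a no-op run.
cert_fingerprint() {
    if [ -f "$1" ]; then
        cksum < "$1" | awk '{ print $1 }'
    else
        echo missing
    fi
}

# Restart only when a certificate exists and its content changed. An
# unchanged file (lego decided renewal is not due yet) or a run that left
# nothing behind must not bounce the service.
needs_restart() {
    before="$1"
    after="$2"
    [ "$after" != missing ] && [ "$before" != "$after" ]
}

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

run_renewal() {
    cert="$LEGO_PATH/certificates/$DOMAIN.crt"
    before=$(cert_fingerprint "$cert")

    # lego exits non-zero when the challenge fails. Stop here and log it, so
    # a broken proxy rule shows up in the log instead of being masked by a
    # service restart.
    if ! "$LEGO_BIN" --email="$EMAIL" --domains="$DOMAIN" --path="$LEGO_PATH" \
            --http --http.port=":$HTTP_PORT" renew >> "$LOG" 2>&1; then
        log "renewal failed for $DOMAIN"
        return 1
    fi

    after=$(cert_fingerprint "$cert")
    if needs_restart "$before" "$after"; then
        log "new certificate for $DOMAIN, restarting $SERVICE"
        supervisorctl restart "$SERVICE"
    else
        log "certificate for $DOMAIN unchanged, no restart"
    fi
}

# Run the renewal only when invoked as "<script> renew", so the functions
# can be sourced and checked without touching lego or the service.
if [ "${1:-}" = renew ]; then
    run_renewal
fi
```

Point the cron entry at "<path to your script> renew". Because lego renew leaves the certificate untouched until it is within its renewal window (30 days before expiry by default) and this wrapper then skips the restart, the script is safe to schedule more often than the bi-monthly entry above; a daily or weekly run removes the risk of a run landing just outside the renewal window.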