[Tutorial] Enabling HTTPS With LetsEncrypt
I got tired of the errors from a self-signed certificate and started a project to try and get an HTTPS certificate from Letsencrypt (it's free!) working for Ubooquity. Thought I'd share my results and method if anyone else wants to give it a shot. I started with this post here and modified his script to suit my needs. http://blog.ivantichy.cz/blogpost/view/74
A few caveats...
- If your domain is a subdomain on a popular domain, there is a good chance you won't be able to get a certificate, as they are distributed in limited quantities per domain.
- You can't have a service running on port 9999
- If you are running the server at home, your ISP can't be blocking port 443 (used to verify ownership of the domain)
I'm running Ubooquity on Ubuntu Server 14.04.3 LTS; your mileage may vary with other distros. You'll need some basic terminal skills and sudo.
First, you'll need to install Letsencrypt
#Install Git if needed
apt-get install git
#Create a directory for Letsencrypt
mkdir /opt/letsencrypt
cd /opt
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
You may need to edit a file (I did) in /letsencrypt to account for Ubuntu having an older version of Python in the repository. See this post for more info...
https://community.letsencrypt.org/t/insecureplatformwarning-on-ubuntu-14-04-w-python-2-7-6/2871/3
Once these prereqs are done, here is the script you'll need to run. It won't work out of the box, so make sure you read the comments and update the info as needed.
Create a script, set it to executable, and paste this in with your preferred editor.
#!/bin/bash
#Original author Ivan Tichy - Original http://blog.ivantichy.cz/blogpost/view/74 -- Updated for Ubooquity by Salty
#Please modify these values according to your environment
certdir=/etc/letsencrypt/live/yourdomain.com/ #just replace the domain name after /live/
keytooldir=/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/ #java keytool located in jre/bin (see this post if you need help finding this dir http://ubuntuforums.org/showthread.php?t=1054731&p=6643281#post6643281 )
letsencryptdir=/opt/letsencrypt/ #letsencrypt directory here
mydomain=yourdomain.com #put your domain name here
myemail=your@email.com #your email
networkdevice=eth0 #your network device (run ifconfig to get the name)
keystoredir=/home/salty/.keystore #located in home dir of user running Ubooquity (that user must be able to read the .jks created below)
keystorepass=yoursuperstrongpassword #the password for your keystore
#the script itself:
cd "$letsencryptdir" || exit 1 #the location of your letsencrypt install (set above); stop here if it is wrong
git pull origin master #update letsencrypt with the latest files
#this temporarily reroutes your traffic to port 443 to port 9999 for the domain ownership test letsencrypt does.
#it keeps you from having to shut down Ubooq service
#(-I puts the ACCEPT rule at the top of INPUT, so it wins over any DROP rule further down)
iptables -I INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
iptables -t nat -I PREROUTING -i "$networkdevice" -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9999
#Leave the top one uncommented for testing, it creates fake certs and won't count against the certificate limit from letsencrypt.
#Comment out top one and uncomment second command when ready to generate real cert
#(note: the tls-sni-01 challenge used here has since been retired by Let's Encrypt; current clients validate with http-01 on port 80 or dns-01)
"$letsencryptdir/letsencrypt-auto" certonly --verbose --standalone --test-cert --break-my-certs -d "$mydomain" --standalone-supported-challenges tls-sni-01 --tls-sni-01-port 9999 --renew-by-default --email "$myemail" --agree-tos
#"$letsencryptdir/letsencrypt-auto" certonly --standalone -d "$mydomain" --standalone-supported-challenges tls-sni-01 --tls-sni-01-port 9999 --renew-by-default --email "$myemail" --agree-tos
#deletes rerouting rule (same arguments as the insert above, otherwise -D will not find the rule and the redirect stays in place)
iptables -t nat -D PREROUTING -i "$networkdevice" -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9999
iptables -D INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
#deletes any previous JKS keys (these two fail harmlessly on the first run, when the keystore does not exist yet)
"$keytooldir/keytool" -delete -alias root -storepass "$keystorepass" -keystore "$keystoredir/ubooq_key.jks"
"$keytooldir/keytool" -delete -alias ubooq_key -storepass "$keystorepass" -keystore "$keystoredir/ubooq_key.jks"
#builds a usable keystore from the CA provided by letsencrypt
#(the .p12 is only a throwaway intermediate, but it holds your private key under the password "aaa", so it is removed again below)
openssl pkcs12 -export -in "$certdir/fullchain.pem" -inkey "$certdir/privkey.pem" -out "$certdir/cert_and_key.p12" -name ubooq_key -CAfile "$certdir/chain.pem" -caname root -password pass:aaa
"$keytooldir/keytool" -importkeystore -srcstorepass aaa -deststorepass "$keystorepass" -destkeypass "$keystorepass" -srckeystore "$certdir/cert_and_key.p12" -srcstoretype PKCS12 -alias ubooq_key -keystore "$keystoredir/ubooq_key.jks"
#-import (importcert) takes -storepass, not -deststorepass
"$keytooldir/keytool" -import -trustcacerts -alias root -storepass "$keystorepass" -file "$certdir/chain.pem" -noprompt -keystore "$keystoredir/ubooq_key.jks"
rm -f "$certdir/cert_and_key.p12"
Run the script, do whatever tweaking you need, then when you are generating a good fake cert and keystore, swap the commented out lines in the middle and generate your real certificate and keystore. Add the keystore and password to Ubooquity using the admin web interface and you should be good to go. Afterwards, you can add this to a cron job to re-up your certificate when it expires. GLHF!
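The same port-redirect trick as an added example of my own (not Salty's script and not code from the Ubooquity project), with the two things a practitioner wants on top: the rule is defined once so the delete is guaranteed to match the insert, and cleanup runs whether the client succeeds, fails or is interrupted. It assumes a current certbot (which has --http-01-port), an iptables host, and the placeholder domain, email and interface from the post; because tls-sni-01 has since been retired by Let's Encrypt, validation arrives on port 80 here rather than 443, so the redirect is only needed when something else (a reverse proxy, say) already holds port 80.

```sh
#!/bin/sh
# Added example, not the tutorial's script. Runs certbot's standalone challenge on
# a spare high port while Ubooquity keeps its own port, and guarantees that the
# temporary iptables rules are removed again.
# Assumptions (mine, not from the thread): certbot with --http-01-port; http-01
# validation on port 80 (tls-sni-01 on 443, which the original used, is retired).
set -eu

IPTABLES=${IPTABLES:-iptables}    # overridable so the logic can be dry-run with IPTABLES=echo
CERTBOT=${CERTBOT:-certbot}
NETDEV=${NETDEV:-eth0}
DOMAIN=${DOMAIN:-yourdomain.com}
EMAIL=${EMAIL:-your@email.com}
PUBLIC_PORT=${PUBLIC_PORT:-80}
CHALLENGE_PORT=${CHALLENGE_PORT:-9999}

# Rule bodies defined once. The original script typed each rule twice (once for
# -I, once for -D); any typo in the second copy silently leaves the redirect up.
INPUT_RULE="INPUT -p tcp -m tcp --dport $CHALLENGE_PORT -j ACCEPT"
NAT_RULE="PREROUTING -i $NETDEV -p tcp -m tcp --dport $PUBLIC_PORT -j REDIRECT --to-ports $CHALLENGE_PORT"

# -I inserts at the top of the chain, so the ACCEPT wins over any DROP below it.
redirect_on()  { $IPTABLES -I $INPUT_RULE; $IPTABLES -t nat -I $NAT_RULE; }
redirect_off() { $IPTABLES -t nat -D $NAT_RULE; $IPTABLES -D $INPUT_RULE; }

# Obtain (or renew) the certificate. The client's exit status is preserved, but
# redirect_off always runs: explicitly after success or failure, and from the
# trap if the script is killed while the client is still running.
issue_cert() {
    rc=0
    redirect_on
    trap 'redirect_off; exit 130' INT TERM
    $CERTBOT certonly --standalone --preferred-challenges http \
        --http-01-port "$CHALLENGE_PORT" -d "$DOMAIN" -m "$EMAIL" \
        --agree-tos -n ${STAGING:+--staging} || rc=$?
    trap - INT TERM
    redirect_off
    return $rc
}

case "${1:-}" in
    run)  issue_cert ;;              # ./issue.sh run   -> real certificate
    test) STAGING=1 issue_cert ;;    # ./issue.sh test  -> staging (fake) certificate, does not count against rate limits
esac
```

`IPTABLES=echo CERTBOT=echo ./issue.sh test` prints every command instead of running it, which is a cheap way to eyeball the rules before doing this as root; `--staging` plays the role of the original's `--test-cert`.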
Very, very nice !
I was interested in using Let's Encrypt with Ubooquity but was kind of put off by the relative complexity of the procedure.
This will help a lot, thanks !
If you don't mind, I might include this tutorial in the documentation sometime.
Awesome, glad you like it. Feel free to include this wherever you like.
I made a reverse proxy via HTTPS. Nginx works fine.
Excellent write up, Salty! This all looks familiar because I incorporated Let's Encrypt certificates in to my company's server this week.
I've been waiting for Let's Encrypt for a long time. I'm happy you were able to get it working on your machine!
Edit: oh crap! Reading through your script I think I see a way to get a certificate for a stand-alone service on my work server. You've inadvertently helped me in a work problem. ;)
That's great!
I ended up running Let's Encrypt manually via PowerShell (I'm on Windows). I have the following files:
.crt, .crt.pem, .csr.pem, .key.pem, .pfx
I've been trying to figure out how to modify the steps at the end to import the cert into the keystore and not sure what to do if I don't already have a keystore created. Also, are the 'openssl' steps required or can I just import the pfx into a new keystore?
Figured it out. In case anyone else searches for how to use Let's Encrypt under Windows:
1. Follow the steps to install, create and obtain your cert from Let's Encrypt from this page (Note: I used the PowerShell method. It's manual and a little more flexible in the way it works. You'll understand once you dig in.)
https://github.com/ebekker/ACMESharp/wiki/Quick-Start
2. Once you've obtained your .pfx file, run this command (must be JDK 1.6 or later...I am running JRE 1.8.0_77 and it worked fine):
keytool.exe -importkeystore -srckeystore "c:\pathtoyourcert\cert.pfx" -srcstoretype pkcs12 -destkeystore "c:\pathtoyourjks\cert.jks" -deststoretype JKS
3. Enter the path to your .jks file and the keystore password and restart the server
Note: When you export the .pfx file, you will be asked for a keystore password. Make sure you remember it. When you run the keytool command above, it will ask you for the destination keystore password (you don't have one, so make one up) and the source keystore password, which you set in step 2.
One more note: the caveats that Salty pointed out still apply; however, if you are using the manual dns-01 steps as I did, you will need the ability to add a TXT resource record to your DNS.
Best of luck!
Great addition, very nice! I'm pretty useless on the Windows side of things, lol.
Can any kind soul with Synology please enlighten me on where DSM 6.0 stores the letsencrypt certs generated from the GUI, so that I do not need to install another instance of letsencrypt? I can then update the script to generate keystore.jks.
Searched a bit but didn't find it.
But couldn't we also simply export the cert via the DSM GUI and then place it where we need it?
I wanted to create a script that points to the location of the letsencrypt cert and converts it to JKS. It saves me the trouble of manually exporting it every 3 months, converting it to JKS and placing it inside Ubooquity, as the cert expires every 3 months. Any ideas on how I could do that with a script?
Unfortunately I don't : (
I'm tempted to try to automate certificate management using Acme4J.
I don't know when or even if I'll do it, but manually managing certificates sure is painful.
- the Let's Encrypt certificates are stored in a folder that has a random name, meaning hardcoded paths may or may not change (e.g. /usr/syno/etc/certificate/_archive/Y2mWTD/privkey.pem)
I need HTTPS to be enabled to fix the iOS bug. The problem is I'm not a coder and I'm running it on my regular Windows PC, not a server. I understand this thread but this ain't gonna cut it for me LOL
Is there any way to simplify this?
I have plans to add Let's Encrypt support out of the box, as the current procedure is a bit complex (especially when you have to run it every three months).
But don't expect it this year.
I'd almost rather Ubooquity just supported PKCS12 or PEM format certs than do all that..
Run it every 3 months? Dude I feel for you!! Thanks for the amazing job you've done so far and I'll just have to geek out and learn some shit for myself lol
3 months is the maximum duration of Letsencrypt certificates.
They use a short period to encourage automation. It's working ;)
(at least when the integration will be done)
I know this is old but I wrote a couple of scripts a while ago to do the conversion for me.. here's the important one for p12 to jks https://gist.github.com/cvockrodt/77d4089f326563d830c0fa5aa651fa76. I have this run in a post hook on certbot renew
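Salty's script does the PEM-to-JKS conversion by hand, the Synology question above asks for a script that redoes it automatically every time the certificate changes, and the reply just above runs a conversion from a certbot post hook. Here is an added example of such a hook, my own code rather than the linked gist or anything from the Ubooquity project. It assumes certbot's --deploy-hook convention (the hook runs only after a certificate was actually renewed, unlike --post-hook which runs after every attempt, and certbot exports the lineage directory as RENEWED_LINEAGE), a Ubooquity user and systemd unit named ubooquity, and a keystore password kept in a root-only file at /etc/ubooquity/keystore.pass; all of those names are my assumptions. Compared with the original script it checks that the key and certificate belong together, passes both passwords through the environment instead of the command line (where any local user can read them with ps), never leaves the temporary .p12 behind, and swaps the new keystore in atomically.

```sh
#!/bin/sh
# Added example, not Salty's script and not the gist linked above. A certbot
# deploy hook that rebuilds Ubooquity's JKS after every successful renewal.
# Assumptions (mine, not from the thread): certbot sets RENEWED_LINEAGE for
# --deploy-hook scripts; Ubooquity runs as user "ubooquity" under the systemd
# unit "ubooquity.service"; the keystore password lives in a root-only file.
set -eu

KEYSTORE=${KEYSTORE:-/home/ubooquity/.keystore/ubooq_key.jks}
PASS_FILE=${PASS_FILE:-/etc/ubooquity/keystore.pass}   # chmod 600, owned by root
OWNER=${OWNER:-ubooquity}
SERVICE=${SERVICE:-ubooquity.service}
KEYTOOL=${KEYTOOL:-keytool}

# Refuse to build a keystore from a key and certificate that do not belong
# together (a half-finished renewal, the wrong lineage directory, ...).
key_matches_cert() {   # $1 = privkey.pem  $2 = fullchain.pem
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Stage 1: PEM -> PKCS12. The password comes from the environment (env:P12PASS),
# never the command line, so it is not visible in "ps" to every local user; the
# original script's "-password pass:aaa" and "-srcstorepass aaa" both are.
# fullchain.pem already carries the intermediate, so no separate trusted "root"
# entry is needed for Ubooquity to send a complete chain.
make_p12() {           # $1 = lineage dir  $2 = output .p12  (reads $P12PASS)
    key_matches_cert "$1/privkey.pem" "$1/fullchain.pem" || {
        echo "privkey.pem does not match fullchain.pem in $1" >&2; return 1; }
    umask 077          # the .p12 holds the private key: create it 0600 from the start
    openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
        -name ubooq_key -out "$2" -passout env:P12PASS
}

# Stage 2: PKCS12 -> JKS, written to a temp file and renamed over the old one so
# Ubooquity never sees a half-written keystore. keytool's ":env" modifier reads
# the passwords from the environment for the same reason as above.
p12_to_jks() {         # $1 = .p12  $2 = destination .jks  (reads $P12PASS, $JKSPASS)
    tmp="$2.tmp.$$"
    rm -f "$tmp"
    "$KEYTOOL" -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env P12PASS \
        -destkeystore "$tmp" -deststoretype JKS \
        -deststorepass:env JKSPASS -destkeypass:env JKSPASS \
        -alias ubooq_key
    chmod 600 "$tmp"
    mv -f "$tmp" "$2"
}

deploy() {             # $1 = lineage dir (certbot passes it as $RENEWED_LINEAGE)
    P12PASS=$(openssl rand -hex 16); export P12PASS   # throwaway, fresh for every run
    JKSPASS=$(cat "$PASS_FILE"); export JKSPASS       # the password Ubooquity was configured with
    p12=$(mktemp)
    trap 'rm -f "$p12"' EXIT                          # the temporary PKCS12 never outlives the run
    make_p12 "$1" "$p12"
    p12_to_jks "$p12" "$KEYSTORE"
    chown "$OWNER": "$KEYSTORE"                       # keytool ran as root; Ubooquity must be able to read it
    systemctl restart "$SERVICE"                      # Ubooquity reads the keystore at startup only
}

# certbot runs the hook with RENEWED_LINEAGE set (e.g. /etc/letsencrypt/live/yourdomain.com)
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Install it with `certbot certonly ... --deploy-hook /usr/local/sbin/ubooquity-jks.sh` (or drop it into /etc/letsencrypt/renewal-hooks/deploy/) and the renewal timer that ships with certbot takes care of the every-three-months problem. If the conversion ever fails, the old keystore stays in place untouched, which is the reason for the temp-file-and-rename step.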