The official
Let's Encryptclient,
certbotis, as the elementary school saying goes, “stoopid and has lice on brain”. A sane client,
dehydrated, exists but it sadly does no automation at all. So here's a list of steps you need to do.
Install it:
# apt install dehydrated dehydrated-apache2
Required global config: put into
/etc/dehydrated/conf.d/global.sh; PRIVATE_KEY_RENEW is required for cert fingerprint stability for TLSA.
CONTACT_EMAIL=your.email@address.xyz
PRIVATE_KEY_RENEW=no
Put the list of certificates to obtain: one cert per line, list all
alternate domain names for that site; into /etc/dehydrated/domains.txt.
example.org www.example.org
my-mirror.xyz www.my-mirror.xyz ftp.my-mirror.xyz http.my-mirror.xyz
Run it manually once:
# dehydrated -c
If you run a daemon that drops privileges early but is setgid, do:
[~]# addgroup --system ssl-cert [~]# cd /var/lib/dehydrated [/var/lib/dehydrated]# chown root:ssl-cert certs certs/* certs/*/*.pem [/var/lib/dehydrated]# chmod g+x certs certs/* [/var/lib/dehydrated]# chmod g+r certs/*/*.pemAnd to reset the permissions on renewals, you need the following in your hook script:
function deploy_cert {
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
chown root:ssl-cert "$KEYFILE" "$CERTFILE" "$FULLCHAINFILE" "$CHAINFILE"
chmod g+r "$KEYFILE" "$CERTFILE" "$FULLCHAINFILE" "$CHAINFILE"
}
If you have no hook script yet, copy it from
/usr/share/doc/dehydrated/examples/hook.shto a location not in conf.d (
/etc/dehydrated/hook.shis fine), and put
HOOK=/etc/dehydrated/hook.shinto a config file.
Do the actual per-daemon configuration; for example Apache:
SSLCertificateFile /var/lib/dehydrated/certs/example.org/fullchain.pem SSLCertificateKeyFile /var/lib/dehydrated/certs/example.org/privkey.pem SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLHonorCipherOrder on SSLCompression off SSLOptions +StrictRequireReload the daemon, test!
DANE/TLSA is important. Less so for https where the CA mafia managed
to keep it down, thus we need to put up with some “solutions” that are
outright harmful, like HSTS. More for SMTP where it actually sees
some deployment and support in server software. Obviously, this provides
less security if you don't use DNSSEC, but is still better than using only
CAs.
Calculate the digest:
# openssl x509 -in cert.pem -noout -pubkey|openssl pkey -pubin -outform DER|openssl dgst -sha256|cut -d' ' -f2
Put the calculated digest as a TLSA 3 1 1entry in your DNS zone:
_443._tcp IN TLSA 3 1 1 0a98762f9299ac2963cdf3977a70a617a3f8d3a8cdaf1f0c3ab82ff82cbe71a2
Same for SMTP, IMAP and what else:
_25._tcp IN TLSA 3 1 1 0a98762f9299ac2963cdf3977a70a617a3f8d3a8cdaf1f0c3ab82ff82cbe71a2 _993._tcp IN TLSA 3 1 1 0a98762f9299ac2963cdf3977a70a617a3f8d3a8cdaf1f0c3ab82ff82cbe71a2While we're here, also say other CAs are not authorized to issue certs for you:
@ IN CAA 0 issue "letsencrypt.org"
The certs are valid only for 90 days, you need to make a cronjob to renew
them:
# crontab -e
@daily /usr/bin/dehydrated -c >/dev/null(It will do nothing if the cert isn't close to expiration.)