Blog » Herbert Poul's Personal Blog » Finally switching to HTTPS thanks to letsencrypt

Finally switching to HTTPS thanks to letsencrypt

2018-08-05 15:14:45

Thanks to letsencrypt it got way too easy to switch to a secure website, I ran out of excuses. So now, in all it's glory https://herbert.poul.at with a green lock, isn't that amazing? ;-)



It also only involved some small docker, DNS and certbot magic to get it all going. The hardest part was understanding that to use bind9 you would have to use the rfc2136 plugin. everything else is really well documented. Check out their documentation it's really well documented but it boils down to:

1. Configure a key to allow TXT dns changes



  update-policy {
    grant letsencrypt.key name _acme-challenge.poul.at. txt;
  };


(and make sure that your slave DNS are notified of changes)

2. Getting the certificate



Since I hate bloating my servers with software, I didn't like the thought of installing additional tools for certbot. But luckily, they have nice docker builds, so nothing is required, except docker. Which, luckily, I am already using exstensively. So I just created a little script: 

docker run -it --rm \
    --name certbot \
    -v "`pwd`/etc/letsencrypt:/etc/letsencrypt" \
    -v "`pwd`/var/lib/letsencrypt:/var/lib/letsencrypt" \
    -v "`pwd`/var/log:/var/log" \
    -v "`pwd`/secret:/secret" \
    certbot/dns-rfc2136 certonly \
    --dns-rfc2136 \
    --dns-rfc2136-credentials /secret/rfc2136.ini \
    -d '*.poul.at'


3. Getting certificates to nginx



Now that the certificates are in etc/letsencrypt i just use rsync to copy them to the web server, and i'm ready to go.

The only thing to keep in mind are file permissions. certbot will create them only readable by root. But I don't really like logging into other systems as root, so permissions are not correctly synced by the default rsync setup, so i'm using --chmod option. 

rsync -e "$SSH" -a --chmod=go-rwx etc/ $USER@$PROXY:letsencrypt-etc/

$SSH $USER@$PROXY sudo /etc/init.d/nginx reload


4. nginx



That's again very well documented and easy to do. (no surprises there) 

server {
  server_name herbert.poul.at;
  return 301 https://herbert.poul.at$request_uri;
}

server {
  listen 192.168.9.5:443 spdy;
  server_name herbert.poul.at;

  ssl on;
  ssl_certificate XXX/letsencrypt-etc/letsencrypt/live/poul.at/fullchain.pem;
  ssl_certificate_key XXX/letsencrypt-etc/letsencrypt/live/poul.at/privkey.pem;
Hey, we have Signatures !!! Great, isn't it ? ;)

Posted by Herbert Poul

Assigned Tags:

0 Comments

Attachments: Screen_Shot_2018-08-05_at_15.03.22.png (39.0 KB)

Please login to post a reply.

Personal website and blog of Herbert Poul. Also check out my Photo Gallery.




Herby's Photo Gallery

Subscriptions

User

You are not logged in.
Login
Register