Started this as I felt that the standard LetsEncrypt client was way too fat and had too many dependencies to be allowed to run as root. Even though this is all pretty basic stuff, I decided to document it here.

Guide changed to use the security/acme-client

The guide using official LetsEncrypt client can be found at BernardSpil/LetsEncrypt.py
The guide using the LetsEncrypt.sh client can be found at BernardSpil/LetsEncrypt.sh

My first guide used the official LetsEncrypt python client. I found that to be way too fat and had too many dependencies to be allowed to run as root.
My second guide used Lukas Schauer's LetsEncrypt.sh client which only required openssl and either bash or zsh. This is still a good method as it has separated privileged and un-privileged actions.

This latest guide uses acme-client created by Kristaps Dzonsons.

As a proponent of LibreSSL I can't let solutions that use libtls from LibreSSL pass by without trying to use them. I'm the creator and maintainer of the `security/acme-client` port in the FreeBSD ports tree.

Notes

Some notes on the configuration of my setup

  1. All services accessible from the internet run in jails (all jails reside in /usr/jails by default on FreeBSD)

  2. I use LibreSSL as the provider of libcrypto, libssl and libtls on my FreeBSD system. The security/acme-client port depends on LibreSSL.

The acme-client process will be started by root but drops privileges to `nobody` and chroots any action that does not require root privileges. It must run as root to be able to drop privileges and run as an unprivileged user.

Install Letsencrypt.sh

The port is available in the ports tree. Install it using the official pkg repository using

pkg install letsencrypt

or alternatively build your own using [Poudriere](https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports-poudriere.html) or any of the other building-from-source options and install it. The port works with either security/libressl or security/libressl-devel. If you want to use the newer 2.4 branch of LibreSSL you should add to

/etc/make.conf

DEFAULT_VERSIONS+= ssl:libressl-devel

The FreeBSD ports framework will detect that an OpenSSL/LibreSSL port is installed and then default to depend on the port rather than base. This will hit you if you use portmaster/portupdate or generally build 'in-situ'. You are encouraged to build using poudriere to avoid this.

Configuration will land in /usr/local/etc/letsencrypt. The keys, certificates and certificate-chains will be stored in /usr/local/etc/ssl/letsencrypt by default. You should want to check that the configuration directory is not world-writable. The default directories in /usr/local/etc/ssl will be created with sane access restrictions when you install the port or package.

    /usr/local/etc/
        letsencrypt/
        ssl/
        ssl/letsencrypt/
        ssl/letsencrypt/private/

Prepare directories

To make life easier all of the challenges (LetsEncrypt as well as keybase etc) will be hosted in a shared dir /usr/local/www/.well-known on the jail running my Apache server.

mkdir -pm750 /usr/jails/http/usr/local/www/.well-known

The LetsEncrypt and acme-client bits will land in /usr/local/etc/letsencrypt, the private keys will land in /usr/local/etc/ssl/letsencrypt/private and certificates will land in domain-specific directories in /usr/local/etc/ssl/letsencrypt on the host system. These directories are created by the port/package upon installation apart from the domain-specific certificate directories.

Migration from LetsEncrypt.sh

To migrate from the LetsEncrypt.sh method, copy/move your account key, the domains.txt file and all keys and certs to the new locations. Use the default filename, resolve symlinks to the actual timestamped file. Use the script as an example, yet it should work for the default settings.

migrate.sh

        OLDDIR="/usr/local/etc/letsencrypt.sh"
        NEWDIR="/usr/local/etc/ssl/letsencrypt"
        cp -p /usr/local/etc/letsencrypt{.sh,}/domains.txt}
        cp -p /usr/local/etc/letsencrypt{.sh/private_key.pem,/privkey.pem}
        cat "${OLDDIR}/domains.txt" | while read domain line ; do
           mkdir -pm755 "${NEWDIR}/${domain}"
           cp -L "${OLDDIR}/certs/${domain}/privkey.pem" \
                 "${NEWDIR}/private/${domain}.pem"
           cp -L "${OLDDIR}/certs/${domain}/{cert,chain,fullchain}.pem" \
                 "${NEWDIR}/${domain}/"
        done

Modify Apache configuration

The acme validation will GET a uniquely named file from http://<example.org>/.well-known/acme-challenge/

Access to the .well-known directory is granted in my main Apache config file /usr/local/etc/apache24/httpd.conf

httpd.conf

        <Directory "/usr/local/www/.well-known/">
           Options None
           AllowOverride None
           Require all granted
           Header add Content-Type text/plain
        </Directory>

The Content-Type header was in my configs somewhere, shouldn't hurt.
If you want to only share the ACME challenges you can suffix .well-known/ with acme-challenge/.

Now every (non-ssl) Virtual Host that I have gets a on-line addition

vhosts/domain.conf

        Alias /.well-known/ /usr/local/www/.well-known/

You need to make sure that all (sub-)domains that you want to sign have access to this directory! That includes rewrites etc. The acme validation is done only using plain http and will not honour redirects etc.

acme-client configuration

acme-client works differently from the other clients I've used as it does not use configuration files. Everything is handled passing parameters with values to the command. The intended use-case is a system that hosts a single domain.

I've tried to remain compatible with the LetsEncrypt.sh method using a file that lists domains and using the first (primary) hostname as prefix for the file and directory names. A filename-prefix handling is likely to be added in a future version. This could equally well be done with an inline HERE-document as documented below.

Domains to sign

The script requires a list of domain names you want to have a SAN cert for in the following format:

        example.com www.example.com
        example.net www.example.net wiki.example.net

Domains and sub-domains that are listed on the same line will result in SAN-certificates (Subject-Alternative-Name).
Store this as /usr/local/etc/letsencrypt/domains.txt

Make sure the first item in every line of domains.txt is unique or you'll end up in a real mess!

In-line configuration

If you don't want to use a domains.txt configuration file you can use a different construct to include the list in your /usr/local/etc/letsencrypt/acme-client.sh script (changed lines only).

    ...
    while read domain line ; do
    ...
    done <<ENDOFLIST
    example.com www.example.com
    example.net www.example.net wiki.example.net        
    ENDOFLIST

Configure periodic job

The FreeBSD port contains a periodic(8) script for full automation of your certificate renewal. The periodic script allows using a script for renewals or periodic variables only for a single key/certifcate

To setup periodic to use the script

/etc/periodic.conf

    weekly_acme-client_enable="YES"
    weekly_acme-client_renewscript="/usr/local/etc/letsencrypt/acme-client.sh"
    weekly_acme-client_deployscript="/usr/local/etc/letsencrypt/deploy.sh"

Obviously you can also add your deployment to the renewal script if you would like to.

If you have only one certificate to renew on the machine, then you do so without a script by using periodic variables

/etc/periodic.conf

    weekly_acme-client_enable="YES"
    weekly_acme-client_domains="example.com www.example.com example.net www.example.net"
    weekly_acme-client_challengedir="/usr/jails/http/usr/local/www/.well-known/acme-challenge"
    weekly_acme-client_args="-c /usr/jails/http/usr/local/ssl/certs -p /usr/jails/http/usr/local/ssl/priv"

In stead of using the weekly_acme-client_args you can also use weekly_acme-client_deployscript for your single certificate deployment.

The remainder of this guide assumes you use the weekly_acme-client_renewscript method.

First run

You will probably want to run your LetsEncrypt manually the first time (as root) after you've setup periodic

    /usr/local/etc/periodic/weekly/000.acme-client.sh

You will end up with a sub-directory certs that contains your domains as directories with the Subject-Alternative-Names certs and the corresponding private keys in the private sub-directory.

    /usr/local/etc/ssl/
       certs/example.com/
          cert.pem
          chain.pem
          fullchain.pem
       private/example.com.pem
       certs/example.net/
          cert.pem
          chain.pem
          fullchain.pem
       priv/example.net.pem

Deploy new certs

The port contains a script (/usr/local/etc/letsencrypt/deploy.sh) that you can adapt to your needs.

Here you'll probably need to get creative with scripting. In the host environment, your now have

    /usr/local/etc/ssl/letsencrypt/private/example.net.pem
    /usr/local/etc/ssl/letsencrypt/certs/example.net/fullchain.pem

Example (jailed) applications

Your Apache server may (should?) run in the http jail and you've setup an Apache Virtual Host with

    SSLCertificateFile /etc/ssl/certs/example.net.pem
    SSLCertificateKeyFile /etc/ssl/priv/example.net.pem

and your OpenSMTPd mailserver for example.net in the mail jail

    pki example.net certificate "/etc/ssl/certs/example.net.pem"
    pki example.net key         "/etc/ssl/priv/example.net.pem"
    listen on $lan_addr port 587 tls-require \
           pki example.net hostname example.net auth

Seen from the host environment your certificates actually need to end up in

    /usr/jails/http/etc/ssl
    /usr/jails/mail/etc/ssl

NB: Some applications want a private key, certificate and separate chain instead. If this is the case you'll need to copy cert.pem and chain.pem to the appropriate location instead.


CategoryHowTo

BernardSpil/LetsEncrypt (last edited 2019-01-02T18:47:59+0000 by JuanMolina)