author: Dirk Engling <erdgeist@erdgeist.org> 2018-06-14 21:19:47 +0200
committer: Dirk Engling <erdgeist@erdgeist.org> 2018-06-14 21:19:47 +0200
commit: 4e7b4db2e70deb665e63cc49d0623fc8430e6aaf
tree: 1a00bbe7c62b787a87400486a0a25dab2f3b535e /blog/2017/just-add-water.rst
parent: 2d1b713a523ffbe5d9a29e36266cf9af8b852ad3
Changes from the last two years
Diffstat (limited to 'blog/2017/just-add-water.rst')
-rw-r--r-- blog/2017/just-add-water.rst 100
1 files changed, 100 insertions, 0 deletions
diff --git a/blog/2017/just-add-water.rst b/blog/2017/just-add-water.rst
new file mode 100644
index 0000000..719dc6b
--- /dev/null
+++ b/blog/2017/just-add-water.rst
@@ -0,0 +1,100 @@
1.. date: 2017/08/24 19:07
2.. title: Just add water
3
4Since `letsencrypt <https://letsencrypt.org/>`_ has made it easy to actually get the little green lock icon in all the browser, I've deployed it nearly everwhere, where reloading keys every three months is not an issue (looking at you, dovecot and ejabberd). When using FreeBSD, the `security/dehydrated <http://www.freshports.org/security/dehydrated>`_ port has made things smooth enough for me not to be to afraid to execute it from a periodic script: It only requires bash and curl and can be executed as non-privileged user.
5
6So here's a step by step instruction how to properly set it up:
7
8#. Install the port/package::
9
10 pkg install dehydrated
11
12#. Create the letsencrypt user, for example::
13
14 echo letsencrypt::::::::/bin/sh: | adduser -w random -f -
15
16#. Create your config copy ``/usr/local/etc/dehydrated/config`` by duplicating the example::
17
18 cp /usr/local/etc/dehydrated/config.example /usr/local/etc/dehydrated/config
19
20#. Edit ``/usr/local/etc/dehydrated/config`` so it reads ``CONTACT_EMAIL=me@foo.com``. (Don't forget to remove the # at the line's start.)
21
22#. By default, dehydrated's work dir is ``/usr/local/etc/dehydrated``. I do not like that, because the letsencrypt user needs write access to that directory for its housekeeping files and could modify things like the config and – worse – the ``deploy.sh`` script. So I create a different work dir::
23
24 mkdir /var/dehydrated
25 chown -R letsencrypt /var/dehydrated
26
27#. And then I change ``/usr/local/etc/dehydrated/config`` to read ``BASEDIR=/var/dehydrated``. (Again, don't forget to un-comment the line.)
28
29#. The web directory for challenge replies defaults to ``/usr/local/www/dehydrated``. It needs to be writable by letsencrypt user::
30
31 chown -R letsencrypt /usr/local/www/dehydrated
32
33#. Configure domains.txt::
34
35 echo 'foo.com www.foo.com' > /var/dehydrated/domains.txt
36
37#. I want dehydrated to be run weekly by periodic, I also setup the deploy script (see below). I put those lines in ``/etc/periodic.conf``::
38
39 weekly_dehydrated_enable="YES"
40 weekly_dehydrated_user="letsencrypt"
41 weekly_dehydrated_deployscript="/usr/local/etc/dehydrated/deploy.sh"
42
43#. The deploy.sh script needs to be setup, it will tell all frontends to reload certs. For my nginx installations, it is enough to put this into ``/usr/local/etc/dehydrated/deploy.sh``::
44
45 #!/bin/sh
46
47 /usr/sbin/service nginx reload
48
49#. Don't forget execute permissions::
50
51 chmod +x /usr/local/etc/dehydrated/deploy.sh
52
53#. Finally, for nginx to correctly route requests to the web dir, add this to your server block. Don't forget to enable ``listen 80``::
54
55 location /.well-known/acme-challenge/ {
56 alias /usr/local/www/dehydrated/;
57 }
58
59#. Before running dehydrated for the first time, you should reload your nginx config. This also is an implicit check for correct permissions on ``deploy.sh`` ;)::
60
61 /usr/local/etc/dehydrated/deploy.sh
62
63#. Run dehydrated to set up and agree to terms and conditions::
64
65 su letsencrypt -c 'dehydrated --register --accept-terms'
66
67#. Then run it again to actually do a challenge/response and generate certs::
68
69 su letsencrypt -c 'dehydrated -c'
70
71#. If everything went fine, tell nginx to use the new certs in your server block. Don't forget to enable ``listen 443 ssl``::
72
73 ssl_certificate /var/dehydrated/certs/www.foo.com/fullchain.pem;
74 ssl_certificate_key /var/dehydrated/certs/www.foo.com/privkey.pem;
75
76#. Make nginx use your new certs::
77
78 /usr/local/etc/dehydrated/deploy.sh
79
80You should be able to see your web site with a little green lock icon now, carrying a letsencrypt cert.
81
82In order to verify that all your setups have been setup correctly, I wrote a script that checks them all::
83
84 HOSTS="mail.foo.com:25:smtp mail.foo.com:imaps www.foo.com jabber.foo.com:5232"
85 unset LANG LC_CTYPE LC_MESSAGES LC_TIME
86
87 for host in $HOSTS; do
88 unset starttls
89 [ ${host%:*} = ${host} ] && host=${host}.:443
90 if [ ${host%*:*:*} != ${host} ]; then
91 starttls="-starttls ${host#*:*:} "
92 host=${host%:*}
93 fi
94 echo $host ${starttls}
95 notafter=$( yes q | openssl s_client -servername ${host} -connect ${host} ${starttls} 2>/dev/null | openssl x509 -noout -enddate | grep ^notAfter= | cut -d = -f 2- )
96 secs=$( date -j -f "%b %d %T %Y %Z" "${notafter}" +%s )
97 now=$( date +%s )
98 printf "% 4d days .. until %s\n" $(( (secs - now) / 86400 )) "${notafter}"
99 done
100
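Review bot: the certificate paths in step 14 will not exist as written, because dehydrated names the certificate directory after the first domain on a line of domains.txt, and step 8 writes ``echo 'foo.com www.foo.com' > /var/dehydrated/domains.txt``, so the files land under ``/var/dehydrated/certs/foo.com/`` rather than the ``/var/dehydrated/certs/www.foo.com/`` that the ``ssl_certificate`` and ``ssl_certificate_key`` lines reference; either put ``www.foo.com`` first on the domains.txt line or point nginx at the ``foo.com`` directory. Two smaller points: ``chown -R letsencrypt /var/dehydrated`` sets the owner of the work dir but says nothing about its mode, and ``privkey.pem`` ends up inside that tree, so the step that creates it should also restrict the directory (a ``chmod 700 /var/dehydrated``, or at least on the ``certs`` subdirectory) rather than rely on the default umask; and the verification script at the end only extracts ``notAfter`` from the leaf certificate, so a host that serves an incomplete chain or an expired intermediate still prints a reassuring day count. Passing ``-verify_return_error`` to ``openssl s_client`` (with ``-CAfile`` where the system trust store is not the default) makes the handshake fail on a chain that does not verify, so no day count is reported for it, which is closer to what the browser's lock icon actually checks.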