Generating Let's Encrypt SSL Certificates
Generating an SSL Certificate on your GroundWork Server
Using SSL/TLS certificates is no longer optional; it's a requirement. Modern browsers object to http-only sites, and even self-signed certificates are getting harder to use, with anti-virus products blocking access to sites whose certificates they can't verify (and rightly so). Your GroundWork server comes with an automatically generated self-signed certificate, so it uses TLS out of the box, but there's no reason you can't use a "real", verifiable CA-issued certificate if you have one, and skip the browser exceptions a self-signed certificate requires. If you don't have one, the Let's Encrypt project (https://letsencrypt.org/) will issue one for free. Here's how.
Also, check out a related blog posting here.
Prerequisites
- Your GroundWork server has to be resolvable at a hostname on a public domain.
This doesn't mean it has to have a public IP address, just that the name has to resolve when you look up its fully qualified domain name (FQDN) in public DNS. For example, if your server's IP address is 192.168.1.23 and your domain is example.com, add an A record for gwos01.example.com pointing to that address. The host won't be reachable from the Internet, but the name will resolve. (The Let's Encrypt DNS challenge itself only checks the TXT record described next; the A record is what lets your users find the server by the name on the certificate.)
- You need to be able to (at least temporarily) add a TXT record to your domain's public DNS.
This is the ACME DNS-01 challenge: it is how Let's Encrypt verifies that you control the domain, and so have the right to request a certificate for a host on it. The record has to be in public DNS because Let's Encrypt's validation servers look it up from your zone's authoritative nameservers.
- You need superuser (sudo) access to your GroundWork host to install software (like git and python), unless you already have certbot installed.
Steps
It's a good idea to log in to your DNS provider and get ready to add a TXT record for your domain now.
If necessary, install git. For example on RHEL or CentOS:
sudo yum update -y
sudo yum install -y git
Clone the repo for letsencrypt:
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Note: the Certbot project has since retired the letsencrypt-auto / certbot-auto wrapper script, and the repository now lives at github.com/certbot/certbot (the old URL redirects there). On a current system, install certbot from your distribution's package repository or from snap instead, and run certbot wherever ./letsencrypt-auto appears below; the options are the same.
Ask Let's Encrypt's certbot to issue the cert (e.g., for gwos01.example.com):
cd /opt/letsencrypt
sudo -H ./letsencrypt-auto -d gwos01.example.com --manual --preferred-challenges dns certonly
This will probably install several packages, including python. Also, sudo may ask for your password if it has been a while since you last used it.
Accept the prompts, including that for logging your IP:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
The process will then pause with a request to place a TXT record in your public DNS for the host you are requesting the cert for (e.g., gwos01.example.com). The TXT record looks something like this:
NAME: _acme-challenge.gwos01.example.com.
VALUE: OWOw_zpuLqVtpDqD5DBAEz67TRhGmwcOmlHHuE9xxxx
certbot waits for you at this prompt:
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Add this record to your DNS using whatever procedure your DNS server or provider offers. Many zone editors, including the one at the registrar gandi.net, take the record name relative to the zone, so for zone example.com you would enter the name _acme-challenge.gwos01, type TXT, the value certbot printed, and a short TTL (a few minutes) so the record can be replaced quickly on the next renewal.
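A check worth running before you press Enter, as an added example that is not part of the GroundWork page or of certbot: it polls a resolver until the _acme-challenge record actually carries the value certbot showed, so you are not sent back to the start by a failed validation because the zone editor had not yet published the record. It assumes dig is installed (bind-utils on RHEL/CentOS); the resolver to query is your choice, and since Let's Encrypt looks the record up from your zone's authoritative nameservers, pointing it at one of those (rather than a public cache) is the most faithful check. The helper for the relative record name is there because zone editors usually want the name without the zone suffix.

```shell
#!/bin/sh
# Added example (not from the GroundWork page or certbot): confirm the
# _acme-challenge TXT record is visible before telling certbot to continue.
# Assumes `dig` (bind-utils on RHEL/CentOS) and a resolver you choose.
set -u

# The record name certbot asks for, from the FQDN on the certificate.
acme_challenge_name() {
  printf '_acme-challenge.%s\n' "$1"
}

# Many zone editors want the name relative to the zone:
#   gwos01.example.com in zone example.com -> _acme-challenge.gwos01
acme_challenge_relative_name() {
  fqdn=$1; zone=$2
  host=${fqdn%".$zone"}
  if [ "$host" = "$fqdn" ] || [ -z "$host" ]; then
    echo "error: $fqdn is not a host inside zone $zone" >&2
    return 1
  fi
  printf '_acme-challenge.%s\n' "$host"
}

# Normalise `dig +short TXT` output to one bare value per line: strip the
# surrounding quotes and join values that dig prints as several quoted strings.
parse_txt_values() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Succeeds if the expected value is one of the TXT answers read from stdin.
txt_value_present() {
  parse_txt_values | grep -qxF -- "$1"
}

# Poll a resolver until the record carries the value certbot showed.
# Usage: wait_for_txt gwos01.example.com <value> [resolver] [tries]
wait_for_txt() {
  fqdn=$1; expected=$2; resolver=${3:-1.1.1.1}; tries=${4:-30}
  name=$(acme_challenge_name "$fqdn")
  i=1
  while [ "$i" -le "$tries" ]; do
    if dig +short TXT "$name" "@$resolver" | txt_value_present "$expected"; then
      echo "ok: $name has the expected value on $resolver"
      return 0
    fi
    i=$((i + 1))
    sleep 10
  done
  echo "timeout: $name not visible on $resolver after $tries tries" >&2
  return 1
}
```

Run it from a second terminal while certbot waits, e.g. `wait_for_txt gwos01.example.com OWOw_zpuLqVtpDqD5DBAEz67TRhGmwcOmlHHuE9xxxx ns1.example.com` (hypothetical nameserver), and press Enter in the certbot session only once it prints "ok".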
Once the DNS TXT record is saved and visible, go back to the console and press Enter. The verification should complete and give you a success message:
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/gwos01.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/gwos01.example.com/privkey.pem
Your cert will expire on 2020-06-23. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew *all* of your certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
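Before copying the files into GroundWork it is worth confirming that they are what you expect, as an added example that is not part of the GroundWork page or of certbot: the checks below verify that the leaf certificate (the first one in fullchain.pem) was issued for the private key, that the hostname is in its subjectAltName (browsers ignore the CN), and that it is not about to expire. It assumes the openssl command-line tool and the file paths certbot printed above; the script name checkcert.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the GroundWork page or certbot): sanity-check the
# issued files before copying them into GroundWork. Assumes the openssl CLI.
set -u

# Does the first certificate in the chain (the leaf) belong to this key?
# Compares the public key embedded in the cert with the one derived from privkey.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Is the hostname listed in the leaf's subjectAltName?
# Parses the -text dump so it also works with OpenSSL 1.0.x (no `-ext` option).
cert_covers_name() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed -e 's/^ *//' -e 's/^DNS://' | grep -qxF -- "$2"
}

# Succeeds if the leaf stays valid for at least this many more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run all three checks; fail on the first problem so nothing half-checked is installed.
check_cert_files() {
  cert=$1; key=$2; fqdn=$3
  cert_key_match "$cert" "$key" || { echo "FAIL: $key does not match $cert" >&2; return 1; }
  cert_covers_name "$cert" "$fqdn" || { echo "FAIL: $cert has no SAN for $fqdn" >&2; return 1; }
  cert_valid_for_days "$cert" 30 || { echo "FAIL: $cert expires within 30 days" >&2; return 1; }
  echo "ok: $cert and $key are consistent and cover $fqdn"
}

# When invoked directly: sh checkcert.sh CERT KEY FQDN
if [ "$#" -eq 3 ]; then
  check_cert_files "$1" "$2" "$3"
fi
```

The files under /etc/letsencrypt are readable only by root, so run it as `sudo sh checkcert.sh /etc/letsencrypt/live/gwos01.example.com/fullchain.pem /etc/letsencrypt/live/gwos01.example.com/privkey.pem gwos01.example.com`. The same three checks are just as useful after a renewal, when it is easy to copy a fresh fullchain.pem next to a stale privkey.pem.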
Next, copy fullchain.pem and privkey.pem into your gw8 folder (e.g., if gw8 is under /home/gwuser). The files under /etc/letsencrypt are readable only by root, so use sudo; afterwards make the copies owned by gwuser and keep privkey.pem readable by that user alone, since anyone who can read it can impersonate your server:
sudo cp /etc/letsencrypt/live/gwos01.example.com/fullchain.pem ~gwuser/gw8/
sudo cp /etc/letsencrypt/live/gwos01.example.com/privkey.pem ~gwuser/gw8/
Add privkey.pem and fullchain.pem to the GroundWork 8 instance using the procedure Adding Certificates to HTTPS.
Log in to GroundWork Monitor 8 in your browser to confirm the valid certificate. You're done!
Keep in mind that Let's Encrypt certificates are valid for 90 days, and because this one was issued with the --manual DNS challenge, "letsencrypt-auto renew" cannot complete the challenge unattended. Repeat these steps before the expiry date shown above (or configure a certbot DNS plugin or --manual-auth-hook so renewal can update the TXT record itself), then add the new files to GroundWork again.