How to generate Let's Encrypt SSL certificates

Using SSL certificates is no longer an option, it's a requirement. Modern browsers now object to http-only sites, and even self-signed certs are getting harder to use, with anti-virus programs denying access to sites they can't verify (and rightfully so). Your GroundWork server comes with a self-signed certificate automatically generated, so it is using SSL out of the box, but there's no reason you can't use a "real", verifiable CA certificate if you have one, and skip all those self-signed exceptions. If you don't have one, the Let's Encrypt project (https://letsencrypt.org/) can make one for you for free. Here's how. 

Generate an SSL certificate on your GroundWork server

What you will need

Your Groundwork server has to be resolvable at a hostname on a public domain.

This doesn't mean it has to have a public IP address, just that you need to get the address when you ask DNS for it using the fully qualified domain name (FQDN). For example, if your server has IP address of 192.168.1.23, and your domain is example.com, then you can add an A record to that address for gwos01.example.com to your DNS. It won't be reachable, but DNS will work. 

You need to be able to (at least temporarily) add a TXT record to your domain's public DNS.

This is how Let's Encrypt verifies that you control the domain, and so have the right to ask for a certificate of a host on that domain. It has to be public so Let's Encrypt's servers can access it. 

You need superuser (sudo) access to your GroundWork host to install software (like git and python), unless you have certbot already installed

Steps

  1. It's a good idea to log in to your DNS provider and get ready to add a TXT record for your domain now.

  2. If necessary, install git. For example on RHEL or CentOS: 

    sudo yum update && sudo yum upgrade -y
    sudo yum install git
  3. Clone the repo for letsencrypt: 

    sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
  4. Ask Let's Encrypt's certbot to issue the cert (e.g., for gwos01.example.com): 

    cd /opt/letsencrypt
    sudo -H ./letsencrypt-auto -d gwos01.example.com --manual --preferred-challenges dns certonly

    This will probably install several packages, including python, etc. Also, sudo might ask you for your user password if it has been long enough since you last used sudo.

  5. Accept the prompts, including that for logging your IP: 

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: Y
  6. The process will pause: 

    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue

    with a request to place a TXT type record in your public DNS for the domain you are asking for a cert for, e.g., example.com. The TXT record looks something like this: 

    NAME: _acme-challenge.gwos01.example.com. VALUE: OWOw_zpuLqVtpDqD5DBAEz67TRhGmwcOmlHHuE9xxxx

    Add this record to your DNS using the procedure your DNS server or provider provides. For example, at the registrar gandi.net, the DNS record would look like this:

  7. Once the DNS TXT record is saved, go back to the console and click Enter. The verification should complete and give you a success message: 

    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/gwos01.example.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/gwos01.example.com/privkey.pem
       Your cert will expire on 2020-06-23. To obtain a new or tweaked
       version of this certificate in the future, simply run
       letsencrypt-auto again. To non-interactively renew *all* of your
       certificates, run "letsencrypt-auto renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
    
  8. Next, copy the fullchain.pem and key to your gw8 folder, (e.g., if gw8 is under /home/gwuser): 

    cp /etc/letsencrypt/live/gwos01.example.com/fullchain.pem ~gwuser/gw8/
    cp /etc/letsencrypt/live/gwos01.example.com/privkey.pem ~gwuser/gw8/
  9. Add the privkey.pem and the fullchain.pem to the GroundWork 8 instance, using the procedure Adding Certificates to HTTPS.
  10. Log in to GroundWork Monitor 8 using your favorite browser to confirm the valid certificate. You're done! 

Related articles