Using Let's Encrypt for SSL/TLS Certificates for Apache 2.2, Postfix 2.9 and Dovecot 2.0 on Ubuntu 12.04

by Daniel Convissor at 2015-12-21 09:17:00

I've been using StartSSL for low level, free TLS certificates for a few years. Their interface and processes are a bit clunky (though I see they're coming out with a new website this weekend). More problematically, they wouldn't renew a free cert for my community garden's domain because the site has a link for making donations via PayPal.

I recently heard of Let's Encrypt, a new, open source, free certificate authority. It's got big name backers like Mozilla, EFF, Automattic and many more. The API system allows users to easily automate the process. They went into public beta mode earlier in the month.

One of my TLS certificates was coming up for renewal, so I figured it was worth a shot. I'm glad I did.

I ran into a few roadblocks using the "apache" plugin, so I used the "webroot" plugin which is slightly less automagical. After using it, I realized a little shell script would help simplify the process. Also, Let's Encrypt is pretty lax with file permissions (I was able to read the private keys from my regular user account!) so my instructions and shell script lock things down.

Get the Software and Certs

All shell commands in this tutorial assume you're running as root. So start off by making that so, then install my shell script.

sudo -i

mkdir -p -m 755 /usr/local/src
cd /usr/local/src

git clone https://github.com/convissor/call_letsencrypt
cd call_letsencrypt
chmod 744 call_letsencrypt.sh

# Edit the "email" variable in the script.
# Use whatever editor you want.  As you see, I use vim.
vim call_letsencrypt.sh
git commit -am 'My settings'

cd /usr/local/sbin
ln -s /usr/local/src/call_letsencrypt/call_letsencrypt.sh call_letsencrypt.sh

Next, ensure regular users can't get at the data, then install the Let's Encrypt scripts in /root.

mkdir -m 700 /etc/letsencrypt

cd
git clone https://github.com/letsencrypt/letsencrypt

Execute my script for the core domain names and tighten up permissions some more.

call_letsencrypt.sh www.analysisandsolutions.com analysisandsolutions.com

find /etc/letsencrypt -type d -exec chmod 700 {} \;
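The chmod above only tightens directories. As an added example (my own, not from the original post or the call_letsencrypt project), here is a small audit that lists anything under a certificate tree that a group member or other user could still read, and a lock-down that sets directories to 700 and regular files to 600. It is meant to be run against /etc/letsencrypt as root; the demo tree it builds is constructed, with a placeholder file standing in for a private key, and the example.com names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or the call_letsencrypt project.
# Audits a certificate tree for paths readable by group/other and locks it down.
# Note: Let's Encrypt keeps the real keys under archive/; live/ holds symlinks.

# Print every file or directory under $1 that is group- or world-readable.
# Symlinks are skipped: a symlink's own mode is always 777 and would be a
# false positive (the target is checked on its own). Returns 1 if anything
# loose was found, 0 if the tree is clean.
find_loose_perms() {
    loose=$(find "$1" ! -type l \( -perm -040 -o -perm -004 \) -print)
    [ -z "$loose" ] && return 0
    printf '%s\n' "$loose"
    return 1
}

# Number of loose paths, convenient for a cron-driven check.
count_loose() {
    find "$1" ! -type l \( -perm -040 -o -perm -004 \) | wc -l | tr -d ' '
}

# Directories 700, regular files 600 (symlinks are not touched).
lock_down() {
    find "$1" -type d -exec chmod 700 {} \;
    find "$1" -type f -exec chmod 600 {} \;
}

# Constructed stand-in for /etc/letsencrypt with the loose permissions the
# post complains about. The "key" is a placeholder string, not real key material.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/archive/www.example.com" "$t/live/www.example.com"
    printf 'CONSTRUCTED PLACEHOLDER, NOT A KEY\n' > "$t/archive/www.example.com/privkey1.pem"
    ln -s ../../archive/www.example.com/privkey1.pem "$t/live/www.example.com/privkey.pem"
    chmod 755 "$t/archive" "$t/archive/www.example.com" "$t/live" "$t/live/www.example.com"
    chmod 644 "$t/archive/www.example.com/privkey1.pem"
    printf '%s\n' "$t"
}

# Run directly as root with --fix to audit and tighten the real tree.
if [ "${1:-}" = "--fix" ]; then
    find_loose_perms /etc/letsencrypt || lock_down /etc/letsencrypt
fi
```

Running the audit after every renewal is cheap insurance: the client recreates files under archive/ each time it issues a certificate, so permissions you fixed once can come back loose.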

Use the New Certs

/etc/apache2/sites-available/www.analysisandsolutions.com

SSLCertificateFile /etc/letsencrypt/live/www.analysisandsolutions.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.analysisandsolutions.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.analysisandsolutions.com/privkey.pem

/etc/postfix/main.cf

smtpd_tls_cert_file = /etc/letsencrypt/live/www.analysisandsolutions.com/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/www.analysisandsolutions.com/privkey.pem

/etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/letsencrypt/live/www.analysisandsolutions.com/cert.pem
ssl_key = </etc/letsencrypt/live/www.analysisandsolutions.com/privkey.pem

Reload Services

service apache2 reload
service dovecot reload
service postfix reload

Renew the Certs Automatically

Certificates from Let's Encrypt expire in 90 days. Renewing them is as easy as adding a cron job that gets called every other month. So call crontab -e and put the following in there.

5 4 3 */2 * /usr/local/sbin/call_letsencrypt.sh -adp www.analysisandsolutions.com analysisandsolutions.com
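Two checks are worth running both before the reloads in the previous section and from the renewal job above: that cert.pem and privkey.pem in the live directory actually belong together (a mismatched pair leaves Apache, Postfix and Dovecot unable to serve TLS after a reload), and how close the certificate is to its 90-day expiry. The following is an added example of mine, not code from the post or the call_letsencrypt project. It assumes the openssl command-line tool; the safe_reload function takes the live directory path as an argument, and the demo pairs it generates are self-signed, constructed on the fly for www.example.com.

```shell
#!/bin/sh
# Added example, not part of the original post or the call_letsencrypt project.
# Pre-flight checks on a Let's Encrypt live/ directory using the openssl CLI.

# Return 0 when the public key inside the certificate equals the public key
# derived from the private key, i.e. the two files belong together.
# Returns 2 if either file cannot be parsed.
cert_key_match() {
    cert="$1"; key="$2"
    c=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 2
    k=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# Return 0 when the certificate expires within $2 days.
# openssl's -checkend exits 0 only if the cert is still valid past the window.
needs_renewal() {
    cert="$1"; days="$2"
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Reload the three services only if the live pair is consistent.
# $1 is the live directory, e.g. /etc/letsencrypt/live/www.example.com (assumed path).
safe_reload() {
    live="$1"
    if ! cert_key_match "$live/cert.pem" "$live/privkey.pem"; then
        echo "cert/key mismatch in $live, not reloading" >&2
        return 1
    fi
    for svc in apache2 dovecot postfix; do
        service "$svc" reload
    done
}

# Constructed demo: a self-signed pair in $1 valid for $2 days, standing in
# for a live/ directory. Not a real Let's Encrypt certificate.
make_demo_pair() {
    dir="$1"; days="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj '/CN=www.example.com' \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}
```

In the cron job, `needs_renewal /etc/letsencrypt/live/www.example.com/cert.pem 30 && call_letsencrypt.sh ...` turns the fixed every-other-month schedule into a daily "renew when under 30 days left" check, which also recovers if one run fails.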

Tags: encryption, apache, postfix, ubuntu
