I've been using StartSSL for low level, free TLS certificates for a few years. Their interface and processes are a bit clunky (though I see they're coming out with a new website this weekend). More problematically, they wouldn't renew a free cert for my community garden's domain because the site has a link for making donations via PayPal.
I recently heard of Let's Encrypt, a new, open source, free certificate authority. It's got big name backers like Mozilla, EFF, Automatic and many more. The API system allows users to easilty automoate the process. They went into public beta mode earlier in the month.
One of my TLS certificates was coming up for renewal, so I figured it was worth a shot. I'm glad I did.
I ran into a few roadblocks using the "apache" plugin, so I used the "webroot" plugin which is slightly less automagical. After using it, I realized a little shell script would help simplify the process. Also, Let's Encrypt is pretty lax with file permissions (I was able to read the private keys from my regular user account!) so my instructions and shell script lock things down.
All shell commands in this tutorial assume you're running as root. So start off by making that so, then installing my shell script.
sudo -i mkdir -p -m 755 /usr/local/src cd /usr/local/src git clone https://github.com/convissor/call_letsencrypt cd call_letsencrypt chmod 744 call_letsencrypt.sh # Edit the "email" variable in the script. # Use whatever editor you want. As you see, I use vim. vim call_letsencrypt.sh git commit -am 'My settings' cd /usr/local/sbin ln -s /usr/local/src/call_letsencrypt/call_letsencrypt.sh call_letsencrypt.sh
Next, ensure regular users can't get at the data, then install the Let's Encrypt scripts in /root
mkdir -m 700 /etc/letsencrypt cd git clone https://github.com/letsencrypt/letsencrypt
Execute my script for the core domain names and tighten up permissions some more.
call_letsencrypt.sh www.analysisandsolutions.com analysisandsolutions.com find /etc/letsencrypt -type d -exec chmod 700 {} \;
SSLCertificateFile /etc/letsencrypt/live/www.analysisandsolutions.com/cert.pem SSLCertificateChainFile /etc/letsencrypt/live/www.analysisandsolutions.com/chain.pem SSLCertificateKeyFile /etc/letsencrypt/live/www.analysisandsolutions.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/www.analysisandsolutions.com/cert.pem smtpd_tls_key_file = /etc/letsencrypt/live/www.analysisandsolutions.com/privkey.pem
ssl_cert = </etc/letsencrypt/live/www.analysisandsolutions.com/cert.pem ssl_key = </etc/letsencrypt/live/www.analysisandsolutions.com/privkey.pem
service apache2 reload service dovecot reload service postfix reload
Certificates from Let's Encrypt expire in 90 days. Renewing them is as easy as adding a cron job that gets called every other month. So call crontab -e and put the following in there.
5 4 3 */2 * /usr/local/sbin/call_letsencrypt.sh -adp www.analysisandsolutions.com analysisandsolutions.com
(I'll append it here when I get a chance.)