Let's Automate Let's Encrypt

HTTPS is a small island of security in this insecure world, and in this day and age, there is absolutely no reason not to have it on every Web site you host. Up until last year, there was just a single last excuse: purchasing certificates was kind of pricey. That probably was not a big deal for enterprises; however, if you routinely host a dozen Web sites, each with multiple subdomains, and have to pay for each certificate out of your own dear pocket—well, that quickly could become a burden.

Now you have no more excuses. Enter Let's Encrypt, a free Certificate Authority that officially left beta status in April 2016.

Aside from being totally free, there is another special thing about Let's Encrypt certificates: they don't last long. Currently all certificates issued by Let's Encrypt are valid for only 90 days, and you should expect that someday this term will become even shorter. Although this short lifespan definitely creates a much higher level of security, many people consider it as an inconvenience, and I've seen people going back from using Let's Encrypt to buying certificates from commercial certificate authorities for this very reason.

Of course, if you are running multiple Web sites, having to renew several certificates manually every three months quickly could become annoying to say the least. Some day you even may forget (and you will regret that forgetfulness). Let's leave routines to computers, right?

If you are using Apache under a Debian-based distribution, Let's Encrypt already has you covered with the libaugeas0 package, and it is capable of both issuing and renewing certificates. If, like me, you prefer nginx and want to have zero-downtime automatic certificate updates with industrial-grade encryption, keep reading. I'm going to show you how to get there.

First things first—some assumptions and requirements:

  1. You are running the nginx Web server/load balancer, and you are going to use it for TLS termination (that's a fancy, but technically correct way of saying "nginx will handle all this HTTPS stuff").

  2. nginx serves several Web sites, and you want HTTPS on all of them, and you are not going to pay a single dime.

  3. You also want to get the highest grade on the industry standard for SSL tests—SSL Labs' SSL Server Test.

  4. You do not enjoy the idea of running some not-so-well-sandboxed third-party code on your server, and you would rather have this code in a Docker container.

  5. Naturally, you are lazy (or experienced) enough, so you want to write some scripts that will re-issue all certificates way before they expire.

  6. I tested this code on Debian Jessie running nginx 1.6.2 and Docker 1.9.1; it also should work on all other flavors. If you do not have docker-engine installed, follow the instructions here.
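
The renewal check behind item 5, as an added example that is not part of the original article: a POSIX shell function that lists the sites whose certificate expires within a chosen window, so a cron job can re-issue them well before the 90 days run out. It assumes one directory per site under /etc/letsencrypt, each holding a cert.pem (an assumed layout, not one the article states), and the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the article. Assumed layout: <root>/<site>/cert.pem
# for every site nginx serves, e.g. /etc/letsencrypt/www.example.org/cert.pem.
# Requires the openssl CLI.

# expiring_sites ROOT DAYS
#   Prints, one per line, the site names whose cert.pem expires within DAYS.
#   Returns 1 when at least one site is due, 0 otherwise, so a renewal
#   script can use it as a condition.
expiring_sites() {
    root=$1
    window_days=$2
    window_secs=$((window_days * 86400))
    due=0
    for cert in "$root"/*/cert.pem; do
        [ -f "$cert" ] || continue
        site=$(basename "$(dirname "$cert")")
        # `openssl x509 -checkend N` exits non-zero when the certificate
        # will have expired N seconds from now (or has expired already).
        if ! openssl x509 -in "$cert" -noout -checkend "$window_secs" >/dev/null 2>&1; then
            echo "$site"
            due=1
        fi
    done
    return $due
}

# Stand-alone usage: `sh check-certs.sh /etc/letsencrypt 30`
# (Let's Encrypt certificates live 90 days; a 30-day window leaves
# plenty of margin for retries if an issuance fails.)
if [ -n "${1:-}" ]; then
    expiring_sites "$1" "${2:-30}"
fi
```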

Now, check whether your nginx supports TLS:

sudo nginx -V

Usually it is supported by default, and the output should include the following line:

TLS SNI support enabled

You also need a place to store certificates:

sudo mkdir -m 755 /etc/letsencrypt

______________________

Andrei Lukovenko is a longtime Linux user, command-line fanboy, automation aficionado.