Let's Encrypt

From Roaring Penguin

Latest revision as of 10:57, 20 July 2018

It is highly recommended that any public-facing CanIt web server should have HTTPS enabled to encrypt web sessions. This is enabled by default on Hosted CanIt.

For on-site users who do not currently have their own SSL certificates, there is an Electronic Frontier Foundation (EFF) project called Let's Encrypt which allows them to be generated for free. This article discusses this process in the context of a CanIt appliance.

Prerequisites

The certificate will be created using the EFF's `certbot`. This is a script which will automatically discover your configuration and do most of the heavy lifting given the answers to a couple of questions. However, this script requires dependencies which are not included in Roaring Penguin's repositories. We have another article telling you how to Install Non-RP Packages.

Certbot will automatically install the required packages for you, so you only need to follow the instructions linked up to the first `apt-get update`. Once that command has been run, Certbot should be able to find all of the packages it needs in the next section.

Getting Certbot

Regardless of which Debian version you are running, you can find the instructions on the EFF's installation page by selecting "Apache" as the software and then your Debian version name.

If you don't know which version of Debian you are running, you can find out by following the instructions discussed in our article on Debian Versions. Here are some notes on each version.

Debian Squeeze and Earlier

Certbot will not work on systems older than Wheezy. You should read our article detailing Debian Upgrades to move to a version that does support this. Squeeze is no longer supported by Debian.

Debian Wheezy

Certbot is not included in the repositories for Wheezy (neither ours nor the generic ones). As a result, the instructions will tell you to `wget` the script directly from the EFF's website. The script keeps itself up to date, so this is essentially no different from how it is handled in later versions.

Debian Jessie

Certbot is included as a 'backport' only for Jessie. This means that it has been pulled from a newer version of Debian because it became available after Jessie became the Stable release.

To install on Jessie, you will need to edit the /etc/apt/sources.list file, as discussed in the Prerequisites section, to include an extra line for the 'main' component of the 'jessie-backports' repository, like:

   deb http://http.us.debian.org/debian/ jessie-backports main

You can use a different URL (mirror) if you prefer.

After having done that, you will need to run:

   apt-get update

again to actually make the package manager aware of the new source.

Debian Stretch and Later

Certbot was added to the main Debian repositories in Debian Stretch, so no special steps are necessary beyond enabling the generic repositories. You will be instructed to install directly from this repository.

Post Installation

Having followed the Certbot instructions, you should now have an installed certificate. If you navigate to your web portal using the 'https' protocol, you should not receive any errors.

If this is the case, you can now do two important things:

Disable the Non-RP Repositories

Edit the /etc/apt/sources.list file to disable the generic repositories as discussed in the Install Non-RP Packages wiki article. Failing to do so could break essential CanIt packages the next time your system is updated. The simplest way to do this is to comment out the additional line by adding a "#" to the start of the line. Then be sure to run:

   apt-get update

again. The CanIt upgrade script will do this anyway, but it is best to be safe and avoid the possibility of someone running an upgrade with the generic `apt-get upgrade` command (which is another way to break CanIt on its own).
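Both the Jessie step above (adding the jessie-backports line before installing Certbot) and this step (commenting the generic line out again afterwards) are edits to /etc/apt/sources.list that are easy to get wrong by hand, for example by adding the line a second time or forgetting which copy was the original. The following POSIX shell functions are an added example and not a script from this wiki or from Roaring Penguin; they assume only awk, that the line is written exactly as it appears in the file, and that the repository line in the usage comment is the one shown above.

```shell
#!/bin/sh
# Added example (not from the wiki or Roaring Penguin): enable, disable and
# inspect one `deb` line in an apt sources file without duplicating it.
# A line is "disabled" when it is present but commented out with a leading '#'.

# source_state FILE LINE -> prints "enabled", "disabled" or "absent"
source_state() {
    awk -v want="$2" '
        $0 == want { state = "enabled"; exit }
        { bare = $0; sub(/^[ \t]*#+[ \t]*/, "", bare) }
        bare == want { state = "disabled" }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# enable_source FILE LINE -> uncomments LINE if it is commented out,
# appends it if it is missing, and leaves an already active line alone.
enable_source() {
    out="$1.tmp"
    awk -v want="$2" '
        { bare = $0; sub(/^[ \t]*#+[ \t]*/, "", bare) }
        bare == want { print want; found = 1; next }
        { print }
        END { if (!found) print want }
    ' "$1" > "$out" && mv "$out" "$1"
}

# disable_source FILE LINE -> comments out every active copy of LINE
disable_source() {
    out="$1.tmp"
    awk -v want="$2" '
        $0 == want { print "#" $0; next }
        { print }
    ' "$1" > "$out" && mv "$out" "$1"
}

# Usage on the appliance (as root), followed by `apt-get update` as the article says:
#   enable_source  /etc/apt/sources.list 'deb http://http.us.debian.org/debian/ jessie-backports main'
#   disable_source /etc/apt/sources.list 'deb http://http.us.debian.org/debian/ jessie-backports main'
```

Because the file is rewritten via a temporary copy and `mv`, the new sources.list gets the mode your umask gives it, so run the functions as root and check `source_state` afterwards rather than trusting the edit blindly; apt only reads sources.list and sources.list.d/*.list, so the transient .tmp file is never picked up.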

Force all connections to HTTPS

See our article How To/HTTP to HTTPS redirect for instructions on rewriting unencrypted connections to encrypted ones.

Multiple Web Servers

SSL certificates are tied to the hostname of the machine. If you have multiple public-facing web hosts with unique hostnames they will each need separate certificates generated. The Let's Encrypt project has announced that they will be introducing wildcard certificates at the start of 2018, but it is unclear if Certbot will automatically update to support this for older versions of Debian (including Stretch) given that it may require dependency changes.

If you have multiple hosts which are load-balanced behind a NAT, you should be able to copy the same cert to each node.

Often only one machine in a CanIt cluster will serve as the web server, so the others do not need to be set up at all. This is even the case with large installations such as Hosted CanIt, although there we do have failover web servers ready to take over. The self-signed keys already installed on CanIt appliances will work fine for TLS-encrypted mail, so you do not need to set up Let's Encrypt on scanner-only nodes.

Notes

Let's Encrypt certificates have a short expiry period compared to commercially available certificates. As mentioned above, Let's Encrypt also does not currently support wildcard certificates.
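Two points on this page lend themselves to a scripted check: confirming that a host actually serves the certificate you installed (the Post Installation check, and the load-balanced nodes in Multiple Web Servers, which should all present the same certificate), and keeping an eye on the short expiry period noted here so that a stalled automatic renewal is noticed before the certificate lapses. The following POSIX shell script is an added example and is not part of the wiki article or of Certbot; it assumes GNU `date` (for `-d`) and the `openssl` command-line tool, and the host name in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the Roaring Penguin wiki article: report how many
# days remain on a certificate and flag it for renewal when it drops below a
# threshold. The host name in the usage comment is a constructed placeholder.

# days_remaining NOW_EPOCH NOTAFTER
# NOW_EPOCH is a Unix timestamp; NOTAFTER is the date text printed by
# `openssl x509 -enddate -noout` with the "notAfter=" prefix removed,
# e.g. "Jan  1 00:00:00 2030 GMT". Prints whole days remaining, which goes
# negative once the certificate has been expired for a full day. Relies on
# GNU date's -d parsing.
days_remaining() {
    end_epoch=$(date -u -d "$2" +%s) || return 1
    echo $(( (end_epoch - $1) / 86400 ))
}

# expiry_status DAYS THRESHOLD -> prints "EXPIRED" when DAYS is negative,
# "RENEW" when DAYS < THRESHOLD, otherwise "OK".
expiry_status() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt "$2" ]; then echo RENEW
    else echo OK; fi
}

# notafter_of PEM -> the notAfter date text of the certificate in PEM
notafter_of() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# served_cert HOST -> PEM of the certificate HOST presents on port 443 (with SNI)
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# sha256_fingerprint PEM -> fingerprint, for comparing what each node serves
sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_host HOST THRESHOLD -> one report line: host, days left, status, fingerprint
check_host() {
    pem=$(mktemp) || return 1
    served_cert "$1" > "$pem"
    days=$(days_remaining "$(date -u +%s)" "$(notafter_of "$pem")")
    echo "$1 $days $(expiry_status "$days" "$2") $(sha256_fingerprint "$pem")"
    rm -f "$pem"
}

# Usage from cron on a monitoring host (constructed host name):
#   check_host canit.example.invalid 14
# Run it once per public-facing host; identical fingerprints across
# load-balanced nodes confirm the copied certificate is the one being served,
# and a RENEW or EXPIRED status means the renewal needs attention.
```

The threshold is deliberately a parameter: pick a value comfortably larger than the interval at which your renewal job runs, so that one missed run still produces a warning while the certificate is valid.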

It is widely accepted as a legitimate certificate authority, but given its free cost and low barrier to entry, the trust placed in a Let's Encrypt certificate is not necessarily going to be on par with commercial certificates either.

If you already pay for SSL certificates through a commercial vendor, it may be more convenient to install an existing wildcard certificate or get a specific certificate for the CanIt appliance(s) from that vendor.