Let's Encrypt

From Roaring Penguin
Revision as of 14:06, 11 September 2017 by JohnMertz (talk | contribs)


It is highly recommended that any public-facing CanIt web server should have HTTPS enabled to encrypt web sessions. This is enabled by default on Hosted CanIt.

For on-site users who do not currently have their own SSL certificates, there is an Electronic Frontier Foundation (EFF) project called Let's Encrypt which issues certificates for free. This article discusses the process in the context of a CanIt appliance.

The certificate will be created using the EFF's `certbot`. This script automatically discovers your configuration and does most of the heavy lifting once you have answered a couple of questions. However, it requires dependencies that are not included in Roaring Penguin's repositories; our article Install Non-RP Packages explains how to enable the generic Debian repositories.

Certbot will automatically install the required packages for you, so you only need to follow the linked instructions as far as the first `apt-get update`. Once that command has been run, Certbot should be able to find all of the packages it needs in the next section.

Getting Certbot

Regardless of which Debian version you are running, you can find the instructions on the EFF's installation page by selecting "Apache" as the software and then your version name.

If you don't know which version of Debian you are running, you can find out by following the instructions discussed in our article on Debian Versions. Here are some notes on each version.

Debian Squeeze and Earlier

Certbot will not work on systems older than Wheezy. You should read our article detailing [Debian Upgrades] to move to a version that does support this. Squeeze is no longer supported by Debian.

Debian Wheezy

Certbot is not included in the repositories for Wheezy (neither ours nor the generic ones). As a result, the instructions will tell you to `wget` the script directly from the EFF's website. The script keeps itself up to date, so this is essentially no different from how it is handled in later versions.

Debian Jessie

Certbot is available for Jessie only as a 'backport'. This means that it has been pulled from a newer version of Debian because it became available after Jessie became the Stable release.

In order to install on Jessie, you will need to edit the /etc/apt/sources.list file, as discussed in the Prerequisites section, to include an extra line for the 'main' component of the 'jessie-backports' repository, for example:

   deb http://http.us.debian.org/debian/ jessie-backports main

You can use a different mirror URL if you prefer.

After having done that, you will need to run:

   apt-get update

again so that the package manager actually becomes aware of the new source.

Debian Stretch and Later

Certbot was added to the main Debian repositories in Stretch, so no special steps are necessary beyond enabling the generic repositories. The EFF's instructions will tell you to install directly from them.

Post Installation

Having followed the Certbot instructions, you should now have an installed certificate. If you navigate to your web portal using the 'https' protocol, you should not receive any certificate errors.

If this is the case, you can now do two important things:

Disable the Non-RP Repositories

Edit the /etc/apt/sources.list file to disable the generic repositories, as discussed in the Install Non-RP Packages article. Failing to do so could break essential CanIt packages the next time your system is updated. The simplest way to do this is to comment out the additional line by adding a "#" to the start of it. Then be sure to run:

   apt-get update

again. The CanIt upgrade script will do this anyway, but it is best to be safe and avoid the possibility of someone running an upgrade with the generic `apt-get upgrade` command (which is another way to break CanIt on its own).
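The Jessie backports step above and this "disable the generic repositories afterwards" step both come down to toggling one line in /etc/apt/sources.list, and the risk the page warns about is forgetting the second half. The helper below is an added example, not from the Roaring Penguin wiki or from certbot: it enables the backports line only if it is absent, comments it out again when you are done, and wraps the whole install in one function so the repository is never left active. The package name `python-certbot-apache` and the `install_certbot_jessie` sequence are assumptions; take the actual install command from the EFF's page for your Debian version.

```shell
#!/bin/sh
# Added example (not from the Roaring Penguin wiki): enable the
# jessie-backports repository only for the duration of the certbot
# install, then comment it out again so generic packages cannot be
# pulled in by a later "apt-get upgrade". The mirror is the one the
# article shows; change it if you use a different mirror.
BACKPORTS_LINE='deb http://http.us.debian.org/debian/ jessie-backports main'

# enable_backports FILE: make sure one active copy of the line exists.
# Re-running it never adds a duplicate.
enable_backports() {
    f="$1"
    # An active (uncommented) copy already exists: nothing to do.
    if grep -qxF "$BACKPORTS_LINE" "$f"; then
        return 0
    fi
    # A commented-out copy from an earlier run exists: uncomment it.
    if grep -qxF "# $BACKPORTS_LINE" "$f"; then
        sed -i "s|^# $BACKPORTS_LINE\$|$BACKPORTS_LINE|" "$f"
        return 0
    fi
    printf '%s\n' "$BACKPORTS_LINE" >> "$f"
}

# disable_backports FILE: comment out every active copy of the line,
# which is the step the article says must follow the install.
disable_backports() {
    sed -i "s|^$BACKPORTS_LINE\$|# $BACKPORTS_LINE|" "$1"
}

# count_active FILE: print how many active copies of the line FILE has
# (0 is the state you want after the install is finished).
count_active() {
    grep -cxF "$BACKPORTS_LINE" "$1" || true
}

# install_certbot_jessie: the full flow for a Jessie box, run as root.
# Package name is an assumption; check the EFF instructions.
# Usage: sudo sh -c '. ./backports.sh; install_certbot_jessie'
install_certbot_jessie() {
    f=/etc/apt/sources.list
    enable_backports "$f"
    apt-get update
    apt-get install -t jessie-backports python-certbot-apache
    certbot --apache
    disable_backports "$f"
    apt-get update
}
```

The functions take the sources file as an argument rather than hard-coding /etc/apt/sources.list, so you can try them on a copy first; `count_active` is the quick check that the repository really is off again before the next CanIt upgrade.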

Force all connections to HTTPS

See our article How To/HTTP to HTTPS redirect for instructions on rewriting unencrypted connections to encrypted ones.

Multiple Web Servers

SSL certificates are tied to the hostname of the machine.

Let's Encrypt certificates have a short expiry period compared to commercially available certificates.
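Because Let's Encrypt certificates expire quickly, the post-installation check (open the portal over HTTPS and get no errors) is worth scripting so a failed renewal is noticed before users see a warning. The helpers below are an added example, not from the Roaring Penguin wiki or from certbot; they use the `openssl` command-line tool, and the host name passed to `renewal_check` is an assumption (your own CanIt portal's name).

```shell
#!/bin/sh
# Added example (not from the Roaring Penguin wiki or certbot): check
# the certificate a CanIt web portal actually serves and how long it
# has left. Requires the openssl command-line tool.

# fetch_site_cert HOST OUTFILE: save the leaf certificate HOST serves on
# port 443 (with SNI, so virtual hosts get the right one) as PEM.
fetch_site_cert() {
    host="$1"; out="$2"
    openssl s_client -servername "$host" -connect "$host:443" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM > "$out"
}

# verify_site_chain HOST: handshake with HOST and verify the served chain
# against the system CA store; returns 0 only when verification passes,
# which is the same condition a browser applies before showing no error.
verify_site_chain() {
    host="$1"
    openssl s_client -servername "$host" -connect "$host:443" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# cert_enddate PEMFILE: print the certificate's notAfter date.
cert_enddate() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# cert_expires_within PEMFILE SECONDS: return 0 if the certificate
# expires within SECONDS from now, 1 if it is still valid beyond that.
cert_expires_within() {
    if openssl x509 -noout -in "$1" -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renewal_check HOST: the check a cron job could run. A leaf certificate
# with under 30 days left means the renewal job is not doing its work.
# Exit status: 0 fine, 1 expiring soon, 2 could not fetch.
renewal_check() {
    host="$1"
    tmp=$(mktemp)
    if ! fetch_site_cert "$host" "$tmp"; then
        rm -f "$tmp"
        echo "could not fetch certificate from $host"
        return 2
    fi
    if cert_expires_within "$tmp" $((30 * 86400)); then
        echo "WARNING: $host certificate expires on $(cert_enddate "$tmp")"
        rm -f "$tmp"
        return 1
    fi
    echo "OK: $host certificate valid until $(cert_enddate "$tmp")"
    rm -f "$tmp"
    return 0
}
```

`verify_site_chain` answers the "no errors in the browser" question from the command line, while `renewal_check` answers the question the short expiry period raises: the certificate was fine on install day, is it still fine now? Both are functions, so they can be sourced from a cron script; the test below exercises the expiry logic on a throwaway self-signed certificate generated locally.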