Let's Encrypt
This document contains notes on using Let's Encrypt to create an SSL certificate for a Raspberry Pi computer.
Following the instructions on the Let's Encrypt website to install certbot and python-certbot-apache failed with an error when running the certbot script: Illegal instruction. Searching the web suggests this is caused by a badly packaged version of a dependent library named augeas (an Illegal instruction fault generally means a binary was built for a CPU feature the Pi's ARM processor does not have).
Being already uncomfortable running the script as root, I decided to pursue the suggested alternative, letsencrypt-nosudo, which performs the ACME exchange without needing root.
Using letsencrypt-nosudo
Following the instructions at letsencrypt-nosudo I created the user.key (ACME account) and domain.key private keys along the way, and finally ended up creating a certificate chain as follows:
$ cat signed.crt lets-encrypt-x3-cross-signed.pem > chained.pem
The order matters: the server certificate comes first and the issuing intermediate after it. The intermediate must be the one that actually signed signed.crt; the X3 cross-signed intermediate used here has since been retired by Let's Encrypt, so check the issuer of your certificate rather than copying this file name.
Note: keep the private keys user.key and domain.key very private and safe. Also make a safe copy of signed.crt. You are likely to need them again in the future (user.key identifies your ACME account; domain.key is needed for renewal if you reuse the same CSR).
Apache
Copied domain.key and chained.pem to suitable folders under /etc, changing the ownership and permissions of domain.key so that it is not readable by ordinary users. Mode 640 with group root still lets members of the root group read it; use 600 if you want root alone. Apache on Debian reads the key as root at startup before dropping privileges to www-data, so the key must not be made readable by www-data.
$ sudo chown root:root /etc/ssl/private/domain.key
$ sudo chmod 640 /etc/ssl/private/domain.key
Modified the Apache SSL configuration file under /etc/apache2/sites-available to refer to the following files in the <VirtualHost> section, then checked the syntax with apachectl configtest before reloading Apache:
SSLCertificateFile /etc/apache2/ssl.crt/chained.pem
SSLCertificateKeyFile /etc/ssl/private/domain.key
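The following script is an added example, not from the original notes or from letsencrypt-nosudo. It builds chained.pem the way described above and checks it before anything is copied under /etc: that domain.key matches the first certificate in the bundle, that the certificate verifies through the intermediate that follows it, and that the files end up with the permissions used above. All key and certificate material is throwaway test data generated on the fly with openssl (a self-signed CA standing in for the Let's Encrypt intermediate); the paths and the name pi.example.test are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes or letsencrypt-nosudo): build
# chained.pem, check key/certificate/chain consistency, then stage the files
# with the permissions the notes use. All keys and certificates below are
# constructed throwaway test material, not real Let's Encrypt output.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for intermediate.pem, domain.key and signed.crt,
# plus an unrelated key so the mismatch check can be shown firing.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -keyout "$WORK/ca.key" -out "$WORK/intermediate.pem" \
      -subj "/CN=Constructed Test Intermediate" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
      -keyout "$WORK/domain.key" -out "$WORK/domain.csr" \
      -subj "/CN=pi.example.test" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/domain.csr" \
      -CA "$WORK/intermediate.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
      -out "$WORK/signed.crt" >/dev/null 2>&1
  openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
}

# The concatenation from the notes: server certificate first, issuer after.
# Apache treats the first certificate as the server certificate and sends
# the rest as the chain, so the order matters.
build_chain() {  # build_chain signed.crt intermediate.pem chained.pem
  cat "$1" "$2" > "$3"
}

# Split a PEM bundle into the first certificate and everything after it.
split_chain() {  # split_chain bundle.pem leaf.out rest.out
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1" > "$2"
  awk '/-----BEGIN CERTIFICATE-----/{n++} n>1'  "$1" > "$3"
}

# check_chain domain.key chained.pem [trust_anchor.pem]
# Returns 0 only if (a) the private key belongs to the first certificate in
# the bundle and (b) that certificate verifies through the rest of the bundle.
# Without a third argument the system CA store is used, which is what a real
# Let's Encrypt chain needs; the constructed CA below is passed explicitly
# because nothing trusts it.
check_chain() {
  split_chain "$2" "$WORK/leaf.pem" "$WORK/rest.pem"
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$WORK/leaf.pem" -pubkey -noout 2>/dev/null) || return 1
  [ "$key_pub" = "$cert_pub" ] || { echo "key does not match first certificate" >&2; return 1; }
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$3" -untrusted "$WORK/rest.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -untrusted "$WORK/rest.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  fi
}

# Stage the files with the modes from the notes (key not world-readable).
# Run with sudo when the destination is under /etc; add -o root -g root then.
install_for_apache() {  # install_for_apache domain.key chained.pem destdir
  mkdir -p "$3"
  install -m 640 "$1" "$3/domain.key"
  install -m 644 "$2" "$3/chained.pem"
}

make_test_material
build_chain "$WORK/signed.crt" "$WORK/intermediate.pem" "$WORK/chained.pem"
```

For a real chain, call check_chain with only the key and chained.pem so that the system CA store is consulted: the intermediate on its own is not a trust anchor, and a chain built with the wrong intermediate, or with the two files in the wrong order, fails the check.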
getssl
Another option is to use a third party ACME client such as getssl. This consists of a single shell script, so it has far fewer dependencies than the officially recommended certbot.
There are a number of ways in which this client can be used. It can be run on another machine (e.g. a desktop) and so potentially avoid being run as the root user entirely, copying the resulting files to the Pi over ssh. It also supports automatic renewal.
On a Debian system, install the dnsutils package to provide the required dig or nslookup commands.
Configure DOMAIN_PEM_LOCATION and DOMAIN_KEY_LOCATION in getssl to match the Apache SSLCertificateFile and SSLCertificateKeyFile entries respectively. Note that getssl's DOMAIN_PEM_LOCATION file also contains the private key (it is key, certificate and CA certificate concatenated), so it needs the same restrictive permissions as domain.key; DOMAIN_CHAIN_LOCATION writes certificate plus CA certificate without the key, which is the equivalent of chained.pem above.
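The following is an added example, not part of the original notes or of getssl itself: a constructed getssl domain config modelled on getssl's template, a constructed Apache site fragment, and a check that the two agree on where the certificate and key live, which is the step described above. The paths, the RELOAD_CMD and the name pi.example.test are assumptions; DOMAIN_CHAIN_LOCATION is used for the Apache certificate file because DOMAIN_PEM_LOCATION would also contain the private key.

```shell
#!/bin/sh
# Added example (not from the original notes or getssl): check that a getssl
# config and an Apache site agree on certificate and key locations. Both
# files are constructed here for illustration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed getssl.cfg for one domain (getssl sources this file with bash).
# DOMAIN_CHAIN_LOCATION = certificate + CA certificate, the chained.pem
# equivalent; DOMAIN_PEM_LOCATION would also include the private key and is
# deliberately not used for the Apache certificate file.
write_getssl_cfg() {  # write_getssl_cfg <path>
  cat > "$1" <<'EOF'
CA="https://acme-v02.api.letsencrypt.org"
ACL=('/var/www/html/.well-known/acme-challenge')
USE_SINGLE_ACL="true"
DOMAIN_CHAIN_LOCATION="/etc/apache2/ssl.crt/chained.pem"
DOMAIN_KEY_LOCATION="/etc/ssl/private/domain.key"
RELOAD_CMD="sudo apachectl configtest && sudo systemctl reload apache2"
EOF
}

# Constructed Apache site fragment; the key path is a parameter so a
# mismatching site can be produced for the negative case.
write_apache_site() {  # write_apache_site <path> <key path>
  cat > "$1" <<EOF
<VirtualHost *:443>
    ServerName pi.example.test
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/chained.pem
    SSLCertificateKeyFile $2
</VirtualHost>
EOF
}

# Value of a double-quoted VARIABLE="..." assignment in a getssl config.
getssl_value() {  # getssl_value <cfg> <VARIABLE>
  sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# Argument of the first occurrence of an Apache directive.
apache_value() {  # apache_value <site.conf> <Directive>
  awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Returns 0 only when getssl will write the files exactly where Apache reads
# them; otherwise reports each mismatch on stderr and returns 1.
check_locations() {  # check_locations <getssl.cfg> <site.conf>
  ok=0
  cert_cfg=$(getssl_value "$1" DOMAIN_CHAIN_LOCATION)
  key_cfg=$(getssl_value "$1" DOMAIN_KEY_LOCATION)
  cert_ap=$(apache_value "$2" SSLCertificateFile)
  key_ap=$(apache_value "$2" SSLCertificateKeyFile)
  [ -n "$cert_cfg" ] && [ "$cert_cfg" = "$cert_ap" ] \
    || { echo "certificate path mismatch: getssl '$cert_cfg' vs apache '$cert_ap'" >&2; ok=1; }
  [ -n "$key_cfg" ] && [ "$key_cfg" = "$key_ap" ] \
    || { echo "key path mismatch: getssl '$key_cfg' vs apache '$key_ap'" >&2; ok=1; }
  return $ok
}

write_getssl_cfg "$WORK/getssl.cfg"
write_apache_site "$WORK/good.conf" /etc/ssl/private/domain.key
write_apache_site "$WORK/bad.conf"  /etc/apache2/ssl.key/domain.key
```

Run check_locations against the real files (~/.getssl/<domain>/getssl.cfg and the site file under /etc/apache2/sites-available) after editing either one; a silent renewal that writes to a path Apache is not reading from is the usual way a certificate expires unnoticed.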
PostgreSQL
See Securing Postgres connections using Let's Encrypt certificates | Logan Marchione
Further Reading
References
- letsencrypt
- letsencrypt-nosudo
- getssl
- https://lordofthemoon.com/blog/2016/08/lets-encrypt-for-the-raspberry-pi-model-b/
- https://community.letsencrypt.org/t/certbot-on-raspbian-illegal-instruction/15813
- https://github.com/certbot/certbot/issues/2673
- https://www.ssllabs.com/
- https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
- https://blog.qualys.com/ssllabs/2013/06/25/ssl-labs-deploying-forward-secrecy
- https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
- http://stackoverflow.com/questions/17308690/how-do-i-enable-perfect-forward-secrecy-by-default-on-apache
Related Topics: ApacheHints, RaspberryPi