How to auto-renew a free “Let’s Encrypt” certificate past the 90-day limit.

In the previous post I recommended that non-critical web services start using free certificates from “Let’s Encrypt”.

Many people refuse to use this kind of certificate, thinking that it’s not good enough and, moreover, that it is valid for only 3 months, so it would be annoying to renew it manually every 3 months and not forget about it. As for “not good enough”: even if you don’t trust free SSL certificates for web server authentication, it’s always better to have SSL enabled than to go without it, since at least the channel will be encrypted. (Free self-signed certificates can also encrypt the connection between the end user’s browser and the web server, but unlike them, free SSL certificates from “Let’s Encrypt” cause no error in browsers.)

I want to reassure you that certbot has a built-in command to renew automatically. The only prerequisite is to use the ACME client certbot. If you used the ZeroSSL website to generate the private key, CSR, certificates and so on, then even with certbot installed the command will not find those files. Therefore:

  1. install certbot (or try to find another ACME client; if you need an SSL certificate for Windows, I recommend following this link)
  2. certbot --apache certonly (let’s assume that we use apache2; it is better to change the Apache configuration manually). It will generate the key, certificate and other files in /etc/letsencrypt/
  3. change your apache2 configuration (for example, on Debian 8.7, /etc/apache2/sites-available/default-ssl.conf):
    • SSLCertificateKeyFile /etc/letsencrypt/live/[yourdomain]/privkey.pem
    • SSLCertificateFile /etc/letsencrypt/live/[yourdomain]/fullchain.pem
    • if default-ssl.conf previously contained the row “SSLCertificateChainFile: file ‘/etc/ssl/ssl.crt/[yourdomain].ca-bundle’ ”, remove it now.
  4. service apache2 restart
  5. add a line with crontab -e:
    • @monthly certbot renew
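
An added example (not from the original post): a simulation of the cron schedule from step 5, showing how long a site could serve an expired certificate when the issue date is unlucky or one renewal attempt fails. It assumes certbot's default of renewing only certificates within 30 days of expiry; the function names and issue dates are constructed for illustration.

```python
from datetime import datetime, timedelta

LIFETIME = timedelta(days=90)      # certificate lifetime stated on the page
RENEW_BEFORE = timedelta(days=30)  # assumption: certbot renews only in the last 30 days


def monthly(start, end):
    """Times cron fires for @monthly: 00:00 on the 1st of every month."""
    y, m = start.year, start.month
    runs = []
    while datetime(y, m, 1) <= end:
        if datetime(y, m, 1) >= start:
            runs.append(datetime(y, m, 1))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return runs


def daily(start, end):
    """Times cron fires for @daily: 00:00 every day."""
    first = datetime(start.year, start.month, start.day) + timedelta(days=1)
    return [first + timedelta(days=i) for i in range((end - first).days + 1)]


def expired_time(issued, runs, fail_first=False):
    """Total time an expired certificate is served; `runs` are `certbot renew` start times."""
    expiry, total = issued + LIFETIME, timedelta(0)
    for run in runs:
        if run < expiry - RENEW_BEFORE:
            continue                  # not due yet: the certificate is left alone
        if fail_first:
            fail_first = False        # model one failed attempt; next retry is the next run
            continue
        if run > expiry:
            total += run - expiry     # the certificate was expired until this run
        expiry = run + LIFETIME       # fresh 90-day certificate
    return total


if __name__ == "__main__":
    end = datetime(2018, 3, 1)
    unlucky = datetime(2017, 10, 2, 12)  # constructed: window opens just after a cron run
    typical = datetime(2017, 10, 3, 12)  # constructed: renewed 12 hours before expiry
    print("monthly, unlucky date:", expired_time(unlucky, monthly(unlucky, end)))
    print("monthly, one failure :", expired_time(typical, monthly(typical, end), True))
    print("daily, one failure   :", expired_time(typical, daily(typical, end), True))
```

Under these assumptions the monthly schedule leaves a 12-hour expired window for the unlucky date and more than 30 days after a single failed attempt, while a daily run absorbs both cases.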

As I understand it, the ACME client uses the input data (domain names) to validate the server. There is no need to create any TXT or other records to validate the domain; instead, “Let’s Encrypt” accesses through HTTPS a file on the web server signed by the ACME client. If the “Let’s Encrypt” server can access this temporary file and check the signature and the expected content, that is considered validation of the entered domains, so the ACME client should be on the same Apache server.

Again, about using SSL for web server authentication. As you can see from the validation process, it’s very important to protect access to the management of your own DNS records. If anyone gains access to your DNS server, they will have no problem creating a fake SSL certificate for your domain and web servers and then putting the DNS records back. That’s why I’m so concerned that there is no SSL support for the management console of the Mongolian DNS registrar. Another expected feature would be a log of changes in the DNS zone (any unauthorized change should be immediately visible). As for the Datacom DNS registrar: enable at least 2SV (two-step verification), which recently became available for Datacom. (Although, unlike real 2FA, two-step verification through SMS messages has theoretically and practically become vulnerable through the SS7 vulnerability.) By the way, for LinkedIn it is also time to switch from 2SV to 2FA (OTP codes are generated locally on the mobile device, for example in Google Authenticator, do not leave the device, and cannot be intercepted).