Letsencrypt SSL Certs

From Sea of Fate

Introduction

We chose to use Let's Encrypt SSL certificates in addition to the Cloudflare origin certs because we occasionally need to serve SSL websites and services directly, and while the Cloudflare origin certs work well and are easy to set up, they are not publicly recognised (browsers do not trust them). To set up the ACME Let's Encrypt service (specifically using acme.sh) on Raisin with Cloudflare DNS, we want a wildcard cert so that we don't have to keep adding to a growing list of domain names.


Installation

This section sets up the certbot Let's Encrypt client on the reverse proxy, Raisin, with Cloudflare DNS. Since we are using a wildcard, the DNS-01 challenge is the only way to go, and using the Cloudflare API makes it completely automated. We chose Raisin for the cert download because that is where the certs will nearly always be used: it is the host that pfSense directs all HTTPS traffic to.

Install certbot

This setup gets us wildcard certificates without needing a web server reachable from the internet, which keeps our exposure small.

🏛️ Phase 1: Clean Up & Core Install

Ubuntu 24.04 (Noble) likes its packages to be "clean": mixing apt and snap is the most common way to break SSL renewals. Purge any old apt version first:

sudo apt-get remove certbot

Install the snap core (the "engine" for snaps):

sudo snap install core; sudo snap refresh core

Create the symlink, so that when we type certbot the system actually finds the snap version (this presumes the certbot snap itself has been installed, which the official instructions do with sudo snap install --classic certbot):

sudo ln -s /snap/bin/certbot /usr/bin/certbot

🔑 Phase 2: Cloudflare API Token

To get the Cloudflare API token we need to head into the Cloudflare dashboard. Since we have both .net and .uk domains, we could handle them with a single command or with separate ones, depending on whether we want one "combined" certificate or two distinct ones. In our case we will create two separate tokens.

  • Log in to your Cloudflare Dashboard.
  • Click on the User Profile icon (top right) and select My Profile.
  • Click API Tokens in the left sidebar.
  • Click Create Token.
  • Find the template "Edit zone DNS" and click Use template.
  • Permissions: Ensure it says Zone - DNS - Edit (and optionally Zone - Zone - Read).
  • Zone Resources:
    • If you want one token for both domains, select Include - All zones.
    • If you want to be extra secure, select Include - Specific zone and add both seaoffate.net and seaoffate.uk.
  • Click Continue to summary and then Create Token.
  • Copy the token immediately! Cloudflare won't show it to you again.

🔑 Phase 3: The Cloudflare Plugin & Secret

Since we want *.seaoffate.net and *.seaoffate.uk, Certbot needs to "talk" to Cloudflare to create a temporary TXT record (the DNS-01 challenge). We have two choices here, based on the cloudflare_net.ini and cloudflare_uk.ini setup. If we had wanted a single certificate covering both domains (ideal for a single load balancer like Raisin), we could have used just one .ini file, as long as the API token inside has permission for both zones. However, we prefer to keep them separate, so we run the command twice and have two separate files. Certbot is smart enough to create two separate renewal profiles in /etc/letsencrypt/renewal/.

Authorize the plugin (snap plugins must be explicitly allowed to run with certbot's root privileges):

sudo snap set certbot trust-plugin-with-root=ok

Install the Cloudflare DNS plugin:

sudo snap install certbot-dns-cloudflare

Create the credentials file. It's best practice to keep this under the /etc/letsencrypt directory; note we also have a cert for the .uk domain, so there will be two files:

sudo mkdir -p /etc/letsencrypt/cloudflare
sudo nano /etc/letsencrypt/cloudflare/cloudflare_net.ini

Add your API token. Note: use a token, not your Global API Key; it only needs "Zone:DNS:Edit" permissions. We repeat this step for the .uk token.

dns_cloudflare_api_token = 0123456789abcdefyourtokenhere

Then the same for the .uk token:

sudo nano /etc/letsencrypt/cloudflare/cloudflare_uk.ini

and paste the token for the .uk domain:

dns_cloudflare_api_token = 0123456789abcdefyourtokenhere

Lock down the files (safety first!):

sudo chmod 600 /etc/letsencrypt/cloudflare/cloudflare_net.ini
sudo chmod 600 /etc/letsencrypt/cloudflare/cloudflare_uk.ini
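The token advice from the Cloudflare API Token section (a scoped Zone:DNS:Edit token, never the Global API Key) and the chmod 600 step above can both be checked mechanically before the files are trusted for renewals. The script below is an added example and is not part of the wiki page or of certbot. It assumes GNU coreutils stat (as on Ubuntu 24.04), the key names the certbot-dns-cloudflare plugin reads (dns_cloudflare_api_token for a scoped token, and the dns_cloudflare_email / dns_cloudflare_api_key pair for the Global API Key we want to avoid), and Cloudflare's token verification endpoint /client/v4/user/tokens/verify for the optional online check. The placeholder value from the page is treated as a failure so that a half-finished file cannot pass.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit certbot-dns-cloudflare
# credentials files before relying on them for automated renewals.
# Assumptions: GNU coreutils `stat`; plugin key names dns_cloudflare_api_token
# (scoped token) and dns_cloudflare_email / dns_cloudflare_api_key (Global
# API Key); Cloudflare endpoint GET /client/v4/user/tokens/verify.

# read_cf_token FILE: print the dns_cloudflare_api_token value, whitespace stripped.
read_cf_token() {
    sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr -d '[:space:]'
}

# check_cf_credentials FILE
# Returns 0 only when FILE is mode 600, holds exactly one
# dns_cloudflare_api_token line with a real (non-placeholder) value, and
# does not fall back to the Global API Key pair.
check_cf_credentials() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$file")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $file is mode $mode, expected 600" >&2
        return 1
    fi
    # The Global API Key grants full account access, so a leaked ini file
    # would expose far more than DNS records for two zones.
    if grep -Eq '^[[:space:]]*dns_cloudflare_(email|api_key)[[:space:]]*=' "$file"; then
        echo "FAIL: $file uses the Global API Key; use a scoped token" >&2
        return 1
    fi
    tokens=$(grep -Ec '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=' "$file")
    if [ "$tokens" -ne 1 ]; then
        echo "FAIL: $file has $tokens dns_cloudflare_api_token lines, expected 1" >&2
        return 1
    fi
    token=$(read_cf_token "$file")
    case "$token" in
        ""|*yourtokenhere*)
            echo "FAIL: $file still holds the placeholder token from the wiki" >&2
            return 1 ;;
    esac
    echo "OK: $file"
    return 0
}

# verify_cf_token FILE (needs network): ask Cloudflare whether the token in
# FILE is active. Prints the JSON reply; returns non-zero on an HTTP error.
verify_cf_token() {
    curl -fsS -H "Authorization: Bearer $(read_cf_token "$1")" \
        https://api.cloudflare.com/client/v4/user/tokens/verify
}

# Stand-alone use: sh check_cf_creds.sh /etc/letsencrypt/cloudflare/*.ini
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do
        check_cf_credentials "$f" || rc=1
    done
    exit "$rc"
fi
```

Run it as root against both ini files; a non-zero exit means one of the files is either world-readable, still carries the placeholder, or is silently using the Global API Key. The online verify_cf_token call is separate on purpose so the file audit works without network access.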

🚀 Phase 4: Getting the First Certificate

Now we run the big command. This generates the cert and registers the deploy hook (so Nginx reloads itself every 60 days, when certbot renews). We have chosen to keep the two separate files, so we run the command twice. Certbot is smart enough to create two separate renewal profiles in /etc/letsencrypt/renewal/.

sudo certbot certonly --dns-cloudflare \
 --dns-cloudflare-credentials /etc/letsencrypt/cloudflare/cloudflare_net.ini \
 --dns-cloudflare-propagation-seconds 60 \
 --deploy-hook "systemctl reload nginx" \
 --cert-name seaoffate.net \
 -d seaoffate.net -d "*.seaoffate.net"

sudo certbot certonly --dns-cloudflare \
 --dns-cloudflare-credentials /etc/letsencrypt/cloudflare/cloudflare_uk.ini \
 --dns-cloudflare-propagation-seconds 60 \
 --deploy-hook "systemctl reload nginx" \
 --cert-name seaoffate.uk \
 -d seaoffate.uk -d "*.seaoffate.uk"
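Once both runs complete, what matters in 60 days is the renewal profile certbot saved, not the command line we typed. The audit below is an added example, not from the wiki page or from certbot. It assumes the keys certbot writes into /etc/letsencrypt/renewal/<cert-name>.conf for this setup (authenticator, dns_cloudflare_credentials, dns_cloudflare_propagation_seconds, and renew_hook, which is how --deploy-hook is recorded), GNU coreutils stat, and a 30 second propagation floor of my own choosing. Run it against both profiles, then finish with sudo certbot renew --dry-run, which exercises the DNS-01 challenge against the staging environment without issuing a real certificate (deploy hooks are not run by default on a dry run).

```shell
#!/bin/sh
# Added example, not from the wiki page: audit a certbot renewal profile so
# that the unattended renewal uses the DNS-01 plugin, a locked-down
# credentials file, a sane propagation wait and the nginx reload hook.
# Assumptions: GNU coreutils `stat`; renewal-conf key names as certbot
# writes them (authenticator, dns_cloudflare_credentials,
# dns_cloudflare_propagation_seconds, renew_hook); 30 s floor is my choice.

# ini_get FILE KEY: print the value of the first "KEY = value" line, trimmed.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_renewal_profile CONF
# Returns 0 when CONF renews via dns-cloudflare, points at an existing
# mode-600 credentials file, waits for propagation and reloads nginx.
check_renewal_profile() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf missing" >&2
        return 1
    fi
    auth=$(ini_get "$conf" authenticator)
    if [ "$auth" != "dns-cloudflare" ]; then
        echo "FAIL: authenticator is '$auth', expected dns-cloudflare" >&2
        return 1
    fi
    creds=$(ini_get "$conf" dns_cloudflare_credentials)
    if [ ! -f "$creds" ]; then
        echo "FAIL: credentials file '$creds' not found" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$creds")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $creds is mode $mode, expected 600" >&2
        return 1
    fi
    prop=$(ini_get "$conf" dns_cloudflare_propagation_seconds)
    if [ -z "$prop" ] || [ "$prop" -lt 30 ]; then
        echo "FAIL: propagation wait is '${prop:-unset}', give Cloudflare at least 30s" >&2
        return 1
    fi
    # Without the hook nginx keeps the old certificate in memory after renewal.
    hook=$(ini_get "$conf" renew_hook)
    case "$hook" in
        *nginx*) ;;
        *)
            echo "FAIL: renew_hook is '$hook'; nginx would keep serving the old cert" >&2
            return 1 ;;
    esac
    echo "OK: $conf"
    return 0
}

# Stand-alone use: sh check_renewal.sh /etc/letsencrypt/renewal/*.conf
if [ "$#" -gt 0 ]; then
    rc=0
    for c in "$@"; do
        check_renewal_profile "$c" || rc=1
    done
    exit "$rc"
fi
```

The checks mirror the failure modes that only show up at renewal time: a credentials file that was recreated with the wrong mode, a propagation wait that was dropped, or a profile created without the hook so the new cert sits on disk while nginx serves the expired one.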