EFF's goal of encrypting the Internet has spawned a project to issue TLS certificates. It is a great idea, and it opens up certificates to everyone, not just those with money. To limit the damage a misused certificate can do, EFF has imposed a 90 day lifetime on the certificates it issues, which means some level of automation is required to ensure certificates are renewed on time.
EFF has released software called Certbot to handle certificate management. It is readily available for a variety of Linux distributions. This post walks through the process on Ubuntu.
Certbot was primarily designed to work with web servers such as Apache, as can be seen from the handlers it ships with to configure the end software with the issued certificate.
Add the Certbot PPA (a Debian-style package repository) to Ubuntu:
sudo add-apt-repository ppa:certbot/certbot -y
Refresh Ubuntu's package index so the newly added repository is picked up, then install Certbot:
sudo apt-get update
sudo apt install certbot -y
Certbot requires port 443 (HTTPS) to be available to communicate with the certificate issuing server. If a web server or HAProxy is listening on that port, stop it before continuing; once the certificate has been issued the port is no longer required. Setting up HAProxy is beyond the scope of this article.
Run Certbot and go through the prompts:
sudo certbot certonly
If successful, it creates the certificate files in /etc/letsencrypt/live/[domain]/, where [domain] is the name of the domain.
HAProxy requires a single combined file containing the certificate chain and the private key. The command below assumes certificates are held in /etc/haproxy/certs and that [domain] is the domain name:
DOMAIN='[domain]' sudo -E bash -c 'cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/haproxy/certs/$DOMAIN.pem'
This creates a [domain].pem file in /etc/haproxy/certs. Because that file contains the private key, keep it readable by root only.
Configure HAProxy to use the combined certificate file.
Certbot makes it fairly easy to obtain a certificate. Renewing it is another matter, because of the number of different ways a certificate can be consumed by the software that uses it.
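The combination step above and the renewal problem, as an added example that is not part of the original post: a script that rebuilds HAProxy's combined PEM with the private key kept root-only, and that Certbot can run after each renewal through its --deploy-hook option (RENEWED_LINEAGE is the variable Certbot exports to hooks; the /etc/letsencrypt/live and /etc/haproxy/certs paths are the ones assumed by the post).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): rebuild the combined PEM
# that HAProxy needs (fullchain + private key) for one domain.
# Assumed paths: Certbot's /etc/letsencrypt/live/<domain>/ and HAProxy's
# /etc/haproxy/certs/, as used elsewhere in the post.
set -eu

# build_haproxy_pem LIVE_DIR OUT_DIR DOMAIN
# Writes OUT_DIR/DOMAIN.pem from LIVE_DIR/DOMAIN/{fullchain,privkey}.pem.
# The result contains the private key, so it is created mode 0600, and it is
# written to a temp file first so HAProxy never reads a half-written file.
build_haproxy_pem() {
    local live_dir="$1" out_dir="$2" domain="$3"
    local chain="$live_dir/$domain/fullchain.pem"
    local key="$live_dir/$domain/privkey.pem"
    local out="$out_dir/$domain.pem" tmp
    if [ ! -r "$chain" ] || [ ! -r "$key" ]; then
        echo "missing $chain or $key" >&2; return 1
    fi
    # Cheap sanity check: the chain must hold a certificate and the key a key,
    # otherwise a typo in DOMAIN would silently produce a useless PEM.
    grep -q 'BEGIN CERTIFICATE' "$chain" || { echo "$chain: no certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key" || { echo "$key: no private key" >&2; return 1; }
    mkdir -p "$out_dir"
    tmp="$(mktemp "$out_dir/.$domain.XXXXXX")"
    ( umask 077; cat "$chain" "$key" > "$tmp" )
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
    echo "$out"
}

# When Certbot runs this script as a --deploy-hook it exports RENEWED_LINEAGE
# (the /etc/letsencrypt/live/<domain> directory); otherwise take the domain
# from the command line.
main() {
    local live_dir=/etc/letsencrypt/live out_dir=/etc/haproxy/certs domain
    if [ -n "${RENEWED_LINEAGE:-}" ]; then
        live_dir="$(dirname "$RENEWED_LINEAGE")"
        domain="$(basename "$RENEWED_LINEAGE")"
    else
        domain="${1:?usage: $0 <domain>}"
    fi
    build_haproxy_pem "$live_dir" "$out_dir" "$domain"
    # HAProxy loads certificates at start-up, so reload it after every rebuild.
    systemctl reload haproxy
}

# Run only when given a domain or invoked by Certbot, so the file can be sourced.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ $# -gt 0 ]; then main "$@"; fi
```

Run it once by hand with the domain as argument, or hand it to Certbot with `certbot renew --deploy-hook /path/to/this-script` so the combined file is rebuilt and HAProxy reloaded after each successful renewal.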