Fun with deployments, part 1: Certbot

Yesterday, I finally accomplished a long-term goal of mine - manually deploying my own website, with a minimum of fuss and maximum control. Over the years, I have had no fewer than three WordPress sites blow up in my face due to brittle updates. Of the most recent five hosts I tried, two of them are no longer in business. In the meantime, precious time continued to pass...

I remember my first website on a shared host back in 1997 - some HTML, some CSS, some images - and indeed, being able to craft a website by hand is a great skill to have. It is also time consuming. And on today's modern internet, you also need a certificate for SSL. Which is surreal, when I recall buying used records from Osaka in Japan and having them shipped to me from the other side of the world in 1997. People were just then starting to move from 40-bit to 128-bit encryption.

I try not to think about how naive and cavalier we were...

Traditionally, certificates were (and still are) very expensive. Many individuals, small businesses and organisations simply skipped them. I was very happy to hear about the Let's Encrypt initiative, as it really does address many pain points around cost (free as in beer), transparency (free as in freedom), and deployment (automated issuance and renewal).

When setting up this website, I used Nikola as a static site generator, and Nginx as the web server. Getting Certbot installed was easier than setting up either of those. Most distributions have a certbot meta package now - FreeBSD has that, plus separate plugin packages for each web server. The Certbot site at certbot.eff.org has a nice helper page that will give you details on which combination of packages and commands are needed for a wide variety of Linux distributions.

On my web server, I only needed the base py37-certbot package. On my private cloud server that I am still setting up, I had to install py37-certbot-nginx as well - more on that adventure coming up. On a Windows VM that I experimented with, I used a package that implemented the ACME protocol in .NET - there is no official package from the Certbot team ready to go, and no GUI one-click installers either.

Once installed, Certbot is very fast. You will need to make sure that you have sorted out the A record of your desired domain name first, though, because the bot will hard fail if you have not. Also, if you cannot install applications on the host at all, then you are out of luck. You will also need a valid email address so that you can be reached if there is a problem. After this, you will be prompted to accept the Terms of Service, then prompted for the domain that you are seeking a certificate for.

Certbot will let you include multiple subdomains in the request, so that you can have both yoursite.com and www.yoursite.com on one certificate. I have not yet tried a wildcard cert, but it seems possible.

After you do these things, Certbot runs a program that reaches out to Let's Encrypt, validates that the server is the one you say it is, and issues a certificate. You will get a message informing you that either 1) something failed, or 2) you now have a new certificate.

Make sure that you note the path where Certbot saved the certificate, and also be aware that it comes in two parts - a public/private key pair (files ending in .pem) that you will need to both secure and back up, as well as refer to for any manual configuration of the web server. But as of the moment you see those files, your website certificate is live!

In my case, it all happened so fast that I was able to fix the DNS records for my domain, immediately run the bot, get the certificate, and immediately refresh the page to see it kick in. Propagation is very fast, indeed.

What happens next? Well, the theory is that if issuing certificates is automated, one can secure a site very quickly. And if renewing the certificates is automated too, then they will always be current. Indeed, a Let's Encrypt cert only lasts for 90 days - the expectation is that you will either create a script that seeks a renewal at regular intervals (up to five times in a seven-day period) or manually run the script before your 90 days are up. But manual renewal never happens in practice, so of course the goal is to script the renewal request. At that point, your site will maintain its security in an automated way for as long as it is running, with no further intervention needed...

...well, there was that one case where Let's Encrypt had to revoke 8+ million certificates, but that is part of the bargain - if any of the certificates are compromised, they must be revoked. Otherwise, they are worthless. So far, Let's Encrypt have been very serious about maintaining the quality of the certs that they issue. In this incident, I understand that they simply sent a message to Certbot running on those servers to renew. But if one were to set up a cron job to renew the cert once per week, the time exposed to an event like this would be fairly low.
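The two points above, the 90-day lifetime with scripted renewal and the five-per-seven-days limit on repeat issuances, are easy to get wrong in a cron job, so here is an added example of a renewal pre-check script. It is my own illustration, not code from the post or from the Certbot project. It assumes the 30-day renewal window that Certbot uses by default, a hypothetical issuance log file that the script maintains itself (one epoch timestamp per line), and `service nginx reload` as the command that makes the web server pick up the new files; the cert path in the usage comment is only a typical FreeBSD location.

```shell
#!/bin/sh
# Added example (not from the post or the Certbot project): a cron-friendly renewal
# pre-check. Pure POSIX sh so it behaves the same on FreeBSD and Linux; only
# renewal_due_for_file needs openssl.
#
# Assumptions: the 30-day window is Certbot's default renewal threshold; ISSUANCE_LOG
# is a hypothetical file this script appends to after each successful renewal.

RENEW_WINDOW_DAYS=30
LIMIT_PER_WEEK=5          # Let's Encrypt limit on repeat certs for the same names
WEEK_SECONDS=604800
ISSUANCE_LOG=${ISSUANCE_LOG:-/var/db/certbot-issuances.log}   # hypothetical path

# days_left EXPIRY_EPOCH NOW_EPOCH: whole days remaining (negative once a full day past expiry).
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# renewal_due EXPIRY_EPOCH NOW_EPOCH: succeeds when fewer than RENEW_WINDOW_DAYS remain.
renewal_due() {
    [ "$(days_left "$1" "$2")" -lt "$RENEW_WINDOW_DAYS" ]
}

# renewal_due_for_file CERT_PEM: the same test against a real certificate file.
# openssl -checkend succeeds when the cert outlives the window, so the result is inverted.
renewal_due_for_file() {
    if openssl x509 -noout -checkend $(( RENEW_WINDOW_DAYS * 86400 )) -in "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# issuances_last_week NOW_EPOCH [EPOCH...]: count recorded issuances in the trailing
# seven days; entries dated in the future are ignored as clock skew.
issuances_last_week() {
    now=$1; shift
    count=0
    for t in "$@"; do
        if [ "$t" -le "$now" ] && [ $(( now - t )) -lt "$WEEK_SECONDS" ]; then
            count=$(( count + 1 ))
        fi
    done
    echo "$count"
}

# rate_limit_ok NOW_EPOCH [EPOCH...]: succeeds if one more issuance stays under the limit.
rate_limit_ok() {
    [ "$(issuances_last_week "$@")" -lt "$LIMIT_PER_WEEK" ]
}

# record_issuance LOGFILE NOW_EPOCH: remember a successful renewal for the rate-limit check.
record_issuance() {
    echo "$2" >> "$1"
}

# Entry point for cron; inert without a certificate argument so the helpers can be tested.
#   usage: renew-check.sh /usr/local/etc/letsencrypt/live/example.com/cert.pem
if [ $# -eq 1 ] && [ -f "$1" ]; then
    now=$(date +%s)
    if ! renewal_due_for_file "$1"; then
        echo "certificate still valid for more than $RENEW_WINDOW_DAYS days; nothing to do"
        exit 0
    fi
    # Word-split the log on purpose: one timestamp per line becomes one argument each.
    # shellcheck disable=SC2046
    if ! rate_limit_ok "$now" $(cat "$ISSUANCE_LOG" 2>/dev/null); then
        echo "refusing to renew: $LIMIT_PER_WEEK issuances already in the last 7 days" >&2
        exit 1
    fi
    # --deploy-hook runs only when a certificate was actually renewed.
    certbot renew --quiet --deploy-hook "service nginx reload" \
        && record_issuance "$ISSUANCE_LOG" "$now"
fi
```

A weekly cron entry such as `0 3 * * 1 /usr/local/bin/renew-check.sh /path/to/cert.pem` gives the once-per-week cadence the post suggests. Note that `certbot renew` already skips certificates that are not close to expiry, so the expiry check mostly saves a needless run; the rate-limit check is what stops a misfiring job from burning through the weekly allowance. The revocation case above is exactly where an expiry check is not enough: a revoked certificate still has days left, so that situation needs an explicit `certbot renew --force-renewal` instead.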

In either case, I am happy that I was able to get this up and running on both my "cloud" servers. I think that, especially for individuals and small businesses, this is the way to go. Just because someone does not have a ton of money or a commercial enterprise does not mean that they cannot secure their web traffic. This project has been a wild success so far, and I thank the EFF and their partners for pulling this together.