01-24-2019 10:23 PM - edited 05-28-2019 04:00 PM
Let’s Encrypt is a Certificate Authority that provides free, Domain Validation (DV) TLS (SSL) certificates to the public using an automated process. Let’s Encrypt provides an easily accessible mechanism for obtaining signed certificates for web servers, giving the end user confidence that they are connecting to a server operated by whoever controls the domain name they typed. For more information on Let’s Encrypt, visit their website at https://letsencrypt.org/.
Using Let’s Encrypt certificates with FindIT Network Manager is reasonably straightforward. Although it is not feasible to automate the issuing and installation of the certificate with FindIT Network Manager, a certificate can be easily obtained using a manual process and then installed through the Manager web UI. The remainder of this document walks through the process of issuing a certificate and installing it in the Manager.
cisco@findit-manager:~$ sudo apt-get update
cisco@findit-manager:~$ sudo apt-get install software-properties-common
cisco@findit-manager:~$ sudo add-apt-repository ppa:certbot/certbot
cisco@findit-manager:~$ sudo apt-get update
cisco@findit-manager:~$ sudo apt-get install certbot

cisco@findit-manager:~$ mkdir certbot
cisco@findit-manager:~$ cd certbot

cisco@findit-manager:~/certbot$ certbot certonly --manual --preferred-challenges dns \
    -d findit-manager.example.com -d pnpserver.example.com --logs-dir . \
    --config-dir . --work-dir .

Note: The above example is a single command that wraps across multiple lines. The backslashes have been inserted to allow the command to be copied and pasted as is.
Option | Meaning
certonly | Request a certificate and download the files; do not attempt to install them. In the case of FindIT Network Manager, the certificate is used not only by the FindIT web server but also by the PnP service and other functions, so the certbot client is not able to install the certificate automatically.
--manual | Do not attempt to authenticate with the Let’s Encrypt service automatically. Work interactively with the user to authenticate.
--preferred-challenges dns | Authenticate by means of DNS TXT records. Other challenges are not supported for use with FindIT Network Manager.
-d findit-manager.example.com -d pnpserver.example.com | The FQDNs that should be included in the certificate. The first name listed will be included in the Common Name field of the certificate, and all names will be listed in the Subject Alternative Name field. The pnpserver.<domain> name is a special name used by the Network Plug and Play feature when performing DNS discovery. Consult the FindIT Network Manager Administration Guide for more details.
--logs-dir . --config-dir . --work-dir . | Use the current directory for all the working files created during the process.
cisco@findit-manager:~/certbot$ certbot certonly --manual --preferred-challenges dns \
    -d findit-manager.example.com -d pnpserver.example.com --logs-dir . \
    --config-dir . --work-dir .
Saving debug log to /home/cisco/certbot/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for findit-manager.example.com
dns-01 challenge for pnpserver.example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.findit-manager.example.com with the following value:

iZB9LVd6ocime3t9ntWsTA82rjQW7ml9fkoou8uaBh0

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
At this point, a DNS TXT record proving control of the findit-manager.example.com hostname must be created in the DNS infrastructure. The steps required to do this are outside the scope of this document and depend on the DNS provider being used. Once created, validate that the record is visible before pressing Enter, using a DNS query tool such as dig (https://linux.die.net/man/1/dig); if Let’s Encrypt queries the name before the record has propagated, the challenge fails and the command must be run again.
The DNS challenge process may be automated for certain DNS providers. See https://certbot.eff.org/docs/using.html#dns-plugins for more details.
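The dig check described above, as an added example that is not part of the original article: a small POSIX shell script that polls the _acme-challenge name until it carries the exact token certbot printed, so you only press Enter once the record is really there. It assumes dig (the dnsutils package on Ubuntu) is installed; the hostname, token, nameserver and the 120 second timeout are placeholders. Query the zone’s authoritative nameserver rather than the local resolver where you can, because the local resolver may have cached a "no such record" answer from before the record was created.

```sh
#!/bin/sh
# Added example (not from the original article): verify the _acme-challenge
# TXT record before continuing the certbot manual DNS challenge.
# Assumes `dig` is installed; all names and tokens below are placeholders.

# txt_has_token DIG_OUTPUT TOKEN
# DIG_OUTPUT is the text printed by `dig +short TXT <name>`: one line per
# TXT record, each wrapped in double quotes. Stale records from an earlier
# run are common, so every line is checked and the match must be exact.
txt_has_token() {
  printf '%s\n' "$1" | sed 's/^"//; s/"$//' | grep -qxF "$2"
}

# wait_for_acme_txt HOST TOKEN [TIMEOUT_SECONDS] [NAMESERVER]
# Polls until _acme-challenge.HOST carries TOKEN, asking NAMESERVER when
# given (use the zone's authoritative server to avoid a cached negative
# answer from the local resolver). Returns 0 on success, 1 on timeout.
wait_for_acme_txt() {
  host="$1"; token="$2"; limit="${3:-120}"; ns="${4:-}"; waited=0
  name="_acme-challenge.$host"
  while [ "$waited" -lt "$limit" ]; do
    if txt_has_token "$(dig +short TXT "$name" ${ns:+"@$ns"})" "$token"; then
      echo "OK: $name carries $token"
      return 0
    fi
    sleep 10; waited=$((waited + 10))
  done
  echo "TIMEOUT: $name does not carry $token after ${limit}s" >&2
  return 1
}

# Usage (placeholder values):
#   sh check-txt.sh findit-manager.example.com iZB9LVd6ocime3t9ntWsTA82rjQW7ml9fkoou8uaBh0 ns1.example.com
if [ "$#" -ge 2 ]; then
  wait_for_acme_txt "$1" "$2" 120 "${3:-}"
fi
```

Run it once per name in the certificate (findit-manager.example.com, then pnpserver.example.com), each time with the token certbot printed for that name. If the script times out, extend the timeout or check the record at the provider; do not press Enter in certbot until it reports OK.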
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.pnpserver.example.com with the following value:

Txruc89x8dVaHmLHJII0oA2ILmIY83XYl13yYakjNuc

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Create and verify additional TXT records for each name to be included in the certificate.
Waiting for verification...
Cleaning up challenges
Non-standard path(s), might not work with crontab installed by your operating system package manager

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /home/cisco/certbot/live/findit-manager.example.com/fullchain.pem
   Your key file has been saved at:
   /home/cisco/certbot/live/findit-manager.example.com/privkey.pem
   Your cert will expire on 2019-02-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

cisco@findit-manager:~/certbot$
At this point, the certificate has been issued and may be found in the live subdirectory in the filesystem:
cisco@findit-manager:~/certbot$ cd live/findit-manager.example.com/
cisco@findit-manager:~/certbot/live/findit-manager.example.com$ ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
cisco@findit-manager:~/certbot/live/findit-manager.example.com$

cisco@findit-manager:~/certbot/live/findit-manager.example.com$ openssl pkcs12 \
    -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
Enter Export Password: secret
Verifying - Enter Export Password: secret
cisco@findit-manager:~/certbot/live/findit-manager.example.com$

This command takes the private key (privkey.pem), the certificate for the Manager (cert.pem) and the chain of intermediate certificates between the Manager certificate and the Let’s Encrypt root certificate (chain.pem) and packages them together into a single, password-protected file in PKCS#12 format (cert.pfx) suitable for uploading to the Manager. The password shown here ("secret") is only an example; the password is not echoed when typed. Both privkey.pem and cert.pfx contain the private key, so anyone who obtains either file can impersonate the Manager: keep them readable only by the account that needs them and delete cert.pfx once it has been uploaded.
If the host where you are performing these steps does not have a web browser, you will need to copy the cert.pfx file to your PC using a tool such as secure copy (scp on Unix-like OSes or WinSCP for Microsoft Windows). If you are performing these operations on the Manager, then the SSH server - required for secure copy to function - is disabled by default. The server may be enabled using the following command:
cisco@findit-manager:~/certbot$ sudo service ssh start
Once you have finished, the SSH server may be disabled again with the command:
cisco@findit-manager:~/certbot$ sudo service ssh stop
The browser window may need to be refreshed after installing the new certificate.
Please note that certificates issued by Let’s Encrypt have relatively short lifetimes, currently 90 days. To ensure the certificate remains valid, you will need to renew it before the 90 days are up. To do this, repeat steps 3 to 6 of the process above (run certbot again to receive an updated certificate, package it as a PKCS#12 file and apply it to the Manager). Each renewal requires new DNS TXT records, since the challenge tokens change on every request.
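The packaging step and the renewal reminder above, as an added example that is not part of the original article: a POSIX shell script that checks privkey.pem actually matches cert.pem (a mismatch is easy to produce when certbot is re-run into a directory still holding an older cert.pem), bundles the three files into a PKCS#12 file with the export password taken from an environment variable so it never appears in the process list, verifies that the result opens with that password, and warns when the certificate is within 30 days of expiry. It requires the openssl command-line tool; the script name, the PFX_PASS variable and the 30-day threshold are assumptions, as is the placeholder path.

```sh
#!/bin/sh
# Added example (not from the original article): package a certbot-issued
# certificate as a PKCS#12 file for upload to the Manager, with the checks a
# practitioner wants before each 90-day renewal. Requires the openssl CLI.
# The PFX_PASS variable name and the 30-day warning threshold are assumptions.

# key_matches_cert KEY CERT: true when CERT was issued for the public key in KEY.
# Compares the SubjectPublicKeyInfo derived from each file; the Manager would
# otherwise be handed a certificate it cannot use.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_expires_within_days CERT DAYS: true when CERT expires within DAYS days
# (an unreadable file also counts as true, i.e. "needs attention").
cert_expires_within_days() {
  ! openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1
}

# build_pfx LIVE_DIR OUT: bundle privkey.pem, cert.pem and chain.pem from a
# certbot live/ directory into OUT. The export password is read from $PFX_PASS
# through openssl's env: password source, so it is not visible in `ps`.
build_pfx() {
  dir="$1"; out="$2"
  [ -n "${PFX_PASS:-}" ] || { echo "PFX_PASS is not set" >&2; return 1; }
  key_matches_cert "$dir/privkey.pem" "$dir/cert.pem" \
    || { echo "$dir/privkey.pem does not match $dir/cert.pem" >&2; return 1; }
  umask 077   # the .pfx contains the private key; create it owner-readable only
  openssl pkcs12 -export -out "$out" -inkey "$dir/privkey.pem" \
    -in "$dir/cert.pem" -certfile "$dir/chain.pem" -passout env:PFX_PASS
}

# pfx_is_readable PFX: true when PFX decrypts and its MAC verifies with $PFX_PASS.
pfx_is_readable() {
  openssl pkcs12 -in "$1" -noout -passin env:PFX_PASS >/dev/null 2>&1
}

# Usage (placeholder path):
#   PFX_PASS='...' sh make-pfx.sh /home/cisco/certbot/live/findit-manager.example.com cert.pfx
if [ "$#" -eq 2 ]; then
  if cert_expires_within_days "$1/cert.pem" 30; then
    echo "warning: $1/cert.pem expires within 30 days; run certbot again first" >&2
  fi
  build_pfx "$1" "$2" && pfx_is_readable "$2" && echo "wrote $2"
fi
```

Export PFX_PASS in the shell before running the script rather than putting the password on the command line. Run the expiry check from cron well ahead of the 90-day mark so that renewal is never a surprise. The article does not state which PKCS#12 encryption algorithms the Manager’s importer accepts; if an upload of a file produced by OpenSSL 3 is rejected, the -legacy option of openssl pkcs12 produces the older RC2/3DES encoding that most importers understand.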
Thanks Dave, very nice