Sunday 30 October 2016

How to install and configure Certbot in a FreeNAS Jail

بسم الله الرحمن الرحيم



Abstract



  • A tutorial to install and configure certbot within a FreeNAS Jail.
  • Certbot is 'Electronic Frontier Foundation's ' implementation to issue free automated SSL certificates for webservers that are recognised by popular web browsers.  


Assumptions and Prerequisites


  • Domain: example.com
  • Hostname: www.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: www
  • Private IP: 10.0.0.56
  • Subnet Mask: 255.255.255.0/24
  • Certbot Version: 0.9.3
  • Apache has already been installed.
  • Apache Version: 2.4.23
  • Apache Webroot directory: /usr/local/www/apache24/data
  • SSL Certificate File: /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem
  • SSL Key File: /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem 
  • Apache is bound to port 80 and 443.
  • Port 80 and 443 forwarding is enabled on the router to allow access to Apache webserver from the Internet.
  • Email: info@example.com (required to recover lost account details from certbot).



Instructions


- Install certbot
# pkg install py27-certbot

- Configure domain
# certbot certonly
Follow installer instructions
    domain: www.example.com
    webroot: /usr/local/www/apache24/data
    email: info@example.com

- Test certs renewal
# certbot renew --dry-run 

- Renew certs (Renews certs on port 80 for 90 days. Will not renew cert if expiry date of cert is less than 30 days).
# certbot renew --quiet

-  Force cert renewal with current issue date
# certbot renew --quiet --force-renewal

- Renew cert with a higher rsa-key size 4096
# certbot renew --quiet --rsa-key-size 4096 

-  Force cert renewal on https port 443 with a higher rsa-key size 4096
# certbot renew --quiet --rsa-key-size 4096 --force-renewal --tls-sni-01-port 443

- Change SSL Cert file paths in Apache to point to the new location of certbot's certificates
# vi /usr/local/etc/apache24/extra/httpd-ssl.conf
   (144)  SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem"
   (154)  SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.example.com/privkey.pem"
   (175)  #SSLCACertificateFile "/usr/local/etc/ssl/certs/ca.pem"

- Reload Apache config after certs renewal
# apachectl -k graceful

- Setup a cron job in FreeNAS to auto renew certs and reload the new apache settings with the following command.
# jexec www certbot renew --quiet --rsa-key-size 4096 && jexec www apachectl -k graceful

- Test the new SSL certs at the SSLABS website. This should give you an A+ on the SSL report.

- Links


Posted by at
Labels: , , , , , , , , , , , , , , , ,

1 comment:

webrootsafes said...

Since we all live in a world that is dependent on personal or digital technology for a digital presence, easy access to unsafe websites can be very damaging to your identity and data. This is the reason why many people choose Webroot antivirus software to keep them safe on the Internet. However, many people know very little about Webroot Renewal.
Webroot Renewal

5:00 pm

Post a Comment

Subscribe to: Post Comments (Atom)