Let's Encrypt SSL part 2

Before I reloaded the server, I had implemented SSL certs from Let's Encrypt via a website (using domain validation). Linux users (and hosted Linux users) have it pretty easy: there is an official client and automation options are abundant. As a Windows user not using IIS, it's slightly messier. I haven't cracked the automation nut yet, but by using a different website, tweaking nginx and leveraging FTP, I've made certificate generation and renewal pretty painless.

First, domain validation for multiple SANs is painful. Once Let's Encrypt implements wildcard certs in January 2018 and there is only one record to add, it won't be bad, but for now I use a ton of SANs. Automatic FTP validation is the way to go, but with Ghost CMS you can't just stick random files somewhere and get them served up.

Enter nginx, which I use as a reverse proxy, but it's much more than that, including a basic web server. But how do I validate when the main domain that needs verifying is the one running the node.js magic? With nginx locations like so:

server {
    listen 443 ssl;
    server_name kn6q.org;

    # Certificate paths are placeholders; point them at the stitched cert
    # (server cert + CA bundle) and the key you copied into place.
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    # Everything that is not an ACME challenge is proxied to Ghost on port 2368.
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:2368;
    }

    # Challenge files are served straight from html/.well-known/ under the nginx directory.
    location "/.well-known/" {
        root  html;
        index index.html index.htm;
    }
}

Note the quotes around "/.well-known/": they are required because of the . in the path, and it won't work without them.

So any web request that is not headed for the ACME challenge gets proxied to Ghost, and requests for kn6q.org/.well-known/acme-challenge/ get sent to c:\nginx\html\.well-known\acme-challenge\. My FTP server has a special account that SSL FOR FREE logs in as and dumps the challenge files into; Let's Encrypt then does a web fetch to make sure I own the domain.

I still have to download the certs, stitch the cert and the CA bundle together, copy them to the right place and restart services, but this is a big improvement over the first time I did the process with domain validation via ZeroSSL. ZeroSSL also has no way to renew certs via the web interface and requires many more steps than SSL FOR FREE does. And with renewal every 90 days, I'll take all the shortcuts I can get.
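The stitching step above is the one that is easy to get wrong by hand, so here is an added example (my own script, not from the original post or from SSL FOR FREE) that builds the fullchain file nginx wants: leaf first, then the CA bundle, refusing anything that is not a CERTIFICATE block and dropping duplicates. The PEM bodies in it are constructed placeholders, not real certificates.

```python
import re
import sys

# One PEM block: captures the label (CERTIFICATE, PRIVATE KEY, ...) and the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed placeholder PEM data for the demo: the bodies are not real certificates.
LEAF_PEM = "-----BEGIN CERTIFICATE-----\r\nTEFBRg==\r\n-----END CERTIFICATE-----\r\n"
BUNDLE_PEM = ("-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"
              "-----BEGIN CERTIFICATE-----\nUk9PVA==\n-----END CERTIFICATE-----\n")


def pem_blocks(text):
    """Return (label, body) tuples for every PEM block in text, whitespace stripped from bodies."""
    return [(m.group(1), re.sub(r"\s+", "", m.group(2))) for m in PEM_BLOCK.finditer(text)]


def build_fullchain(cert_pem, bundle_pem):
    """Stitch the server cert and the CA bundle into the fullchain text nginx expects.

    The leaf must come first, then the intermediates. Anything that is not a
    CERTIFICATE block is refused (a private key in the chain file would be sent
    to every client), and duplicate blocks are dropped in case the downloaded
    cert file already contains the chain.
    """
    leaf_blocks, bundle_blocks = pem_blocks(cert_pem), pem_blocks(bundle_pem)
    for label, _ in leaf_blocks + bundle_blocks:
        if label != "CERTIFICATE":
            raise ValueError("refusing to put a %s block into the chain file" % label)
    if not leaf_blocks:
        raise ValueError("no certificate found in the server certificate file")
    chain = []
    for block in leaf_blocks + bundle_blocks:
        if block not in chain:
            chain.append(block)
    out = []
    for _, body in chain:
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        out.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines))
    return "".join(out)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: fullchain.py cert.pem ca_bundle.pem fullchain.pem")
    with open(sys.argv[1]) as cert, open(sys.argv[2]) as bundle:
        fullchain = build_fullchain(cert.read(), bundle.read())
    with open(sys.argv[3], "w", newline="\n") as out:
        out.write(fullchain)
```

Run it on the downloaded cert and CA bundle, point ssl_certificate at the output, and restart nginx.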

73,

Tom

Thomas Kisner

Husband, Father, Scouter, Ham.

Azle, Texas