[Triumf-linux-managers] FYI - certbot (was letsencrypt) for CentOS 7, 6

Konstantin Olchanski olchansk at triumf.ca
Thu Dec 1 08:58:09 PST 2016
Hi, there - the certbot certificates are valid for 90 days and
normally one is supposed to have a weekly cronjob to automatically
renew them.

I now have certbot certificates running for longer than 90 days
and I can report:

a) manual renewal works (apache httpd is reloaded automatically)
b) "certwatch" correctly sends the emails about "certificate will expire in N days"
c) letsencrypt CA sends an expiration notice to the email on record for the certificate
d) a simple cronjob in /etc/cron.weekly does do automatic renewal.

However the certbot package does *not* contain any cronjob templates
and multiple cronjob finds on the internet are all deficient in different ways,
i.e. do not send email on renewal success or failure.

Also the certbot certificates seem to work okay for custom web servers
such as the MIDAS mhttpd web server (based on the mongoose web server).


K.O.
On Wed, Nov 30, 2016 at 07:10:03PM -0800, Andrew Daviel wrote:
> 
> FYI
> 
> As Konstantin reported to DAQ users in August, the EFF project
> "letsencrypt" is now available as RPM packages from EPEL.
> 
> This provides a way for people to get free SSL certificates chained
> to a recognized certificate authority, meaning they won't cause
> security pop-ups in a browser.
> 
> The LetsEncrypt project is now called "Certbot". The website is
> https://certbot.eff.org/
> 
> The relevant packages for CentOS 7 are certbot and
> python2-certbot-apache.
> 
> The application is intended to run unattended, as root, and be
> capable of automatically renewing relatively short-lived
> certificates (a few months), writing them into the browser
> configuration.
> I have not personally tried automatic mode.
> 
> Certbot is not available as a package for earlier CentOS/SL releases.
> However, it is available to download directly from
> https://dl.eff.org/certbot-auto
> 
> That can be made to work on CentOS 6. Probably not 5. Certbot is
> written in Python and requires certain other packages such as tix,
> tkinter, openssl-devel. Currently, it works with Python 2.6 but will
> not in future.
> 
> It is possible to run certbot in manual mode, and obtain
> certificates for webservers other than the one where the script is
> run. E.g.
> # /root/.local/share/letsencrypt/bin/certbot certonly --manual
> 
> To verify ownership of a (sub)domain, it is necessary to place a
> text cookie on a webserver running on that domain, in a public URL
> such as http://example.com/.well-known/acme-challenge/<random string>
> The certbot authenticator then retrieves the cookie before issuing a
> certificate, which the user can then place in the website
> configuration.
> 
> If there is no webserver running, certbot gives a recipe to run a
> simple Python one. The certificate could be used for non-web
> protocols such as LDAP, IMAP, SMTP etc.
> 
> 
> Certbot thus offers a viable alternative to the TRIUMF certificate
> authority for regular (non-enhanced validation) SSL certificates.
> But you get certificates for 90 days, not 3-5 years. You would
> probably need to set up the automated renewal process.
> 
> 
> Certificates from certbot (or any external CA) are unsuitable for
> document signing, code signing, or email signing/encryption, since
> they identify a webserver, not a person or company.
> 
> -- 
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376  (Pacific Time)
> Network Security Manager

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
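The weekly renewal cronjob discussed in the message above, written out as an added example (it is not Konstantin's script and not part of the certbot package): it reloads httpd only when a certificate was actually renewed and mails a report on success, on "nothing due" and on failure, so a silently broken job is noticed when the weekly mail stops. It assumes a certbot release with `--deploy-hook` (older releases called it `--renew-hook`), the mailx `mail` command, and a systemd httpd unit as on CentOS 7.

```shell
#!/bin/sh
# Constructed example wrapper for a weekly certbot renewal cronjob.
# Reports BOTH success and failure by mail and reloads httpd only
# when a certificate was actually renewed.
# Assumptions: certbot >= 0.17 (--deploy-hook), mailx "mail", systemd httpd.

CERTBOT=${CERTBOT:-/usr/bin/certbot}
MAILTO=${MAILTO:-root}
MARKER=${MARKER:-/var/run/certbot-renewed}   # touched by the deploy hook
LOG=${LOG:-/var/log/certbot-renew.log}
RELOAD="systemctl reload httpd"

# Map certbot's exit status plus the deploy-hook marker to a one-word result.
# The marker is authoritative: it does not depend on certbot's output wording.
classify() {                         # $1 = exit status, $2 = marker path
    if [ "$1" -ne 0 ]; then
        echo FAILED
    elif [ -e "$2" ]; then
        echo RENEWED
    else
        echo NOT-DUE
    fi
}

# Subject line that sorts in a mailbox and states the outcome explicitly.
subject_for() {                      # $1 = result word, $2 = hostname
    echo "[certbot] $2: renewal $1"
}

run_renewal() {
    rm -f "$MARKER"
    # the deploy hook runs once per renewed certificate; touching the
    # marker records that a renewal really happened before reloading httpd
    if "$CERTBOT" renew --non-interactive \
        --deploy-hook "touch $MARKER && $RELOAD" >"$LOG" 2>&1; then
        status=0
    else
        status=$?
    fi
    result=$(classify "$status" "$MARKER")
    # always mail, whatever the outcome, with certbot's full output attached
    mail -s "$(subject_for "$result" "$(hostname)")" "$MAILTO" <"$LOG"
    [ "$result" != FAILED ]
}

# /etc/cron.weekly scripts take no arguments, so the weekly entry is a
# one-line script that calls this one as:  /path/to/certbot-renew.sh run
case "${1:-}" in
    run) run_renewal ;;
esac
```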