Showing posts with label apache. Show all posts

Sunday, December 4, 2016

Here come the Bash clients for Let's Encrypt - Acme.sh, Dehydrated and creating SSL Certificates

I was recently working on a server with a pretty old OS. In the past I've configured SSL using EFF's Certbot, a Python based client for managing Let's Encrypt certificates, but Certbot requires Python 2.7 or newer and the server only shipped with Python 2.4. I initially started down the road of "jumping through hoops" to get Python 2.7 installed on the old system, but then I discovered shell-based clients for Let's Encrypt. So here are some short notes for my future self which might save some time.

As far as shell-script ACME clients go (scripts that speak the same protocol as Certbot, without the Python dependency), I currently know of two: one called dehydrated and the other, which I discovered a day or two later, called acme.sh. I ended up using acme.sh; I found its implementation a bit simpler than dehydrated's. If you're interested in using dehydrated, there's reasonable documentation on how to install and use it at https://www.aaflalo.me/2016/09/dehydrated-bash-client-lets-encrypt/.

Acme.sh

Acme.sh promotes itself as follows:

  • An ACME protocol client written purely in Shell (Unix shell) language.
  • Full ACME protocol implementation.
  • Simple, powerful and very easy to use. You only need 3 minutes to learn it.
  • Bash, dash and sh compatible.
  • Simplest shell script for Let's Encrypt free certificate client.
  • Purely written in Shell with no dependencies on python or the official Let's Encrypt client.
  • Just one script to issue, renew and install your certificates automatically.
  • DOES NOT require root/sudoer access.
It installs itself into the home folder of the current user (under ~/.acme.sh), adds itself to that user's PATH, and registers a daily cron job that takes care of renewals.
Installation is as easy as:

curl https://get.acme.sh | sh
Or:
wget -O - https://get.acme.sh | sh

Bear in mind that piping a download straight into sh runs whatever the server hands back without you ever looking at it. If you prefer to review the installer, fetch it to a file first, read it, and then run it.

After that you can create an SSL certificate for the domain with the following command:
acme.sh --issue -w /home/mysite/public_html/example.com -d example.com -d www.example.com
Unfortunately, while the certificate was issued without a problem, the server was so old that its OpenSSL had no SNI support, so it could not serve more than one https domain on the same IP address; according to the article I read, that needs at least OpenSSL 0.9.8j.

Truth be told, the best course of action would be to upgrade the server, since an OS that old is vulnerable in other ways anyway. The knowledge won't be lost, as I can use it on other projects on newer servers.

Wednesday, November 2, 2016

Letsencrypt, Apache2, Plone and SSL

These are notes for my future self. I'm mostly using nginx now, but I have an Apache server here and there. I also have a post on configuring letsencrypt SSL with nginx.

Update ( Nov 9, 2016): added more information on preparing the /var/www/letsencrypt directory and rearranged assumptions into a numbered list.

Assumptions

My assumptions are as follows:

  1. This is a Plone site fronted by ProxyPass-style RewriteRules (the [P] flag).
  2. The site is located at the root of your Zope application server and it is called "Plone", so localhost:8080/Plone.
  3. You're using letsencrypt with certbot to generate SSL certificates.
  4. Your .well-known folder (used by letsencrypt) will be located at /var/www/letsencrypt.
Before you start, create the /var/www/letsencrypt directory


The following command works on Debian/Ubuntu type servers:

sudo mkdir -p /var/www/letsencrypt
sudo chown www-data:www-data /var/www/letsencrypt
If you're on Red Hat or CentOS you'll want to chown it to the user Apache runs as there ('apache' or 'nobody').

The implementation

With these things in place I found that I needed to precede my standard Plone rewrite rules with a rewrite rule to serve the contents of the letsencrypt .well-known folder. In the examples below my site is running on port 8080, this may be different for you.

Add this so that you can successfully request an SSL certificate via letsencrypt over http.

RewriteRule ^/\.well-known/(.*) /var/www/letsencrypt/.well-known/$1 [L]
RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/%{HTTP_HOST}:80/Plone/VirtualHostRoot/$1 [L,P]

Note the % in %{HTTP_HOST}: without it mod_rewrite treats {HTTP_HOST} as literal text and Zope is handed a bogus host name.

Add this to the https virtual host AFTER you have a working SSL certificate installed and you're already serving the site over https (see below).
RewriteRule ^/\.well-known/(.*) /var/www/letsencrypt/.well-known/$1 [L]
RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/%{HTTP_HOST}:443/Plone/VirtualHostRoot/$1 [L,P]
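Put together, the two rule sets above look like this as a pair of VirtualHost blocks. This is an added example, not the configuration from the original post: the ServerName, the certificate paths (certbot's /etc/letsencrypt/live/... layout), Apache 2.4.8 or later (so fullchain.pem can go straight into SSLCertificateFile and Require all granted is valid), and the <Directory> block that grants Apache read access to /var/www/letsencrypt are all assumptions. It also assumes mod_rewrite, mod_proxy, mod_proxy_http and mod_ssl are enabled; adjust port 8080 and the "Plone" site id to match your setup.

```apache
# Plain http: answer ACME challenges from disk, proxy everything else to Zope.
<VirtualHost *:80>
    ServerName myproject.example.com

    # Apache 2.4 denies access outside DocumentRoot by default, so the
    # challenge directory has to be granted explicitly (assumption: not in the post).
    <Directory /var/www/letsencrypt>
        Require all granted
    </Directory>

    RewriteEngine On
    RewriteRule ^/\.well-known/(.*) /var/www/letsencrypt/.well-known/$1 [L]
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/%{HTTP_HOST}:80/Plone/VirtualHostRoot/$1 [L,P]
</VirtualHost>

# https: same idea, but only enable this once certbot has written the files below.
<VirtualHost *:443>
    ServerName myproject.example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/myproject.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/myproject.example.com/privkey.pem

    <Directory /var/www/letsencrypt>
        Require all granted
    </Directory>

    RewriteEngine On
    RewriteRule ^/\.well-known/(.*) /var/www/letsencrypt/.well-known/$1 [L]
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/%{HTTP_HOST}:443/Plone/VirtualHostRoot/$1 [L,P]
</VirtualHost>
```

The .well-known rule has to come first in each block because the Plone rule matches everything; keeping it in the https block as well means renewals still work if you later redirect http to https.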


Installing a certificate

Assuming you've done everything above, you can install a certificate from letsencrypt with the following instructions:

Step 1 - Install Certbot


The part of the documentation that I read was silent about where to put the certbot-auto script. I decided to install certbot-auto in /usr/local/sbin, this means that it is in the system path and can be run as a command by itself (which feels nicer than needing to be in the folder when running the script).
cd /usr/local/sbin/
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x certbot-auto

Step 2 - Request a certificate against the /var/www/letsencrypt webroot

Now you can easily request a certificate.

Note the use of --webroot in the command below; this ensures that the challenge files are written into the /var/www/letsencrypt folder, where the rewrite rule above serves them. I also precede the command with sudo because the certificates and private keys are written under /etc/letsencrypt, which requires root privileges.
sudo certbot-auto certonly --webroot -w /var/www/letsencrypt -d myproject.example.com
Expected response
If everything was done properly you'll get a message like this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/myproject.example.com/fullchain.pem.
   Your cert will expire on 2016-11-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
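If certbot instead reports that the challenge failed, the usual cause is that Apache is not actually serving files from the webroot. The script below is an added example (not from the original post) that checks this before you burn through the CA's rate limits: it drops a throw-away token into WEBROOT/.well-known/acme-challenge/, fetches it back through the public URL, and compares the two. It assumes curl is installed; the function name check_webroot_challenge and the domain are my own. The same check applies to acme.sh --issue -w WEBROOT from the earlier post, which uses the same HTTP-01 webroot mechanism.

```shell
#!/bin/sh
# Pre-flight check for the webroot (HTTP-01) challenge path used by
# "certbot --webroot -w WEBROOT" and "acme.sh --issue -w WEBROOT".
# Added example, not from the original post. Assumes curl is installed.

# Write a throw-away token into WEBROOT/.well-known/acme-challenge/,
# fetch it back through BASE_URL, remove it, and report whether the bytes match.
# Usage: check_webroot_challenge WEBROOT BASE_URL
#   e.g. check_webroot_challenge /var/www/letsencrypt http://myproject.example.com
check_webroot_challenge() {
    webroot=$1
    base_url=$2
    dir="$webroot/.well-known/acme-challenge"
    # Unique per run so a stale file from an earlier attempt cannot fake a pass.
    token="preflight-$$-$(date +%s)"
    expected="ok-$token"

    mkdir -p "$dir" || { echo "cannot create $dir" >&2; return 1; }
    printf '%s' "$expected" > "$dir/$token" || { echo "cannot write into $dir" >&2; return 1; }

    # -s: quiet; --max-time: a broken proxy rule must not hang the check.
    # -L is deliberately left out: a redirect here should be looked at, not followed.
    got=$(curl -s --max-time 10 "$base_url/.well-known/acme-challenge/$token" 2>/dev/null) || got=""
    rm -f "$dir/$token"

    if [ "$got" = "$expected" ]; then
        echo "OK: $base_url serves $dir"
        return 0
    fi
    echo "FAIL: expected '$expected' from $base_url/.well-known/acme-challenge/$token, got '${got:-<nothing>}'" >&2
    return 1
}

# Run as a script: check_webroot.sh /var/www/letsencrypt http://myproject.example.com
if [ "$#" -eq 2 ]; then
    check_webroot_challenge "$1" "$2"
fi
```

Run it as root (or as a user that can write into the webroot) and from a machine that reaches the site the way the CA does, over plain http on port 80; a FAIL with "got nothing" on the Plone setup above normally means the .well-known rule is missing or sits after the catch-all proxy rule.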

Step 3 - Configuring Auto-renewal of certificates

Once set up properly, the auto-renewal steps that I took were near identical to the documentation.
I first tested to see that an auto renewal would work without issue:

certbot-auto renew --dry-run

Once the dry run was successful I added a renewal command as a cronjob using the crontab -e command:

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
@monthly certbot-auto renew --quiet --no-self-upgrade

One caveat on the schedule: certbot only renews a certificate once it is within 30 days of expiry, and Let's Encrypt certificates last 90 days, so a job that runs once a month can land just outside that window and leave you with an expired certificate. The Certbot documentation recommends running renew twice a day; it is a no-op whenever nothing is due.

Additional notes

I've read in places that mod_alias always gets precedence over mod_rewrite, so I tried to achieve this using mod_alias initially. That didn't work for me, so I settled on this approach.
