Letsencrypt Webroot Authentication Tested on Beta invited/whitelisted domain


#1

Thanks for approving my beta application.

I tested Letsencrypt Webroot Authentication on my CentOS 6.7 server and it works nicely for fully browser trusted SSL certificate on my CentminMod LEMP stack Nginx 1.9 HTTP/2 enabled web server https://community.centminmod.com/posts/19914/ :slight_smile:

FYI, CentOS/RHEL 6.x users need Python 2.7 Redhat / CentOS 6.x users need python 2.7

What is Letsencrypt Webroot Authentication ?

Authenticator plugin that performs SimpleHTTP challenge by saving necessary validation resources to appropriate paths on the file system. It expects that there is some other HTTP server configured to serve all files under specified web root

It was born out of the awesome work Kuba did with creating the simplefs plugin which was later renamed to webroot authentication. In laymen terms, webroot authentication is an alternate way to obtain letsencrypt ssl certificates and pass the SimpleHTTP challenge by following these steps

  1. create a HTTPS base site before hand using self signed ssl certificate on apache or nginx - this site will have a public web root. This site domain also needs valid working DNS pointing to the server IP
  2. run letsencrypt webroot authentication method and pass your email address AND that site’s public web root path to the command you run - this will perform automatically the the .well-known uri creation on the defined web root validating the domain you want the ssl certificate for

On my Centmin Mod LEMP stack, you can auto generate a Nginx vhost with http and https vhost conf files via centmin.sh menu option 2 (shell based menu) or via nv command line argument.

vhostname='le1.http2ssl.xyz'
nv -d ${vhostname} -s y -u MYFTPUSERNAME

This would produce a web root path at /home/nginx/domains/${vhostname}/public which is passed on command line for Letsencrypt client’s webroot authentication mode

vhostname='le1.http2ssl.xyz'
/root/.local/share/letsencrypt/bin/letsencrypt --server https://acme-v01.api.letsencrypt.org/directory --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --email example@example.org --text --agree-tos --agree-dev-preview -d ${vhostname} auth

You’ll end up with Letsencrypt SSL certificate where Nginx uses the fullchain.pem at /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem:

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to example@example.org.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem. Your cert
   will expire on 2016-01-25. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.

Not A+ as I have HSTS disabled as I test on both http and https usually.

Nginx 1.9.6 HTTP/2 enabled web server compiled against LibreSSL 2.2.4

nginx -V
nginx version: nginx/1.9.6
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.2.4
TLS SNI support enabled
configure arguments: --with-ld-opt=’-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib’ --with-cc-opt=’-m64 -mtune=native -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion’ --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-openssl-opt=enable-tlsext --add-module=…/nginx-module-vts --with-libatomic --with-threads --with-stream --with-stream_ssl_module --with-http_gzip_static_module --add-module=…/ngx_pagespeed-release-1.9.32.10-beta --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_realip_module --add-module=…/nginx-accesskey-2.0.3 --add-module=…/nginx-http-concat-master --add-module=…/ngx-fancyindex-ngx-fancyindex --add-module=…/ngx_cache_purge-2.3 --add-module=…/ngx_devel_kit-0.2.19 --add-module=…/set-misc-nginx-module-0.29 --add-module=…/echo-nginx-module-0.58 --add-module=…/redis2-nginx-module-0.12 --add-module=…/ngx_http_redis-0.3.7 --add-module=…/lua-nginx-module-0.9.16 --add-module=…/lua-upstream-nginx-module-0.03 --add-module=…/lua-upstream-cache-nginx-module-0.1.1 --add-module=…/nginx_upstream_check_module-0.3.0 --add-module=…/openresty-memc-nginx-module-4f6f78f --add-module=…/openresty-srcache-nginx-module-ffa9ab7 --add-module=…/headers-more-nginx-module-0.261 --with-pcre=…/pcre-8.37 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=…/libressl-2.2.4


Using the webroot domain verification method
Elementary Procedure
Will/does the letsencrypt client create a cert chain usable with OCSP stapling?
Error: unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: Name is not whitelisted
Using letsencrypt beta client with manual tls
Disable creating vhost
Is the webroot plugin's sub-directory consistent?
Letsencrypt asks for root password? Where to find good client documentaion?
Getting Bad Vibes
Python Error..?
#2

@eva2000, thanks for all your help on the forum and congratulations on your successful certificate issuance! I’m glad it’s working for you.


#3

thanks @schoen - very grateful to Kuba too - the webroot authentication IMHO is the best way for non-standard web servers to easily work with Letsencrypt for obtaining an SSL certificate as it’s alot easier to get the web server/distro user’s to come up with their own scripted https vhost generation before hand :smile:

All webroot authentication plugin needs now is multi-domain/SANs support :slight_smile: Maybe this suggestion https://github.com/letsencrypt/letsencrypt/pull/757#issuecomment-142507415

for multiple names, maybe allow multiple --webroot-path in an array and then if multiple -d nameXX are specified cycle through the --webroot-path array to check against the -d name XX values ?


30, 60, 90 days automating SSL renewal?
#4

Trying multi domain SAN SSL certificate via webroot authentication on CentminMod LEMP stack’s Nginx at https://community.centminmod.com/posts/20018/. Thanks to @Leliana for the idea Using the webroot domain verification method :slight_smile:

Of course some minor improvements suggested at https://github.com/letsencrypt/letsencrypt/issues/1260





Multi domain (SAN) certificate and webroot auth
Allow customizing the common name for SAN certificates
Domain name order
Multiple domains in config file (cli.ini)
What is the recommended Way to register for nginx proxy certs
#5

My latest progress with Letsencrypt webroot authentication integration into my CentminMod.com LEMP web stack https://community.centminmod.com/posts/20509/ - full automation of Letsencrypt SSL certificate deployment via my nginx vhost generator :smiley:

centmin.sh menu options via shell

 --------------------------------------------------------
Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
--------------------------------------------------------
                   Centmin Mod Menu                   
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + WP Super Cache
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 2
--------------------------------------------------------

and nginx vhost command line wizard

---------------------------------------------

Enter vhost domain name to add (without www. prefix): le10.http2ssl.xyz

Create a self-signed SSL certificate Nginx vhost? [y/n]: y

To get Letsencrypt SSL certificate, you must already have updated intended
domain vhost name's DNS A record to this server's IP addresss.
If top level domain, DNS A record is needed also for www. version of domain
otherwise, Letsencrypt domain name validation will fail.


le10.http2ssl.xyz is not a top level domain
your server IP address: 104.152.214.220
current DNS A record IP address for le10.http2ssl.xyz is: 104.152.214.220

Abort this Nginx vhost domain setup to setup proper DNS A record(s) first? [y/n]: n
Obtain Letsencrypt Free SSL certificate (90 day expiry / renew every 60 days) ? [y/n]: y


Support for ports other than 80 and 443
#6

Official site outline of my Centmin Mod LEMP stack’s LE integration http://centminmod.com/letsencrypt-freessl.html :sunglasses:


#7

Still working on Letsencrypt integration into my Centmin Mod LEMP stack installer. Just started testing my Wordpress auto installer routine which now adds Letsencrypt SSL support. So you can auto install Wordpress + WP Plugins + Nginx HTTP/2 SSL via Letsencrypt altogether https://community.centminmod.com/posts/21328/ :slight_smile:


What is the recommended Way to register for nginx proxy certs