Tutorial - Certbot Cloudflare DNS with Apache Web Servers on Ubuntu 16.10

ahaw021 · July 25, 2017, 11:36am

Hi All

If you follow the Github you will notice a bunch of new auhtenticators around DNS Service providers based on the Python DNS Lexicon concept.

If you follow the github project closely you will see the status and progress of this project

The purpose of this guide is to introduce these and work around some of the issues and possible approaches.

As always this is a guide not the gospel so learn from it and feel free to contribute.

A) Obtaining Certbot-Apache on Ubuntu 16.10
B) Packaging - No Native Packages for Ubuntu?
C) Installing With Python using PIP
D) Creating .INI Config
E) Testing Plugin Part 1 - Simple Certificate obtained via certonly
F) Testing Plugin Part 2 - Complex Example - SAN with Apache Installer - Setup
G) Testing Plugin Part 3 - Complex Example - SAN with Apache Installer Testing Post Install
H) Areas of work/improvement

Andrei

ahaw021 · July 25, 2017, 11:43am

Part 1: Obtain Certbot-Apache for Ubuntu 16.10

My VPS provider gave me a Ubuntu 16.10 instance which I updated to a recent version of Apache (2.4.18)

Following the instructions from the certbot homepage:

Running certbot plugins to confirm what plugins are available to us, shows the apache, standalone and webroot plugins (as expected)

Andrei

ahaw021 · July 25, 2017, 11:47am

Part 2: Packaging - No Native Packages for Ubuntu?

I re-ran apt-get update to ensure that there weren’t sync issues and check the the available plugins in the repository.

A review of one of the issues seems to indicate this is in line with the current status of these plugins

Andrei

ahaw021 · July 25, 2017, 12:05pm

Part 3: Installing With Python using PIP

The first bit to figure is which python interpreters are installed as this will be relevant later

On Ubuntu the command below achieved what was required however it may vary on other linux systems

running which certbot allows me to work out and which python interpreter is being used

a review of the available python pip installers also show me I should be using pip3 command

running pip3 install certbot-dns-cloudflare installs the package into the python environment

I can then confirm that the plugin is available via the command certbot plugins

To verify the functioning we call also install the google-dns installer using the same method

pip3 install certbot-dns-google

Confirmation:

Andrei

ahaw021 · July 25, 2017, 12:13pm

Part 4 - Creating .INI Config File

A review of the documentation shows that we need to provide a INI file with the authenticator. User Guide — Certbot 2.7.0.dev0 documentation

I created the .INI file under /etc/letsencrypt as that made the most sense at the time.

There are some instructions on how to deal with these files and syntax needed

github.com

certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/init.py

"""
The `~certbot_dns_cloudflare.dns_cloudflare` plugin automates the process of
completing a ``dns-01`` challenge (`~acme.challenges.DNS01`) by creating, and
subsequently removing, TXT records using the Cloudflare API.

.. note::
   The plugin is not installed by default. It can be installed by heading to
   `certbot.eff.org <https://certbot.eff.org/instructions#wildcard>`_, choosing your system and
   selecting the Wildcard tab.

Named Arguments
---------------

========================================  =====================================
``--dns-cloudflare-credentials``          Cloudflare credentials_ INI file.
                                          (Required)
``--dns-cloudflare-propagation-seconds``  The number of seconds to wait for DNS
                                          to propagate before asking the ACME
                                          server to verify the DNS record.
                                          (Default: 10)

This file has been truncated. show original

Essentially the INI File Needs two paramaters (cloudflare email and an API key which needs to be obtained from cloudflare). Example content (from init.py documentation)

dns_cloudflare_email = cloudflare@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567

Andrei

ahaw021 · July 25, 2017, 12:19pm

Part 5 - Testing Plugin - Simple Certificate obtained via certonly

Obtaining the certificate without installing it is a pretty straight forward process. This plugin does a good job of providing friendly feedback if your parameters are not correct.

Command:

certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d simplecloudflare.firecube.xyz

Result of a Run:

Explanation of Error Message:

From the init.py file in the plugin

Certbot will emit a warning if it detects that the credentials file can be
accessed by other users on your system. The warning reads "Unsafe permissions
on credentials configuration file", followed by the path to the credentials
file. This warning will be emitted each time Certbot uses the credentials file,
including for renewal, and cannot be silenced except by addressing the issue
(e.g., by using a command like chmod 600 to restrict access to the file).

As I did not follow this when I created the .INI file the messages persists.

Andrei

ahaw021 · July 25, 2017, 12:26pm

Part 6 - Complex Example - SAN with Apache Installer - Setup

In order to perform the complex example: certbot-dns-cloudflare as the authenticator and apache as the installer we need to do some prep work first.

Confirm path of previously created certificate

We will use this certificate for the binding instead of a self signed one as it’s quicker

Create VHOST Files (One for HTTP and one for HTTPS):

Create DNS Records:

Confirm Functioning of website before running command:

HTTP not Redirected to HTTPS

Incorrect HTTPS Certificate in Use

Andrei

ahaw021 · July 25, 2017, 12:33pm

Part 7 - Complex Example - SAN with Apache Installer Testing Post Install

command to perform the installation and obtaining of new certificate

certbot --authenticator dns-cloudflare --installer apache --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d complexcloudflare.firecube.xyz -d hardcloudflare.firecube.xyz

I chose to add re-directs as part of the install dialog

Post Install VHOST Config Files (with changes outlined):

Website confirmation:

Andrei

ahaw021 · July 25, 2017, 12:44pm

Areas of work/improvement

Where to store the INI file -

@bmw @schoen - are there any recommendations as to where to store the INI file for security? The init.py file has a suggestion. ~/.secrets/certbot/cloudflare.ini is this a universal linux or for specific distros.

The CMOD command works to remove the error messages (chmod 600)

Use Staging First -

I usually recommend that you use --staging flag to ensure that you do not breach any rate limits while testing

Keep an eye for packaging announcements and availability -

While the method in this article will work for install official os packages (when available) should be used

Create staging and testing VHOST configs for testing -

While testing it would be ideal to use non production VHOST configs but this does require extra DNS records

Andrei

bmw · July 25, 2017, 6:55pm

There is really no standard place to put INI files like this. This was just a suggestion.

For those curious about security of this process, take a look at the relevant discussion on the PR that introduced this documentation.

system · August 24, 2017, 6:55pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certbot 0.16.0 has been released Client dev	1	1533	August 5, 2017
Certbot 0.15.0 has been released Client dev	1	1787	July 8, 2017
Certbot version 0.12.0 Client dev	1	1357	April 1, 2017
Certbot 0.20.0 Release Client dev	1	1733	January 6, 2018
Certbot Version 0.14.1 Client dev	1	1437	June 15, 2017

Tutorial - Certbot Cloudflare DNS with Apache Web Servers on Ubuntu 16.10

Part 1: Obtain Certbot-Apache for Ubuntu 16.10

Part 2: Packaging - No Native Packages for Ubuntu?

Part 3: Installing With Python using PIP

Part 4 - Creating .INI Config File

Part 5 - Testing Plugin - Simple Certificate obtained via certonly

Part 6 - Complex Example - SAN with Apache Installer - Setup

Part 7 - Complex Example - SAN with Apache Installer Testing Post Install

Related topics