Tutorial - Certbot Cloudflare DNS with Apache Web Servers on Ubuntu 16.10


#1

Hi All

If you follow the GitHub project you will notice a bunch of new authenticators for DNS service providers based on the Python DNS Lexicon concept.

If you follow the GitHub project closely you will see the status and progress of this work.

The purpose of this guide is to introduce these and work around some of the issues and possible approaches.

As always this is a guide not the gospel so learn from it and feel free to contribute.

A) Obtaining Certbot-Apache on Ubuntu 16.10
B) Packaging - No Native Packages for Ubuntu?
C) Installing With Python using PIP
D) Creating .INI Config
E) Testing Plugin Part 1 - Simple Certificate obtained via certonly
F) Testing Plugin Part 2 - Complex Example - SAN with Apache Installer - Setup
G) Testing Plugin Part 3 - Complex Example - SAN with Apache Installer Testing Post Install
H) Areas of work/improvement

Andrei


#2

Part 1: Obtain Certbot-Apache for Ubuntu 16.10

My VPS provider gave me an Ubuntu 16.10 instance which I updated to a recent version of Apache (2.4.18).

Following the instructions from the certbot homepage:

Running certbot plugins to confirm which plugins are available to us shows the apache, standalone and webroot plugins (as expected).

Andrei


#3

Part 2: Packaging - No Native Packages for Ubuntu?

I re-ran apt-get update to ensure that there weren’t sync issues and checked the available plugins in the repository.

A review of one of the issues seems to indicate this is in line with the current status of these plugins

Andrei


#4

Part 3: Installing With Python using PIP

The first bit to figure out is which Python interpreters are installed, as this will be relevant later.

On Ubuntu the command below achieved what was required; however, it may vary on other Linux systems.

Running which certbot allows me to work out which Python interpreter is being used.

A review of the available Python pip installers also shows me I should be using the pip3 command.

Running pip3 install certbot-dns-cloudflare installs the package into the Python environment.

I can then confirm that the plugin is available via the command certbot plugins.

To verify the functioning we can also install the google-dns installer using the same method:

pip3 install certbot-dns-google

Confirmation:

Andrei


#5

Part 4 - Creating .INI Config File

A review of the documentation shows that we need to provide an INI file with the authenticator. https://certbot.eff.org/docs/using.html

I created the .INI file under /etc/letsencrypt as that made the most sense at the time.

There are some instructions on how to deal with these files and the syntax needed:

https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/init.py

Essentially the INI file needs two parameters (a Cloudflare email address and an API key, which needs to be obtained from Cloudflare). Example content (from the init.py documentation):

dns_cloudflare_email = cloudflare@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567

Andrei


#6

Part 5 - Testing Plugin - Simple Certificate obtained via certonly

Obtaining the certificate without installing it is a pretty straightforward process. This plugin does a good job of providing friendly feedback if your parameters are not correct.

Command:

certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d simplecloudflare.firecube.xyz

Result of a Run:

Explanation of Error Message:

From the init.py file in the plugin

Certbot will emit a warning if it detects that the credentials file can be
accessed by other users on your system. The warning reads “Unsafe permissions
on credentials configuration file”, followed by the path to the credentials
file. This warning will be emitted each time Certbot uses the credentials file,
including for renewal, and cannot be silenced except by addressing the issue
(e.g., by using a command like chmod 600 to restrict access to the file).

As I did not follow this when I created the .INI file, the message persists.

Andrei
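As an added example (not the original poster's file and not certbot's own code), the following POSIX sh script writes the credentials INI described in Part 4 so that it is never readable by other users, and then checks it the way certbot's "Unsafe permissions on credentials configuration file" warning does. The path /etc/letsencrypt/cloudflare.ini and the placeholder email/API key are taken from the posts above as assumptions; the check is an approximation of certbot's (it only tests the group/other permission bits of the file).

```shell
#!/bin/sh
# Added example, not from the original post or from certbot itself.
# Creates the certbot-dns-cloudflare credentials file with owner-only
# permissions and verifies them the way certbot's "Unsafe permissions"
# warning does. Paths and credential values below are assumptions.
set -eu

# write_cloudflare_ini PATH EMAIL API_KEY
# Sets umask 077 before the redirection creates the file, so the file is
# never, even briefly, group/world readable; chmod 600 afterwards covers
# the case where the file already existed with loose permissions.
write_cloudflare_ini() {
    ini="$1" email="$2" key="$3"
    old_umask=$(umask)
    umask 077
    printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' \
        "$email" "$key" > "$ini"
    umask "$old_umask"
    chmod 600 "$ini"
}

# check_private PATH
# Returns 0 if the group and other permission bits are all clear
# (-rw------- or stricter), 1 otherwise. Characters 5-10 of ls -ld output
# are the group/other rwx bits on both GNU and BSD userlands, which keeps
# this portable without relying on stat(1) option syntax.
check_private() {
    ini="$1"
    bits=$(ls -ld "$ini" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Usage (assumed values; the key is the placeholder from the plugin docs):
#   write_cloudflare_ini /etc/letsencrypt/cloudflare.ini \
#       cloudflare@example.com 0123456789abcdef0123456789abcdef01234567
#   check_private /etc/letsencrypt/cloudflare.ini \
#       || echo "certbot will warn: Unsafe permissions on credentials configuration file"
```

Run it as root (or the user certbot runs as) so the file is owned by the account that will read it; the warning is about other users being able to read an API key that can change any DNS record in the zone, so ownership matters as much as the mode bits.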


#7

Part 6 - Complex Example - SAN with Apache Installer - Setup

In order to perform the complex example (certbot-dns-cloudflare as the authenticator and apache as the installer), we need to do some prep work first.

Confirm path of previously created certificate

We will use this certificate for the binding instead of a self signed one as it’s quicker

Create VHOST Files (One for HTTP and one for HTTPS):

Create DNS Records:

Confirm Functioning of website before running command:

HTTP not Redirected to HTTPS

Incorrect HTTPS Certificate in Use

Andrei


#8

Part 7 - Complex Example - SAN with Apache Installer Testing Post Install

Command to perform the installation and obtain the new certificate:

certbot --authenticator dns-cloudflare --installer apache --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d complexcloudflare.firecube.xyz -d hardcloudflare.firecube.xyz

I chose to add redirects as part of the install dialog.

Post Install VHOST Config Files (with changes outlined):

Website confirmation:

Andrei
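The VHOST files from Parts 6 and 7 are only shown as screenshots above, so here is an added example (not the original poster's configuration and not output of the apache installer) of what the post-install state looks like written by hand: one HTTP vhost that redirects to HTTPS and one HTTPS vhost bound to the paths certbot maintains under /etc/letsencrypt/live/<name>/. The domain, document root and output directory are parameters (assumptions for illustration), and the RewriteCond/RewriteRule pair is modelled on the redirect the apache installer adds when you choose that option, not copied from it.

```shell
#!/bin/sh
# Added example, not from the original post and not generated by certbot.
# write_vhosts NAME DOCROOT OUTDIR
#   writes OUTDIR/NAME.conf (port 80, redirect only) and
#   OUTDIR/NAME-ssl.conf (port 443, certbot-managed cert paths).
set -eu

write_vhosts() {
    name="$1" docroot="$2" outdir="$3"
    # certbot keeps these symlinks pointing at the newest certificate, so a
    # renewal only needs an Apache reload, never a config edit.
    live="/etc/letsencrypt/live/$name"

    # HTTP vhost: serve nothing, redirect everything to HTTPS.
    # The RewriteCond/RewriteRule form is modelled on the installer's
    # redirect option (assumption; verify against your own post-install file).
    cat > "$outdir/$name.conf" <<EOF
<VirtualHost *:80>
    ServerName $name
    DocumentRoot $docroot
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =$name
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF

    # HTTPS vhost: bind the certbot-managed chain and key.
    cat > "$outdir/$name-ssl.conf" <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName $name
    DocumentRoot $docroot
    SSLEngine on
    SSLCertificateFile $live/fullchain.pem
    SSLCertificateKeyFile $live/privkey.pem
</VirtualHost>
</IfModule>
EOF
}

# Usage (assumed values matching the names used in this thread):
#   write_vhosts complexcloudflare.firecube.xyz /var/www/html /etc/apache2/sites-available
#   a2enmod ssl rewrite && a2ensite complexcloudflare.firecube.xyz complexcloudflare.firecube.xyz-ssl
#   apachectl configtest && systemctl reload apache2
```

For the SAN case in Part 7 (two -d names on one certificate) either add a ServerAlias for the second name or call the function once per name; both names resolve to the same live/ directory only if they were issued together, so check which directory certbot reports as the cert's lineage before binding.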


#9

Areas of work/improvement

Where to store the INI file -

@bmw @schoen - are there any recommendations as to where to store the INI file for security? The init.py file has a suggestion, ~/.secrets/certbot/cloudflare.ini; is this universal Linux or for specific distros?

The chmod command works to remove the error messages (chmod 600).

Use Staging First -

I usually recommend that you use --staging flag to ensure that you do not breach any rate limits while testing

Keep an eye for packaging announcements and availability -

While the method in this article will work for installation, official OS packages (when available) should be used.

Create staging and testing VHOST configs for testing -

While testing it would be ideal to use non production VHOST configs but this does require extra DNS records

Andrei


#10

There is really no standard place to put INI files like this. This was just a suggestion.

For those curious about security of this process, take a look at the relevant discussion on the PR that introduced this documentation.


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.