Server Certificates with LetsEncrypt

From Bondix Wiki
Revision as of 14:36, 12 July 2023 by Sylvia

Set up Bondix SANE Server with LetsEncrypt

To use a Let's Encrypt certificate with Bondix, you first need a (sub)domain whose DNS A (or AAAA) record points at your server's public IP. The "standalone" method used below answers Let's Encrypt's HTTP-01 challenge on port 80, so port 80 on that IP must be reachable from the Internet and must not be in use by another service while certbot runs, both at the first issuance and at every renewal.

First, make sure that certbot, the Let's Encrypt client, is installed. On Ubuntu or other Debian-based systems:

sudo apt install certbot

Afterwards, run certbot with the argument "certonly", so that it only obtains the certificate and does not try to configure a web server itself. Certbot will ask how it should authenticate; select the temporary webserver method ("standalone"). A few follow-up questions need to be answered before it eventually asks for the domain name that you would like a certificate for:

~# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): your@email.here

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): your.domain.name
Requesting a certificate for your.domain.name

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/your.domain.name/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/your.domain.name/privkey.pem
This certificate expires on 20xx-xx-xx.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(In the transcript above, the parts you type are the answers 1, your@email.here, y, n and your.domain.name. The e-mail address, the domain name, the expiry date and the Terms of Service version will differ in your scenario.)

We now have a certificate and a key file. Certbot keeps both under /etc/letsencrypt/archive/ and points to the current versions through the symlinks in /etc/letsencrypt/live/; by default the private key is readable only by root. If the Bondix service does not run as root, the account it runs as must be given read access to the key, otherwise the server cannot load it. To tell the Bondix SANE server to use these files, edit /etc/saneserver.json.

In that file, we are looking for a line that looks like this:

    {"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "443", "allowMonitor": true},

Extend this line so that it points to the certificate and key file (the two paths certbot printed above), like this:

{"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "443", "allowMonitor": true, 
 "cert": "/etc/letsencrypt/live/your.domain.name/fullchain.pem",
 "key": "/etc/letsencrypt/live/your.domain.name/privkey.pem"},

Make sure that the file is still valid JSON (note the comma after the "cert" line and the closing brace and comma at the end). Then restart the server via:

sudo systemctl restart bondix

Finally, test that you can reach your server at https://your.domain.name without a certificate warning. If you do get a warning, the new files were not picked up: re-check the paths and the JSON in /etc/saneserver.json and the read permissions on the key.

Certbot's scheduled task rewrites the files under /etc/letsencrypt/live/ when it renews the certificate, but unless the Bondix server re-reads them on its own it will keep serving the old certificate until it is restarted. Certbot runs every executable placed in /etc/letsencrypt/renewal-hooks/deploy/ after each successful renewal, so a small script there that runs "systemctl restart bondix" keeps the server on the current certificate without manual intervention.
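The configuration edit above is small but easy to get wrong by hand (a missing comma, a mistyped path), and it has to survive certbot's unattended renewals. The following script is an added example for this page, not part of Bondix or Certbot: it finds the add-https entry in /etc/saneserver.json, writes the certbot paths for the given domain, rewrites the file atomically so an unparsable config is never left behind, and warns if the private key is missing, world-readable or unreadable by the current user. Run by certbot as a deploy hook, it restarts the service only when the renewed lineage is the one the config actually uses. Assumptions: only what the page shows about the config (an object with "target": "server" and "action": "add-https" somewhere in the JSON), the systemd unit name bondix, and certbot's documented RENEWED_LINEAGE variable; the script name sane_le.py is mine.

```python
#!/usr/bin/env python3
"""Point /etc/saneserver.json at a Let's Encrypt lineage and keep it pointed
across renewals. Added example for this page, not Bondix or Certbot code.
Assumed from the page: the config holds a {"target": "server", "action":
"add-https", ...} object somewhere, and the systemd unit is "bondix".
Assumed from certbot's docs: deploy hooks run with RENEWED_LINEAGE set to
the lineage directory, e.g. /etc/letsencrypt/live/your.domain.name.
  sane_le.py /etc/saneserver.json your.domain.name          # one-time edit
  certbot renew --deploy-hook /usr/local/sbin/sane_le.py    # restart on renewal
"""
import json
import os
import stat
import subprocess
import sys
import tempfile

LIVE_DIR = "/etc/letsencrypt/live"
SERVICE = "bondix"  # assumed unit name, as used by the page's restart command

def le_paths(domain, live_dir=LIVE_DIR):
    """The fullchain/privkey paths certbot reports for a lineage."""
    base = os.path.join(live_dir, domain)
    return os.path.join(base, "fullchain.pem"), os.path.join(base, "privkey.pem")

def find_https_entry(node):
    """Depth-first search for the add-https object, wherever the file keeps it."""
    if isinstance(node, dict):
        if node.get("target") == "server" and node.get("action") == "add-https":
            return node
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        hit = find_https_entry(child)
        if hit is not None:
            return hit
    return None

def set_cert_paths(config, cert, key):
    """Set cert/key on the add-https entry; mutates and returns config."""
    entry = find_https_entry(config)
    if entry is None:
        raise ValueError('no {"target": "server", "action": "add-https"} entry found')
    entry["cert"], entry["key"] = cert, key
    return config

def patch_config_file(path, cert, key):
    """Rewrite the config atomically so a broken or half-written file is never left behind."""
    with open(path) as fh:
        config = json.load(fh)
    text = json.dumps(set_cert_paths(config, cert, key), indent=2) + "\n"
    json.loads(text)  # re-parse before touching the real file
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".saneserver.")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, stat.S_IMODE(os.stat(path).st_mode))  # keep the original mode
    os.replace(tmp, path)
    return config

def key_file_problems(key_path):
    """Before restarting: is the key present, private, and readable by us?"""
    if not os.path.exists(key_path):
        return ["key file missing: is this the domain certbot issued for?"]
    problems = []
    mode = stat.S_IMODE(os.stat(key_path).st_mode)  # os.stat follows the live/ symlink
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("private key is group/world accessible (mode %o)" % mode)
    if not os.access(key_path, os.R_OK):
        problems.append("the current user cannot read the private key")
    return problems

def renewal_needs_restart(config, renewed_lineage):
    """Deploy-hook decision: restart only when the renewed lineage is the one in use."""
    entry = find_https_entry(config)
    if entry is None or not renewed_lineage:
        return False
    configured = os.path.dirname(entry.get("cert", ""))
    return os.path.normpath(configured) == os.path.normpath(renewed_lineage)

def main(argv):
    config_path = argv[1] if len(argv) > 1 else "/etc/saneserver.json"
    lineage = os.environ.get("RENEWED_LINEAGE")
    if lineage:  # invoked by certbot after a successful renewal
        with open(config_path) as fh:
            config = json.load(fh)
        if renewal_needs_restart(config, lineage):
            subprocess.run(["systemctl", "restart", SERVICE], check=True)
        return 0
    if len(argv) != 3:
        print("usage: sane_le.py CONFIG DOMAIN", file=sys.stderr)
        return 2
    cert, key = le_paths(argv[2])
    for problem in key_file_problems(key):
        print("warning:", problem, file=sys.stderr)
    patch_config_file(config_path, cert, key)
    print("updated", config_path, "- now run: sudo systemctl restart", SERVICE)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The atomic write (temporary file in the same directory, then os.replace) matters because the service reads the config at start-up: if the rewrite were interrupted half-way, the next restart would fail on a truncated file. The deploy hook compares the lineage directory certbot reports against the directory of the configured cert path, so a renewal of some other certificate on the same host does not bounce the Bondix service. The script reformats the JSON with two-space indentation; the content is unchanged but hand-made layout is not preserved.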