====== Let's Encrypt Free SSL Certificates ======

See also **[[internet:security:ssl_cert_letsencrypt_zimbra|Using LetsEncrypt SSL Certificates with Zimbra]]**

**Home Page**: https://letsencrypt.org/certificates/

**Documentation**: https://certbot.eff.org/all-instructions/

**Webmin**: https://doxfer.webmin.com/Webmin/Let's_Encrypt

===== DNS =====

CAA records authorize SSL certificate issuance by certain certificate authorities.

For Virtualmin managed domains, manually enter something like:

<file>
hostname.domain.tld.	IN	CAA	0 issue "letsencrypt.org"
</file>

===== SSL Certificate Testing =====

**Test Your Certs**: https://www.digicert.com/help/

  * **Free** new service with goal of 100% HTTPS for web traffic
    * By the non-profit Internet Security Research Group (ISRG)
  * **Trusted** by most all browsers
    * Currently due to cross-signing by IdenTrust
    * Let’s Encrypt Authority X3 (issuer)
    * DST Root CA X3 (IdenTrust cross-signing CA chain certificate)
  * **SAN** certificates
    * Add multiple **Subject Alternative Names**

===== Microsoft Windows =====

==== Certify the Web ====

**Home**: https://certifytheweb.com/

**Single**: https://support.centrestack.com/hc/en-us/articles/360010229973-Obtaining-a-Server-Certificate-from-Let-s-Encrypt-Using-Certify-The-Web

**Wildcard**: https://support.centrestack.com/hc/en-us/articles/360010235053-Obtaining-a-Wildcard-Certificate-from-Let-s-Encrypt-Using-Certify-The-Web

==== win-acme ====

**Home**: https://github.com/PKISharp/win-acme/wiki/Basic-usage

**How to Run**: https://github.com/PKISharp/win-acme/wiki/How-to-Run

This is a simple CLI tool that automates a great deal while allowing for numerous configurations.

This script is still under heavy development.

===== Microsoft Exchange =====

**Exchange 2016 HowTo**: https://www.netometer.com/video/tutorials/How-to-Install-LetsEncrypt-Certificate-in-Exchange-Server/

**Exchange 2016 HowTo**: https://mediarealm.com.au/articles/lets-encrypt-microsoft-exchange-installation/

===== Apache =====

:!: Make sure the site works as desired before attempting to acquire a LetsEncrypt cert!

==== ServerAlias ====

If you need to add a SAN (Subject Alternative Name) to a LetsEncrypt cert, you first have to make the web server serve that SAN.  One way is to add a ''ServerAlias'' to the site's Apache configuration file:

**Virtualmin -> <vserver> -> Services -> Configure Website -> Edit Directives**

or edit ''/etc/apache2/sites-available/yourdomain.tld.conf'', adding:

<file>
ServerAlias desiredalias.yourdomain.tld
</file>

:!: With LetsEncrypt, it's currently difficult to add the SAN **and** redirect it to a folder.  Here we just redirect it 

===== Ubuntu 16.04 =====

==== Apache ====

:!: This will install Apache if not already installed.

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache

<file>
apt-get update && apt-get -y install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update && apt-get -y install python-certbot-apache
</file>

==== Renewal ====

<file>
certbot renew --dry-run
</file>

===== Virtualmin =====

:!: Make sure the site works as desired before attempting to acquire a LetsEncrypt cert!

Virtualmin supports Let's Encrypt SSL certificates for hosted virtual servers.

  - **Edit** the desired virtual server
    - **Enable SSL**
  - **Request** a Let's Encrypt certificate

**Virtualmin -> <domain> -> Edit Virtual Server -> Apache SSL website -> Enable -> Save**

**Virtualmin -> <domain> -> Server Configuration -> Manage SSL Certificate -> Let's Encrypt**

==== mail.domain.tld ====

https://www.virtualmin.com/comment/785483#comment-785483

===== Webmin =====

<note important>Webmin works well with Apache and HTTP validation.  However, you can also use DNS validation if you don't have Apache installed and you don't want to open ports 80 and 443 in the firewall.  However, DNS validation is not documented well here, particularly renewals.</note>

==== DNS ====

https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation

https://certbot.eff.org/docs/using.html#manual

:!: Add this for testing: <file>--staging</file>

<file>
apt install certbot

certbot -d hostname.yourdomain.tld --manual --preferred-challenges dns certonly

certbot renew --dry-run

certbot certificates
</file>

==== HTTP ====

**Documentation**: https://doxfer.webmin.com/Webmin/Let's_Encrypt

**More Info**: http://webmin.com/ssl.html

Webmin also supports Let's Encrypt SSL certificates.

**Webmin -> Webmin -> Webmin Configuration -> SSL Encryption -> Let's Encrypt**

{{ :internet:security:letsencrypt_webmin_request.png?750 |Request a Let's Encrypt Cert}}

{{ :internet:security:letsencrypt_webmin_success.png?750 |Successful}}

{{ :internet:security:letsencrypt_webmin_ssl_settings.png?750 |Resultant Webmin SSL Settings}}

===== Log Rotation =====

:!: Certbot has its own log rotation.

**/etc/logrotate.d/letsencrypt**

<file>
/var/log/letsencrypt/letsencrypt.log {
  daily
  rotate 0
  firstaction
    /usr/bin/find /var/log/letsencrypt/ -name "letsencrypt.log.*" -mtime +100 -delete
  endscript
  nocreate
  missingok
  notifempty
}
</file>

Test:

<file>
ll /var/log/letsencrypt/   #before
logrotate -f /etc/logrotate.d/letsencrypt
ll /var/log/letsencrypt/   #after
</file>

===== Troubleshooting =====

**Remove scheduled task and registry key** (HKEY_LOCAL_MACHINE\Software\letsencrypt-win-simple), then perform an ''iisreset'' as an administrator.

Increase verbosity: <file>--verbose</file>