Letsencrypt's free SSL certificate offering has been a great service to the Internet community and especially to those who run small websites for personal or family use without being able to afford the prohibitive SSL certificates offered by big name providers. We only hope that a similar route will be made for domain name registration, as lately registrars have turned domain registration into highway robbery!
The purpose of this quick write-up is to show you how you can take advantage of Letsencrypt's free SSL certificate offering for your pfSense firewall/gateway, Apache Web server, Webmin, SABnzbd news downloader and Citadel Mail; five products that most small-scale sites use for personal or family oriented data sharing and communications.
But first, let's see how we setup a Letsencrypt account and get certificates made for our sites.
To do that, using your favorite web browser go to letsencrypt.org and click on the large button labeled Getting Started. That will take you to a page that explains the different ways you can interact with Letsencrypt and get your domain name ownership verified. Here we will assume that you have a few servers with a few different domain names all sitting behind a NAT firewall with a single public IP address. We will also assume that you have SSH access to your server(s). Therefore, we will focus on the section of the Getting Started document covering shell access. To that end we will need to pick an ACME client. Letsencrypt suggests Certbot, the one made by the Electronic Frontier Foundation (EFF), which is fine by us. Alternatively you can pick a different ACME client here.
To install EFF's Certbot ACME client you can find instructions here according to your computer's operating system.
The following tutorial shows how to install it on Linux Mint, Ubuntu or any other Debian derivative. Basically you will be running a typical command like the one below:
./path/to/certbot-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is
In our practical case, we assume that our domain name is bailey.net and our single server that runs Webmin, Apache, Citadel Mail and SABnzbd is called beetle resulting in a fully qualified domain name of beetle.bailey.net. We also assume that our pfSense firewall/gateway is simply called pfsense.bailey.net.
As we request our SSL certificate from Letsencrypt, we will make a single run with the following command so that our certificate actually covers everything we need:
~/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/cli.ini -d bailey.net -d www.bailey.net -d pfsense.bailey.net -d beetle.bailey.net certonly
(Our Letsencrypt client being a bit old, its name is letsencrypt-auto. Newer versions are called certbot-auto.)
Our cli.ini file (used above) contains the following information:
authenticator = webroot
webroot-path = /var/www/html
server = https://acme-v01.api.letsencrypt.org/directory
renew-by-default
agree-tos
email = email@example.com
Alternatively you could run the following command (assuming that certbot-auto was installed in the ~/letsencrypt directory) which omits the use of the cli.ini file. Note that -w must point at the directory your web server actually serves (the same /var/www/html as webroot-path above), because that is where Letsencrypt's prober will look for the challenge file; it must not point at the certificate directory:
~/letsencrypt/certbot-auto certonly --webroot -w /var/www/html -d bailey.net -d www.bailey.net -d pfsense.bailey.net -d beetle.bailey.net
After a few minutes of data crunching, if everything is ok with our cli.ini file and our public internet facing plain vanilla web server is properly accessible by Letsencrypt's remote prober, there will be a message saying that everything went well and your SSL certificate is stored under bailey.net (/etc/letsencrypt/live/bailey.net). There you should see 4 files named cert.pem, chain.pem, privkey.pem, fullchain.pem. All of them are text files that can be read with a text editor.
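Before copying those four files into five different products, it pays to check them once. As an added example (not from the original post), here is a small POSIX shell script that does that with nothing but the openssl command line tool: it confirms that privkey.pem really belongs to the certificate in fullchain.pem, that every name you passed with -d is present in the certificate, and that the certificate is not about to expire. The file names and /etc/letsencrypt/live/bailey.net are the post's own; the script name check-le.sh is made up.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks on the four files
# certbot leaves under /etc/letsencrypt/live/<name>, using only the openssl CLI.
# The lineage directory and the host names are passed in on the command line;
# bailey.net and friends are the post's sample names.
set -u

# 0 if the public key inside the first certificate of $1 matches private key $2.
# fullchain.pem starts with the leaf certificate, so it can be used directly.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if $2 appears verbatim as a DNS entry in the subjectAltName of certificate $1.
# Let's Encrypt puts every -d name into the SAN list; checking the CN alone misses the rest.
cert_covers_name() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | tr ',' '\n' \
    | sed -n 's/^ *DNS:\(.*\)$/\1/p' \
    | grep -qx "$2"
}

# 0 if certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# verify_lineage DIR NAME... : all four files present and non-empty, key matches
# certificate, every NAME covered, at least 30 days of validity left.
# Prints the first failure to stderr and returns 1; prints "ok: ..." on success.
verify_lineage() {
  dir="$1"; shift
  for f in cert.pem chain.pem privkey.pem fullchain.pem; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
  done
  cert_key_match "$dir/fullchain.pem" "$dir/privkey.pem" \
    || { echo "privkey.pem does not match fullchain.pem" >&2; return 1; }
  for n in "$@"; do
    cert_covers_name "$dir/fullchain.pem" "$n" \
      || { echo "certificate does not cover $n" >&2; return 1; }
  done
  cert_valid_for_days "$dir/fullchain.pem" 30 \
    || { echo "certificate expires within 30 days, renew it" >&2; return 1; }
  echo "ok: $dir covers $*"
}

# Stand-alone use (hypothetical script name):
#   sh check-le.sh /etc/letsencrypt/live/bailey.net bailey.net www.bailey.net pfsense.bailey.net beetle.bailey.net
if [ $# -gt 0 ]; then
  verify_lineage "$@"
fi
```

The name check is the one that catches the most common mistake: requesting the certificate with a shorter -d list than the set of hosts you then configure it on, which only shows up later as a browser warning on pfsense.bailey.net or beetle.bailey.net.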
Now in no particular order:
pfSense should be used with HTTPS enabled, especially if it is going to be accessible from the WAN side. Thankfully, switching it to HTTPS is a snap through its menu selections. Adding a valid SSL certificate is also very easy, but rather than copying the files into its file system, we will have to cut and paste into its interactive windows. This is for file system integrity: although we know where the certificate files are located and how they are accessed, we prefer to abide by the software designers' pathway. So, to enter our certificate information we need two things: 1) the key file content and 2) the full chain certificate content, which we can easily get from privkey.pem and fullchain.pem respectively, as these are all text files as you probably know by now.
Citadel Mail's SSL certificates are located in two places, one for the integrated web server called webcit (/etc/ssl/webcit) and one for the actual eMail server Citadel (/etc/ssl/citadel). Both locations require that the key portion of the SSL certificate is put in a file called citadel.key and the certificate part in a file named citadel.cer. Further, the certificate part needs to be a full chain of trust as opposed to just the base certificate part. Therefore, we would actually copy fullchain.pem received from Letsencrypt into citadel.cer and privkey.pem into citadel.key, and this for both the email server (/etc/ssl/citadel) and web server (/etc/ssl/webcit) locations.
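Letsencrypt certificates expire after 90 days, so copying into the two Citadel directories by hand gets old quickly. As an added example (not part of the post, nor of Citadel or certbot), here is a certbot deploy hook that performs exactly the copy described above. It relies on certbot exporting RENEWED_LINEAGE to a --deploy-hook script, which newer certbot does (the post's older letsencrypt-auto may not); the destination paths and file names are the post's; the service names citadel and webcit and the script name deploy-citadel.sh are assumptions to adjust for your install.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot --deploy-hook that copies
# a renewed Let's Encrypt lineage into the two Citadel locations the post names.
# Assumed: certbot sets RENEWED_LINEAGE for deploy hooks; /etc/ssl/citadel and
# /etc/ssl/webcit are from the post; the systemd unit names are a guess.
set -eu

# Copy privkey.pem -> citadel.key and fullchain.pem -> citadel.cer into $2.
# Files are created under a restrictive umask and renamed into place, so a
# daemon re-reading the directory never sees a half-written or readable key.
install_citadel_pair() {
  lineage="$1"; dest="$2"
  mkdir -p "$dest"
  ( umask 077
    cp "$lineage/privkey.pem"   "$dest/citadel.key.tmp"
    cp "$lineage/fullchain.pem" "$dest/citadel.cer.tmp" )
  chmod 600 "$dest/citadel.key.tmp"   # private key: owner only
  chmod 644 "$dest/citadel.cer.tmp"   # certificate chain is public anyway
  mv "$dest/citadel.key.tmp" "$dest/citadel.key"
  mv "$dest/citadel.cer.tmp" "$dest/citadel.cer"
}

# Deploy to both the mail server and webcit directories, then restart them.
# CITADEL_DIR / WEBCIT_DIR can be overridden for testing or non-standard layouts.
deploy_citadel() {
  lineage="$RENEWED_LINEAGE"
  install_citadel_pair "$lineage" "${CITADEL_DIR:-/etc/ssl/citadel}"
  install_citadel_pair "$lineage" "${WEBCIT_DIR:-/etc/ssl/webcit}"
  # Unit names are an assumption; if the daemons run as a non-root user,
  # chown the key files to that user here as well.
  for svc in citadel webcit; do
    if command -v systemctl >/dev/null 2>&1; then
      systemctl restart "$svc" || echo "could not restart $svc" >&2
    fi
  done
}

# certbot sets RENEWED_LINEAGE when it calls the hook; otherwise do nothing,
# so sourcing or running the file without it is harmless.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_citadel
fi
```

Point certbot at it with certbot renew --deploy-hook /usr/local/sbin/deploy-citadel.sh, or run it once by hand with RENEWED_LINEAGE=/etc/letsencrypt/live/bailey.net sh deploy-citadel.sh. The temporary-file-then-rename step matters because a mail server restarted while citadel.key is half written will refuse to start, and the umask keeps the key from ever being world-readable, even for an instant.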
Webmin's own web server requires a certificate that can be entered through the interactive Webmin pages. For that, browse to your computer's Webmin page (most likely something like http(s)://myserver.com:10000), then navigate to the Webmin > Webmin Configuration page by clicking on the selectors on the top left corner of the Webmin access page. Once there, click on the icon named SSL Encryption to get to the page where the certificate files are identified for Webmin's own web server use. Of all the entries shown only three need to be adjusted: 1) Private key file, 2) Certificate file, and 3) Additional certificate files for chained certificates. Typically we enter the full local storage path for privkey.pem in 1, cert.pem in 2, and fullchain.pem in 3. After saving our adjustments, restarting Webmin and signing into it from a new instance of a web browser (to ensure that the internal cache is flushed) does the trick.
Apache Web Server is most easily managed through Webmin, and we will set up its SSL certificate via Webmin's Apache management pages. For that, browse to your computer's Webmin page (most likely something like http(s)://myserver.com:10000), then navigate to the Servers > Apache Webserver page by clicking on the selectors on the top left corner of the initial Webmin page. Once on the Apache page, under the Existing virtual hosts tab, click on the virtual host that has port 443 assigned to it; that is your HTTPS server. That will open up the Virtual Server Options page where you will find the SSL Options icon. After clicking on the SSL Options icon you will be taken to a short page where the SSL certificate location information is entered through 1) Certificate/private key file, 2) Private key file, 3) Certificate authorities file. Enter the full path of the file cert.pem for 1, the full path of privkey.pem for 2, and the full path of fullchain.pem for 3. Then save your modifications and restart the Apache web server. Log in from a new browser tab so that no cached data is used and verify that your site is secured with your Letsencrypt SSL certificate.
SABnzbd is an NNTP downloader which behaves as a local web server for its users. It can be secured with SSL. For that, start sabnzbd from your desktop menu. It will automatically open up a web browser page and point to the internal sabnzbd web server page. Log in and go to Config (top menu bar to the left). It will open to a page where many sabnzbd system parameters can be set. On the left of the window select General. It will bring up the web server settings including the SSL certificate storage location. Under HTTPS Support ensure that 1) HTTPS Certificate is set to the full path of the locally stored file cert.pem, 2) HTTPS Key is set to the full path of the locally stored file privkey.pem and 3) HTTPS Chain Certificates is set to the full path of the locally stored file fullchain.pem. Then save and restart sabnzbd. Log in from a new web browser tab as admin and check to see that the new SSL certificate is in use by sabnzbd's built-in web server.
© Copyright 1991-2019 – cilicia.us & The Cilician Gazette – All rights reserved