For those of you who haven’t heard about the Let’s Encrypt project, I recommend you check them out here. It’s a great idea to automate the process of requesting and installing website certificates. Not to mention, they are free! Encryption by default. I’m using their certificate for this blog site as well as others and was very happy to move off my self-signed OpenSSL certificate.
The commands from a Linux Apache server to get these requested and staged were pretty basic:
sudo apt-get install git
Download / stage files:
git clone https://github.com/letsencrypt/letsencrypt
Once you get through the installation, I was able to stop the Apache service and run this command to begin choosing common names and issuing certificates.
sudo -H ./letsencrypt-auto certonly --standalone -d mail.domain.com -d autodiscover.domain.com -d mail.domain2.com -d autodiscover.domain2.com
I was amazed how easy it was. The certificates were downloaded to a folder location like this:
I copied the chain and cert from here and manually configured them for Apache. It sounds like there is an automated method too, but I have yet to get that far. I was just happy to get a free cert. Anyone else try this yet?
Update 20160120: I didn’t realize until just last night that these certificates are only valid for 90 days!? So the need for an automated renewal process is really more of a requirement. Perhaps writing a Cron job that will run the above request command, stop the Apache service, replace the cert files, and start the Apache service…?
Also, I did set up a Linux VM without Apache installed for use only with Let’s Encrypt. I was able to create a new certificate by temporarily forwarding TCP 443 traffic to this VM (just for the minute or so it took to request the cert) for the requested domain alias and got one generated. Afterward I used an OpenSSL command to convert the chain, cert, and key files from PEM format to a PFX which was easily imported to Windows. I had installed SAMBA as an easy way of getting files off the Linux box. I am using this cert now for a lab Exchange 2013 server. Working great. Only downside is that there really isn’t a way to automate that process. I did run across a PowerShell-supported method of getting this done, but it didn’t exactly look straightforward. I’ll post about it when I get a chance to test.
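As an added example (not the post author's script), here is one way to write the cron job the update above suggests: check how many days the current cert has left, and only when it is close to expiry stop Apache, rerun the standalone request, copy the new files into place, and start Apache again. Assumed: the git clone lives in /opt/letsencrypt, the issued files land in /etc/letsencrypt/live/mail.domain.com/, Apache reads its cert files from /etc/apache2/ssl, and the service is managed with "service apache2".

```shell
#!/bin/sh
# Added example: cron-driven renewal for the standalone flow described in the post.
# Paths below are assumptions; adjust them to your own layout.
set -eu

LE_DIR=/opt/letsencrypt                              # assumed clone location
DOMAINS="mail.domain.com autodiscover.domain.com"    # hostnames from the post
LIVE=/etc/letsencrypt/live/mail.domain.com           # assumed issued-cert directory
APACHE_CERT_DIR=/etc/apache2/ssl                     # assumed Apache cert directory
RENEW_DAYS=30                                        # renew when under 30 days remain (certs last 90)

# Turn "a b c" into "-d a -d b -d c" for certonly.
build_domain_args() {
  args=""
  for d in $1; do
    args="$args -d $d"
  done
  printf '%s' "${args# }"
}

# True (exit 0) when the cert at $1 is missing or expires within $2 days.
# "openssl x509 -checkend N" exits non-zero if the cert expires within N seconds.
needs_renewal() {
  cert=$1; days=$2
  [ -f "$cert" ] || return 0
  ! openssl x509 -checkend $((days * 86400)) -noout -in "$cert" >/dev/null
}

# The sequence from the post: stop Apache (standalone mode needs the port),
# request, replace the cert files, start Apache again.
renew() {
  service apache2 stop
  # shellcheck disable=SC2046
  (cd "$LE_DIR" && ./letsencrypt-auto certonly --standalone $(build_domain_args "$DOMAINS"))
  install -m 600 "$LIVE/privkey.pem"   "$APACHE_CERT_DIR/privkey.pem"
  install -m 644 "$LIVE/cert.pem"      "$APACHE_CERT_DIR/cert.pem"
  install -m 644 "$LIVE/fullchain.pem" "$APACHE_CERT_DIR/fullchain.pem"
  service apache2 start
}

main() {
  if needs_renewal "$LIVE/cert.pem" "$RENEW_DAYS"; then
    renew
  fi
}

# Run only when invoked as "renew-le.sh --run" (e.g. from cron), so the
# functions can also be sourced without touching Apache.
case "${1:-}" in --run) main ;; esac
```

A crontab line such as `0 3 * * * /usr/local/sbin/renew-le.sh --run` runs the check nightly; Apache is only restarted on the days a renewal actually happens.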
Here is the OpenSSL command I used:
sudo openssl pkcs12 -export -out tylerlifemail.pfx -inkey /SAMBA_Share/privateKey.pem -in /SAMBA_Share/cert.pem -certfile /SAMBA_Share/fullchain.pem
Thanks for reading.