Let’s Encrypt SSL certificate without root or sudo privileges

Five days ago we had to renew a number of SSL certificates, using the free Let’s Encrypt certificate authority, on a few Apache servers installed in a Jelastic PaaS environment. The Apache servers were installed in an environment where:

  1. We had SSH access.
  2. We had no root privileges and no sudo permission.
  3. The SSH access was through a limited apache user.
  4. The underlying operating system was CentOS release 6.6 (Final) (found out by running: cat /etc/centos-release).

Thus we could not use the official Let’s Encrypt client, as it requires root privileges. After 3 hours of searching and trying multiple client implementations, we stumbled upon letsencrypt.sh. With the guidance of a tutorial written in German!! we finally managed to create our SSL certificates. So today, at last, we will show you how!!!

In this example we assume that our domain name is bobos.org. We want to create a certificate for bobos.org and www.bobos.org. Note that Let’s Encrypt does not issue wildcard certificates yet!!

Prerequisites

  1. No root access or sudo is required.
  2. An A record for bobos.org and www.bobos.org that points to the IP of the server you are using.
  3. On that server, a web server that listens on port 80. Listening on port 443 is optional.
  4. Shell access to the server.

If you want a thorough understanding of why we are going to perform the following steps, you can refer to the official How it works article. Phew! It is high time we started. Shall we?

  1. Know thy environment.
  2. Clone the letsencrypt.sh script.
  3. Configure the script.
  4. Configure your web server.
  5. Run the script.
  6. Find the certificates.
  7. Configure your web server to use the certificates
  8. Upload SSL certificates to Jelastic Administration Panel
  9. Reload or restart web server and test configuration

Know thy environment

After logging in via SSH we are in the /var/www/ directory:

apache@apache2 ~ $ pwd
/var/www

Then we check the CentOS version, because we can!

apache@apache2 ~ $ cat /etc/centos-release 
CentOS release 6.6 (Final)

Clone letsencrypt.sh script

While in that directory we clone letsencrypt.sh:

apache@apache2 ~ $ git clone https://github.com/lukas2511/letsencrypt.sh.git
Cloning into 'letsencrypt.sh'...
remote: Counting objects: 873, done.
remote: Total 873 (delta 0), reused 0 (delta 0), pack-reused 873
Receiving objects: 100% (873/873), 223.44 KiB | 0 bytes/s, done.
Resolving deltas: 100% (530/530), done.
Checking connectivity... done.
apache@apache2 ~ $ chown -R apache:apache letsencrypt.sh
apache@apache2 ~ $ cd letsencrypt.sh
apache@apache2 ~ $ pwd
/var/www/letsencrypt.sh

Configure the script

Then we have to perform a little configuration so the script is aware of our environment and of the domains for which we want to generate free SSL certificates:

  1. Prepare the base and conf directories:
    apache@apache2 ~/letsencrypt.sh $ mkdir conf
    apache@apache2 ~/letsencrypt.sh $ mkdir base
    apache@apache2 ~/letsencrypt.sh $ cp config.sh.example conf/config.sh
    apache@apache2 ~/letsencrypt.sh $ cp domains.txt.example conf/domains.txt

  2. Edit the configuration in /var/www/letsencrypt.sh/conf/config.sh:
    CONFIG_D="/var/www/letsencrypt.sh"
    BASEDIR="/var/www/letsencrypt.sh/base"
    WELLKNOWN="${BASEDIR}/.acme-challenges"
    CONTACT_EMAIL="aValidEmail@whateverServer.com"

  3. Add the domain names in /var/www/letsencrypt.sh/conf/domains.txt:
    bobos.org www.bobos.org


Configure your web server

Now we have to put the following lines in your site’s Apache conf, i.e. /etc/httpd/sites-available/bobos.conf, or in /etc/httpd/conf/httpd.conf. This lets Let’s Encrypt reach your server, perform domain validation and answer its challenges so that our SSL certificate can be issued.

Alias /.well-known/acme-challenge /var/www/letsencrypt.sh/base/.acme-challenges

<Directory /var/www/letsencrypt.sh/base/.acme-challenges>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
</Directory>
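A quick way to confirm that this Alias actually works, before running the script (a failed validation is much harder to debug from the script’s output), is to drop a test token into the .acme-challenges directory and fetch it through the same URL the validation server will use. The script below is an added example, not part of the original post or of letsencrypt.sh; it uses the post’s WELLKNOWN path and domain names, and the ACME_FETCH hook is an assumption added so the HTTP fetch can be replaced by a local command in a test.

```shell
#!/usr/bin/env bash
# Added example (not from the post or from letsencrypt.sh): pre-flight check
# that Apache serves files from the WELLKNOWN directory under
# /.well-known/acme-challenge/, which is exactly what the Let's Encrypt
# validation server will request. Paths and domains are the post's values;
# ACME_FETCH is an assumption: a hook so the HTTP fetch can be swapped for a
# local command when testing without a network.
set -u

WELLKNOWN="${WELLKNOWN:-/var/www/letsencrypt.sh/base/.acme-challenges}"
ACME_FETCH="${ACME_FETCH:-curl -fsS --max-time 10}"

# make_token: 32 random hex characters, an opaque value like an ACME token
make_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# check_acme_path DOMAIN [DIR]
# Drops a throw-away token file into DIR, requests it through the public URL
# the CA would use, removes it again and returns 0 only if the body matches.
check_acme_path() {
    domain="$1"
    dir="${2:-$WELLKNOWN}"
    token="$(make_token)"
    file="$dir/$token"
    url="http://$domain/.well-known/acme-challenge/$token"

    mkdir -p "$dir" || return 2
    printf '%s' "$token" > "$file" || return 2

    # "if" keeps a failed fetch from aborting the script under set -e
    if body="$($ACME_FETCH "$url" 2>/dev/null)"; then
        fetched=0
    else
        fetched=1
    fi
    rm -f "$file"

    if [ "$fetched" -ne 0 ]; then
        echo "FAIL $domain: cannot fetch $url (port 80 open? Alias in place?)" >&2
        return 1
    fi
    if [ "$body" != "$token" ]; then
        echo "FAIL $domain: token URL served different content (Alias points elsewhere?)" >&2
        return 1
    fi
    echo "ok   $domain serves /.well-known/acme-challenge/ from $dir"
    return 0
}

# Usage: ./acme-preflight.sh bobos.org www.bobos.org
if [ "$#" -gt 0 ]; then
    rc=0
    for d in "$@"; do
        check_acme_path "$d" || rc=1
    done
    exit "$rc"
fi
```

Run it as the same apache user that will run letsencrypt.sh, so that a permission problem on the .acme-challenges directory shows up here rather than during validation; both names from domains.txt must pass, since the CA validates each one separately.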

Run the script

apache@apache2 ~/letsencrypt.sh $ ./letsencrypt.sh --config /var/www/letsencrypt.sh/conf/config.sh -c
# INFO: Using main config file /var/www/letsencrypt.sh/conf/config.sh
# INFO: Using additional config file /var/www/letsencrypt.sh/conf/config.sh
Processing bobos.org with alternative names: www.bobos.org
 + Signing domains...
 + Creating new directory /var/www/letsencrypt.sh/base/certs/bobos.org ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for bobos.org...
 + Requesting challenge for www.bobos.org...
 + Responding to challenge for bobos.org...
 + Challenge is valid!
 + Responding to challenge for www.bobos.org...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

Find the certificates

The certificates are created in the ${BASEDIR}/certs/<domain>/ directory, i.e. base/certs/bobos.org/ in our case:

apache@apache2 ~/letsencrypt.sh $ ls -l base/certs/bobos.org/
total 20
-rw------- 1 apache apache 1655 Jul  7 06:49 cert-1457333387.csr
-rw------- 1 apache apache 2143 Jul  7 06:49 cert-1457333387.pem
lrwxrwxrwx 1 apache apache   19 Jul  7 06:50 cert.csr -> cert-1457333387.csr
lrwxrwxrwx 1 apache apache   19 Jul  7 06:50 cert.pem -> cert-1457333387.pem
-rw------- 1 apache apache 1675 Jul  7 06:50 chain-1457333387.pem
lrwxrwxrwx 1 apache apache   20 Jul  7 06:50 chain.pem -> chain-1457333387.pem
-rw------- 1 apache apache 3818 Jul  7 06:50 fullchain-1457333387.pem
lrwxrwxrwx 1 apache apache   24 Jul  7 06:50 fullchain.pem -> fullchain-1457333387.pem
-rw------- 1 apache apache 3243 Jul  7 06:49 privkey-1457333387.pem
lrwxrwxrwx 1 apache apache   22 Jul  7 06:50 privkey.pem -> privkey-1457333387.pem

Configure your web server to use the certificates

Configure Apache to use the created certificates. This might be your site’s own conf, i.e. /etc/httpd/sites-available/bobos.conf, or the global /etc/httpd/conf/httpd.conf:

SSLEngine On
SSLCertificateFile      /var/www/letsencrypt.sh/base/certs/bobos.org/cert.pem
SSLCertificateKeyFile   /var/www/letsencrypt.sh/base/certs/bobos.org/privkey.pem
SSLCertificateChainFile /var/www/letsencrypt.sh/base/certs/bobos.org/chain.pem
SSLCACertificateFile    /var/www/letsencrypt.sh/base/certs/bobos.org/fullchain.pem
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

IMPORTANT NOTE!! The previous configuration will not work in the Jelastic PaaS environment, as Jelastic forces us to add the certificates via the Jelastic Administration Panel. Jelastic puts the certificates in /var/lib/jelastic/SSL.

SSLEngine on

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

SSLCertificateFile /var/lib/jelastic/SSL/jelastic.crt
SSLCertificateKeyFile /var/lib/jelastic/SSL/jelastic.key
SSLCACertificateFile /var/lib/jelastic/SSL/jelastic-ca.crt

Upload SSL certificates to Jelastic Administration Panel

Then we have to upload the SSL certificates to the Jelastic Administration Panel. To achieve that you can use this guide. Otherwise (i.e. putting the files in place via SSH) it will not work.

Reload or restart web server and test configuration

Finally we reload (sudo /etc/init.d/apache2 reload) or restart (sudo /etc/init.d/apache2 restart) the Apache web server and verify that https://bobos.org works.
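After the reload, the check that matters is whether the live server now presents the certificate that was issued (or, on Jelastic, the one uploaded through the panel) rather than an old or default one. The script below is an added example, not part of the original post; it compares the SHA-256 fingerprint of the certificate a host presents on port 443 with that of a local cert.pem. The host name is the post’s and the TLS_PROBE hook is an assumption added so the handshake can be replaced by a local command in a test.

```shell
#!/usr/bin/env bash
# Added example (not from the post): after the reload, confirm that the live
# server actually presents the certificate we issued, rather than an old or
# default one. The host name is the post's; TLS_PROBE is an assumption: a hook
# so the TLS handshake can be replaced by a local command when testing offline.
set -u

TLS_PROBE="${TLS_PROBE:-probe_with_s_client}"

# probe_with_s_client HOST -> PEM of the leaf certificate HOST presents on 443
# (-servername sends SNI, so a name-based VirtualHost answers as a browser sees it)
probe_with_s_client() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# cert_fingerprint: SHA-256 fingerprint of the PEM certificate on stdin
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# served_cert_matches HOST FILE -> 0 if HOST presents exactly the cert in FILE
served_cert_matches() {
    expected="$(cert_fingerprint < "$2" 2>/dev/null || true)"
    served="$($TLS_PROBE "$1" | cert_fingerprint || true)"
    if [ -z "$expected" ]; then
        echo "FAIL cannot read a certificate from $2" >&2
        return 2
    fi
    if [ -z "$served" ]; then
        echo "FAIL no certificate received from $1:443 (SSLEngine on? port 443 open?)" >&2
        return 1
    fi
    if [ "$served" != "$expected" ]; then
        echo "FAIL $1 presents $served, expected $expected" >&2
        return 1
    fi
    echo "ok   $1 presents $expected"
    return 0
}

# Usage: ./check-live-cert.sh bobos.org /var/www/letsencrypt.sh/base/certs/bobos.org/cert.pem
if [ "$#" -eq 2 ]; then
    served_cert_matches "$1" "$2"
fi
```

Run it once per name in domains.txt; a mismatch after a successful reload usually means the VirtualHost that answers for that name still points at another certificate file, or that the panel upload did not take effect.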

That is all folks! Greetings from a hot Greece, striving for the best!


2 Responses to Let’s Encrypt SSL certificate without root or sudo privileges

  1. Terry Riegel says:

    Except you were able to restart apache… that requires root privileges.
