Inaccurate Design

Let's Encrypt!

Tuesday, 23 August 2016

TLDR

I’ve transitioned the site to a new Let’s Encrypt certificate. If you’ve tried to access the site in the last few days and received a certificate error, that’s my fault, and it’s all fixed now!

Long version

I’ve just transitioned away from the existing COMODO certificate I’ve been using for the last year to a new Let’s Encrypt certificate. What LE is doing for the internet is great and I wanted to support them, and when I received an email about my existing certificate expiring, it provided the perfect opportunity!

One of the major selling points of LE is the ‘one-click’ setup it provides for self-hosted servers – you run the client, it requests a certificate for your domains from the CA on your behalf, then it helps you configure your web server of choice with the new certificate. This is great, but there are a few extra steps to go through if you don’t control the server – in my case because the site is served out of an S3 bucket, through CloudFront.

The basic process is:

  1. Run the certbot client in manual mode; it generates a ‘challenge’ file and tells you the exact location on your site it must be served from.
  2. Upload the challenge to that location (in my case, the .well-known/acme-challenge/ path in my S3 bucket), and check that it is actually reachable over plain HTTP before continuing.
  3. Prompt certbot to continue; the CA fetches the challenge, which confirms your control of the domain, and certbot writes out the certificates.
  4. Upload the certificates to AWS (CloudFront reads custom certificates from the IAM certificate store) and configure the distribution to use the new cert.
  5. Remove the old cert.

Renewals are easier. What matters is the account key and renewal configuration certbot keeps locally, not the old certificates: the CA remembers that it has recently validated the domain, so while that validation is still fresh you can renew without going through the challenge process again. Just re-upload the new certificates and update the CloudFront distribution.

I was able to script most of the process to complete automatically, and I’ll update this post with the Gitlab link after I’ve cleaned up the scripts a bit! Really the only bit I wasn’t able to entirely automate (at least, not without a bunch of text parsing that’s not worth it for a one-off task) was the upload of the challenge file – it required a bit of manual intervention.

But the most important bit (given the 90-day expiry of the certificates) – the renewals – is all automated. The CloudFront API isn’t fully mature yet: there is no call that just swaps the certificate, so you fetch the whole distribution config together with its ETag, change the certificate field, and send the entire config back with that ETag. A bit of JSON parsing and find-replace shenanigans were required, but it’s worth it to have the whole process automated.
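The rotation half of the process above (steps 4 and 5, and the renewal path) as an added example; this is not the author’s script. It uploads certbot’s output to IAM, rewrites only the ViewerCertificate part of the fetched distribution config, sends it back with the ETag that UpdateDistribution requires, and retires the previous certificate once the distribution has finished deploying. It also refuses to deploy a certificate whose issuer is the Let’s Encrypt staging CA, which is the mistake described at the end of this post. Assumptions: certbot’s standard /etc/letsencrypt/live/<domain>/ layout, boto3 for the AWS calls, openssl on the PATH for the issuer check, and the distribution ID and domain passed in as arguments.

```python
"""Rotate a CloudFront distribution onto the certificate certbot just issued.

Added example for this post, not the author's script. Assumes certbot's
standard /etc/letsencrypt/live/<domain>/{cert,privkey,chain}.pem layout,
boto3 for the IAM and CloudFront calls, and openssl on PATH for the issuer check.
"""
import copy
import hashlib
import subprocess

# CloudFront reads custom certificates out of the IAM server-certificate store
# (or ACM in us-east-1) and only offers those stored under this path.
IAM_CERT_PATH = "/cloudfront/"


def looks_like_staging(issuer: str) -> bool:
    """True if an issuer line belongs to the Let's Encrypt staging CA.

    Staging intermediates have been named 'Fake LE Intermediate X1' and, later,
    '(STAGING) ...'; a certificate from one of them never chains to a trusted root.
    """
    return "Fake LE" in issuer or "(STAGING)" in issuer


def cert_issuer(cert_pem_path: str) -> str:
    """Issuer line of a PEM certificate, e.g. "issuer=C = US, O = Let's Encrypt, ..."."""
    out = subprocess.check_output(
        ["openssl", "x509", "-noout", "-issuer", "-in", cert_pem_path], text=True
    )
    return out.strip()


def cert_name(prefix: str, cert_body: str) -> str:
    """IAM certificate name derived from the certificate's hash, so a rerun with
    an unchanged certificate can see that it is already uploaded."""
    digest = hashlib.sha256(cert_body.encode()).hexdigest()[:12]
    return f"{prefix}-{digest}"


def with_certificate(dist_config: dict, iam_cert_id: str) -> dict:
    """Copy of a DistributionConfig that serves the given IAM certificate.

    Only ViewerCertificate is changed; everything else goes back untouched, since
    UpdateDistribution replaces the whole config rather than patching it.
    """
    cfg = copy.deepcopy(dist_config)
    vc = dict(cfg.get("ViewerCertificate", {}))
    for stale in ("ACMCertificateArn", "Certificate", "CertificateSource"):
        vc.pop(stale, None)  # legacy and alternative fields that would conflict
    vc["CloudFrontDefaultCertificate"] = False
    vc["IAMCertificateId"] = iam_cert_id
    vc.setdefault("SSLSupportMethod", "sni-only")  # dedicated-IP SSL is the expensive option
    vc.setdefault("MinimumProtocolVersion", "TLSv1")
    cfg["ViewerCertificate"] = vc
    return cfg


def rotate(distribution_id: str, domain: str, live_dir: str = "/etc/letsencrypt/live") -> str:
    """Upload the current certificate, point the distribution at it and delete the
    previous one. Returns the IAM certificate name the distribution now uses."""
    import boto3  # imported here so the pure helpers above run without boto3

    base = f"{live_dir}/{domain}"
    if looks_like_staging(cert_issuer(f"{base}/cert.pem")):
        raise RuntimeError("refusing to deploy a certificate issued by the staging CA")
    with open(f"{base}/cert.pem") as c, open(f"{base}/privkey.pem") as k, open(f"{base}/chain.pem") as ch:
        body, key, chain = c.read(), k.read(), ch.read()

    iam, cf = boto3.client("iam"), boto3.client("cloudfront")
    name = cert_name(domain.replace(".", "-"), body)
    existing = {m["ServerCertificateName"]: m["ServerCertificateId"]
                for m in iam.list_server_certificates(PathPrefix=IAM_CERT_PATH)["ServerCertificateMetadataList"]}
    if name in existing:
        return name  # certbot renewed nothing since the last run; nothing to rotate

    new_id = iam.upload_server_certificate(
        Path=IAM_CERT_PATH, ServerCertificateName=name,
        CertificateBody=body, PrivateKey=key, CertificateChain=chain,
    )["ServerCertificateMetadata"]["ServerCertificateId"]

    # GetDistributionConfig returns an ETag that UpdateDistribution must get back
    # as IfMatch; a plain find-and-replace on the saved JSON loses this step.
    current = cf.get_distribution_config(Id=distribution_id)
    old_id = current["DistributionConfig"].get("ViewerCertificate", {}).get("IAMCertificateId")
    cf.update_distribution(Id=distribution_id, IfMatch=current["ETag"],
                           DistributionConfig=with_certificate(current["DistributionConfig"], new_id))

    # IAM will not delete a certificate a distribution still references, so wait
    # for the new config to reach the edge before retiring the old one.
    cf.get_waiter("distribution_deployed").wait(Id=distribution_id)
    for old_name, old in existing.items():
        if old_id and old == old_id:
            iam.delete_server_certificate(ServerCertificateName=old_name)
    return name


if __name__ == "__main__":
    import sys
    print(rotate(sys.argv[1], sys.argv[2]))  # usage: rotate.py <distribution-id> <domain>
```

Run it right after certbot renew from a daily cron job: because the IAM name is derived from the certificate’s hash, a run in which certbot renewed nothing uploads nothing and leaves the distribution alone, and the issuer check means a stray --staging flag fails loudly before anything reaches CloudFront.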

I just need to remember to run the script at least once every 90 days. The next step is finding a solid way to do this automatically (i.e. on a host I can trust that’s active at least once every 30 days?). Since certbot renew is a no-op until a certificate is within 30 days of expiry, the script is safe to run from a daily cron job on any host that is up most of the time.

And the reason the certs were broken? That’s easy. And stupid. When I was testing, I was running certbot with the --staging flag (so it only issues dummy certs, avoiding any rate-limiting issues). When I wanted to generate an actual certificate, I removed the --staging flag – only I had the parameter in there twice. So I was trying to debug why on earth the trust chain for this dummy cert wasn’t valid. A staging certificate is easy to spot before it is deployed: its issuer is the staging CA’s ‘Fake LE’ intermediate rather than a real Let’s Encrypt one, so checking the issuer of the new cert (openssl x509 -noout -issuer -in cert.pem) before uploading it would have caught the mistake.