Set-Up “Let’s Encrypt” for Hiawatha Web-Server

Google announced that starting with Chrome version 68 they will gradually mark HTTP-connections as “not secure”. “Let’s Encrypt” is a free service for web-masters to obtain certificates in an easy manner. Work on “Let’s Encrypt” started in 2014.

Setting up “Let’s Encrypt” with Hiawatha web-server is quite easy, although there are some pitfalls. I used the ArchLinux package for Hiawatha. There is also a ArchWiki page for Hiawatha.

Another detailed description is: Let’s Encrypt with Hiawatha by Chris Wadge.

1. Unpacking and production-server setting. After installing the ArchLinux package I unpacked the file /usr/share/hiawatha/letsencrypt.tar.gz. You have to edit letsencrypt.conf at three places:

ACCOUNT_EMAIL_ADDRESS = your@mail.address
HIAWATHA_CERT_DIR = {HIAWATHA_CONFIG_DIR}/tls
LE_CA_HOSTNAME = acme-v01.api.letsencrypt.org           # Production

I struggled with the last variable LE_CA_HOSTNAME. This has to be the productive “Let’s Encrypt” server. Although you might register with the testing-server, you apparently cannot do anything else with the testing-server. So delete the testing-server. The rest of the configuration file is obvious to change.

2. Configuration file. Now check your hiawatha.conf file:

Binding {
        Port = 443
        #TLScertFile = tls/hiawatha.pem
        TLScertFile = /etc/hiawatha/tls/www.eklausmeier.tk.pem
        Interface = 0.0.0.0
        MaxRequestSize = 2048
        TimeForRequest = 30
}
...
VirtualHost {
        Hostname = www.eklausmeier.tk, eklausmeier.tk, 192.168.178.24, klm.no-ip.org, klm.ddns.net, edh.no-ip.org, edh.ddns.net, klmport.no-ip.org, borussia
        ...
}

3. Run PHP script. Now go through the following two-step process:

letsencrypt register
letsencrypt request www.eklausmeier.tk

letsencrypt is actually a PHP script, so you need package php installed, regardless whether you use PHP on your web-site. The last command generates the following output:

klm@nuc ~/letsencrypt: letsencrypt request www.eklausmeier.tk
Authorizing www.eklausmeier.tk.
 - Retrieving HTTP authentication challenge.
 - Retrieving authorization key.
Authorizing eklausmeier.tk.
 - Retrieving HTTP authentication challenge.
 - Retrieving authorization key.
Authorizing klm.no-ip.org.
 - Retrieving HTTP authentication challenge.
 - Retrieving authorization key.
Authorizing klm.ddns.net.
 - Retrieving HTTP authentication challenge.
 - Retrieving authorization key.
Authorizing edh.no-ip.org.
 - Retrieving HTTP authentication challenge.
 - Retrieving authorization key.
Authorizing edh.ddns.net.
 - Retrieving HTTP authentication challenge.
 - Retrieving authorization key.
Authorizing klmport.no-ip.org.
 - Retrieving HTTP authentication challenge.
 - Retrieving authorization key.
Authorizing borussia.no-ip.org.
 - Retrieving HTTP authentication challenge.
 - Retrieving authorization key.
Generating RSA key.
Generating CSR.
Retrieving certificate.
Using www.eklausmeier.tk.pem as output file.
Writing private key and certificate to file.
Retrieving CA certificate.
Writing CA certificate to file.

If you did not run above command as root: The generated certificate http://www.eklausmeier.tk.pem has then to be copied to /etc/hiawatha/tls, or to whatever location you have chosen above.

5. Renewing. Renewing is by either using cron or systemd timer, the latter being copied from ArchWiki. File /etc/systemd/system/letsencrypt-renew.service:

[Unit]
Description=Renew Let's Encrypt certificates
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/path/to/letsencrypt renew restart

and file /etc/systemd/system/letsencrypt-renew.timer:

[Unit]
Description=Daily renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=*-*-* 04:00:00
# Be kind to the Let's Encrypt servers: add a random delay of 0–3600 seconds
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target

I think cron is much easier to use than fiddling with systemd timer and system daemon-reload using root user. Instead, here is the simple crontab entry:

[root@nuc ~]# crontab -l
#             field          allowed values
#             -----          --------------
#             minute         0-59
#             hour           0-23
#             day of month   1-31
#             month          1-12 (or names, see below)
#             day of week    0-7 (0 or 7 is Sunday, or use names)
#
05      04      *       *       *       pidof hiawatha && /root/letsencrypt/letsencrypt renew restart

Checking crontab with journalctl | grep letsencrypt shows something like this:

Feb 27 04:05:01 nuc CROND[18069]: (root) CMD (pidof hiawatha && /root/letsencrypt/letsencrypt renew restart)
Feb 28 04:05:01 nuc CROND[29689]: (root) CMD (pidof hiawatha && /root/letsencrypt/letsencrypt renew restart)
Mar 01 04:05:01 nuc CROND[10260]: (root) CMD (pidof hiawatha && /root/letsencrypt/letsencrypt renew restart)
Mar 02 04:05:01 nuc CROND[20212]: (root) CMD (pidof hiawatha && /root/letsencrypt/letsencrypt renew restart)
Mar 03 04:05:01 nuc CROND[28676]: (root) CMD (pidof hiawatha && /root/letsencrypt/letsencrypt renew restart)

5. Testing. Two simple possibilites to check your site:

  1. SSL Server Test
  2. Responsinator

Output from SSL-labs below:

You can also use acme.sh. The commands are

cd .acme.sh
acme.sh --issue -d www.eklausmeier.tk -w /srv/http
cd www.eklausmeier.tk
cat www.eklausmeier.tk.key www.eklausmeier.tk.cer > www.eklausmeier.tk.pem

if /srv/http is your web-root (document root).

acme.sh has more than 6 kLOC and almost 100 options, while Hugo Leisink‘s letsencrypt script is just 1.5 kLOC and has 5 options: register, request, expire, revoke.

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.