How to update certbot to work with Apache webroot authentication

Many of the startups I work with use free SSL certificates issued by LetsEncrypt. A recent security issue has changed the way these certificates need to be set up. Here’s a quick guide on how to configure LetsEncrypt’s certbot tool to use the webroot authentication method with Apache. My team and I have just been through all this on a bunch of servers and hopefully the information will save you some time.

Background

As a security precaution, LetsEncrypt decided to discontinue the standard authentication method for issuing and renewing SSL certificates. This method was called TLS-SNI and caused problems on some shared servers. Instead of receiving a LetsEncrypt certificate, users were greeted with the following error message:

“Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA”

Initially it looked like LetsEncrypt would release a fix. They have now decided to permanently disable this method for all new certificates. Renewals will still work for the time being, however this may also change in future and you’re best off changing your underlying configuration. I’ll go into detail below how to set things up.

To find out more you can read the original announcement and follow this discussion on the certbot github page that looks at alternatives.

Overview

To make LetsEncrypt’s certbot fully functional again you need to switch from the TLS-SNI authentication method to another form of authentication. We recommend using ‘webroot’ authentication instead, as it’s fairly straightforward to set up and doesn’t require a server restart when renewing certificates.

This guide assumes you’re using a Linux distribution and running Apache 2.

Configuring your server to use webroot authentication

Upgrade certbot to v0.20.0

You need to start off by upgrading certbot to version 0.20.0 (or higher). This version was released on 17th January 2018. Depending on when you’re reading this, your operating system’s package repository might not yet carry this version.

Check first:

sudo apt-get update
sudo apt-get install python-certbot-apache

If version 0.20.x is not yet available, it may be best to wait a couple of weeks until it is. Renewals should still work for existing certificates. If waiting isn’t an option for you, then you can use certbot-auto instead to install the newest version for your OS:

wget https://dl.eff.org/certbot-auto
sudo chmod u+x certbot-auto
sudo mv certbot-auto /opt

There is no need to uninstall the existing certbot; certbot-auto will run happily alongside it. I would, however, recommend removing the certbot auto-renew cron job so that the two do not both attempt renewals:

sudo rm /etc/cron.d/certbot

For more details, look for certbot-auto in the certbot user guide.

Note that certbot-auto is a wrapper for certbot. The first time you run it, it will download and install the most recent certbot package.

I will use ‘certbot-auto’ in the guide below – just replace this with ‘certbot’ once the 0.20.x version becomes available.

Allow Apache to serve the webroot challenge file

Certbot’s webroot authentication mechanism creates a temporary file in a special folder in the web root of your domain. If your website is served from the folder /var/www/domain.com/, the temporary file will be placed in

/var/www/domain.com/.well-known/

This file needs to be accessible via standard HTTP on port 80 for the authentication challenge to work.

Many SSL configurations will redirect all HTTP traffic to HTTPS. Such a setup will not allow webroot authentication to take place, because the challenge request is redirected before Apache serves the file. The way we have resolved this is to allow Apache to specifically serve contents in the well-known folder via HTTP, while redirecting all other traffic.

Here is a sample Apache vhost configuration file. This configuration builds on the standard LetsEncrypt redirect setup. A single RewriteRule allows Apache to serve the authentication challenge file via HTTP.

<VirtualHost *:80>
  ServerName domain.com
  DocumentRoot /var/www/domain.com
  CustomLog ${APACHE_LOG_DIR}/access.log common
  ErrorLog ${APACHE_LOG_DIR}/error.log
  RewriteEngine on
  # Serve anything under /.well-known/ (the certbot challenge file) as-is over HTTP
  # and stop processing further rewrite rules for that request
  RewriteRule ^/.well-known/ - [L]
  # Redirect every other request for this host to HTTPS
  RewriteCond %{SERVER_NAME} =domain.com
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
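Before running certbot it is worth confirming that the vhost above really serves a file from the challenge directory over plain HTTP without redirecting it. The following pre-flight script is an added example, not part of the original post and not certbot’s own code; it assumes certbot’s challenge path of .well-known/acme-challenge/ under the web root, and takes the domain and web root as command-line arguments.

```python
"""Pre-flight check for certbot webroot authentication (added example).

Writes a throw-away token file under <webroot>/.well-known/acme-challenge/,
fetches it over plain HTTP with redirects disabled, and reports whether Apache
served it directly, which is what the ACME HTTP challenge requires.
"""
import os
import secrets
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"  # where certbot writes its tokens


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so a redirect to HTTPS becomes visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError for the 3xx instead of following


def evaluate(status, location, body, token):
    """Classify the probe response; pure function so it can be tested offline."""
    if 300 <= status < 400:
        return f"FAIL: redirected to {location}; exempt {CHALLENGE_DIR} from the HTTPS redirect"
    if status != 200:
        return f"FAIL: HTTP {status}; Apache is not serving the challenge directory"
    if body.strip() != token:
        return "FAIL: wrong body; another vhost or rewrite answered for this host"
    return "OK: challenge file reachable over HTTP"


def probe(domain, webroot, timeout=10):
    """Drop a token into the web root, fetch it via http://<domain>/..., clean up."""
    token = secrets.token_urlsafe(16)
    name = f"preflight-{token}"
    path = os.path.join(webroot, CHALLENGE_DIR, name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(token)
    url = f"http://{domain}/{CHALLENGE_DIR}/{name}"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return evaluate(resp.status, resp.headers.get("Location"), resp.read().decode(), token)
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        return evaluate(err.code, err.headers.get("Location"), "", token)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(probe(sys.argv[1], sys.argv[2]))  # e.g. python3 preflight.py domain.com /var/www/domain.com
```

Run it as root (or as a user that can write to the web root) on the server itself, or from any host whose DNS resolves the domain to that server.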

Create new LetsEncrypt certificates using certbot’s webroot authentication

To create a new certificate for a new domain, run the certbot command as follows.

sudo /opt/certbot-auto --webroot --installer apache -w /var/www/domain.com -d domain.com

Replace the web root and the domain name with the appropriate values for your website.

Certbot will remember that you used the webroot authentication method and will use the same method when renewing the certificate.

Force renew existing LetsEncrypt certificates using certbot’s webroot authentication

To change the setup for existing certificates, run certbot with the --force-renew flag. This will reissue a certificate for the domain whether or not it is near expiration. Certbot will remember that you used the webroot authentication method and will use the same method when renewing the certificate.

sudo /opt/certbot-auto --force-renew --webroot --installer apache -w /var/www/domain.com -d domain.com

Auto renew LetsEncrypt certificates using certbot’s webroot authentication

Provided that you were able to upgrade your existing certbot install to version 0.20.x you don’t need to make any changes to your auto renewal setup. Certbot will remember that you used the webroot authentication method and will use it next time as well.

With certbot-auto you will need to set up a new cron job. Here is an example:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /opt/certbot-auto renew --quiet >> /var/log/certbot.log 2>&1

This cron job will run certbot-auto twice a day, at a random point within the hour after midnight and after noon, which spreads renewal requests across the day rather than hitting LetsEncrypt exactly on the hour. Both standard output and errors are appended to /var/log/certbot.log. Again, certbot will re-use the webroot authentication method.

Install this cron job for the root user with sudo crontab -e.


Hopefully this article has been of use to you. Please do share your questions and other technology tips with us!

Published January 25th, 2018 | Tech Hugs