This tutorial shows how to get fully functional certificates from Let’s Encrypt for use with ThinLinc’s Web Access and Web Administration. Our goal is to avoid browser certificate warnings like this one for users:
We are using Red Hat Enterprise Linux 7 in this example, but most steps will be the same or similar for other distributions.
1. The first step is installing certbot, the most common tool for fetching certificates from Let’s Encrypt. For Red Hat Enterprise Linux 7 this tool is available from the EPEL community repository, so we start by enabling that:
$ sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
After that it is possible to install certbot using yum:
$ sudo yum install certbot
If your distribution doesn’t have certbot packaged then you can download it directly from https://certbot.eff.org/.
2. Next we do the initial certificate request from Let’s Encrypt. certbot’s standalone authenticator binds the HTTP and HTTPS ports itself, so no other web server may be running on the host while you use the method described here, and the firewall must allow inbound connections to ports 80 and 443. (The transcript below shows certbot validating with the tls-sni-01 challenge on port 443; Let’s Encrypt has since retired that challenge, and current certbot versions validate over HTTP on port 80 instead, so keep that port reachable as well.) On Red Hat the firewall is controlled using the “Firewall Configuration” tool:
At this point we are ready to let certbot do its thing:
$ sudo /usr/bin/certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): hostmaster@thinlinc.com
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): certdemo.thinlinc.com
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for certdemo.thinlinc.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/certdemo.thinlinc.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/certdemo.thinlinc.com/privkey.pem
   Your cert will expire on 2018-02-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
3. We now have fully functional certificates! Let’s point ThinLinc at them. Note that the paths under /etc/letsencrypt/live/ are symlinks that certbot keeps pointing at the newest versions in /etc/letsencrypt/archive/, so these are the paths to configure:
$ sudo /opt/thinlinc/bin/tl-config /webaccess/cert=/etc/letsencrypt/live/certdemo.thinlinc.com/fullchain.pem
$ sudo /opt/thinlinc/bin/tl-config /webaccess/certkey=/etc/letsencrypt/live/certdemo.thinlinc.com/privkey.pem
$ sudo /usr/bin/systemctl restart tlwebaccess.service
$ sudo /opt/thinlinc/bin/tl-config /tlwebadm/certkey=/etc/letsencrypt/live/certdemo.thinlinc.com/privkey.pem
$ sudo /opt/thinlinc/bin/tl-config /tlwebadm/cert=/etc/letsencrypt/live/certdemo.thinlinc.com/fullchain.pem
$ sudo /usr/bin/systemctl restart tlwebadm.service
This is also a good time to make sure that /vsmagent/agent_hostname is properly configured, since it must match the name in the certificate for the client to connect without warnings:
$ sudo /opt/thinlinc/bin/tl-config /vsmagent/agent_hostname=certdemo.thinlinc.com
$ sudo /usr/bin/systemctl restart vsmagent.service
Unfortunately there is currently a bug in ThinLinc that prevents it from reading the private key the way certbot creates it: the key file is readable by group and others. To fix this we have to set more restrictive rights on the key (chmod follows the symlink in live/, so it is the real file under archive/ that is changed):
$ sudo /usr/bin/chmod go-r /etc/letsencrypt/live/certdemo.thinlinc.com/privkey.pem
At this point you should be able to access ThinLinc Web Access and Web Administration with a fully approved certificate:
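Before restarting ThinLinc it is worth confirming that the files you just configured belong together, are not about to expire, and have the restricted key permissions ThinLinc requires. The following pre-flight check is an added example and not part of the original tutorial or of ThinLinc or certbot; it assumes the openssl command-line tool is installed (it is on RHEL 7) and takes the lineage directory, such as /etc/letsencrypt/live/certdemo.thinlinc.com, as its argument.

```shell
#!/bin/bash
# Pre-flight check of a certbot lineage before ThinLinc is pointed at it.
# Usage: ./checklineage /etc/letsencrypt/live/certdemo.thinlinc.com
# Assumes the openssl command-line tool is installed.
set -eu

# The leaf certificate is the first block in fullchain.pem, which is the one
# "openssl x509" reads. Compare its public key with the one derived from the
# private key; a mismatch means the two files do not belong together.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate will still be valid $2 days from now.
# "-checkend" exits 0 when the certificate outlives the given number of seconds.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# True if the key has no group/other permission bits (columns 5-10 of ls -l),
# which is the state the tutorial's "chmod go-r" workaround produces.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Run all three checks on a lineage directory; report every failure, not just
# the first, and return non-zero if any check failed.
check_lineage() {
    dir=$1
    status=0
    key_matches_cert "$dir/fullchain.pem" "$dir/privkey.pem" \
        || { echo "FAIL: privkey.pem does not match fullchain.pem"; status=1; }
    valid_for_days "$dir/fullchain.pem" 30 \
        || { echo "FAIL: certificate expires within 30 days"; status=1; }
    key_is_private "$dir/privkey.pem" \
        || { echo "FAIL: privkey.pem is readable by group/others"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: $dir"
    return $status
}

# Only run when a lineage directory is given on the command line.
if [ $# -gt 0 ]; then
    check_lineage "$1"
fi
```

The 30-day threshold matches the point at which certbot starts renewing a certificate, so a lineage that fails that check on a freshly issued certificate indicates a clock problem rather than a certificate problem.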
Automatic certificate renewal
Although we now have a proper certificate for our server, it will not stay that way by itself. The certificate will at some point expire and be refused by browsers. Let’s Encrypt certificates are valid for only 90 days, so we must set up a mechanism that automatically renews the certificate when needed.
Fortunately certbot has exactly such features built in! Unfortunately the packaging differs between distributions, so we will go through how to do it on Red Hat, followed by a more general method.
Using Red Hat specific scripts
The Red Hat certbot package includes a systemd timer that will renew certificates when needed. So all we need to do is enable that timer:
$ sudo /usr/bin/systemctl enable certbot-renew.timer
$ sudo /usr/bin/systemctl status certbot-renew.timer
Note that enabling the timer only arranges for it to be started at boot. Start it now as well with systemctl start certbot-renew.timer (the --now shortcut of systemctl enable is not available in the systemd version shipped with RHEL 7), and confirm with the status command that the timer is active and shows a next trigger time.
Unfortunately the ThinLinc bug mentioned earlier will cause problems here as well. So we need to add a helper script to certbot. Create the file /usr/sbin/deployhook with the following contents:
#!/bin/bash
/usr/bin/chmod go-r $RENEWED_LINEAGE/privkey.pem
Make sure this file is executable:
$ sudo /usr/bin/chmod a+x /usr/sbin/deployhook
This script will perform the necessary permission change every time a certificate is renewed: certbot runs a deploy hook only for certificates that were actually renewed, and sets RENEWED_LINEAGE to the lineage directory (here /etc/letsencrypt/live/certdemo.thinlinc.com) before calling it. What remains is to make sure certbot calls this script. Do this by editing the file /etc/sysconfig/certbot:
...
#
# An example to run a script to alert each cert would be:
# RENEW_HOOK="--renew-hook /usr/local/bin/cert-notifier.sh"
RENEW_HOOK="--deploy-hook /usr/sbin/deployhook"

# Any other misc arguments for the renewal
# See certbot -h renew for full list
...
General method
In short, we just need to make sure the command certbot renew is run once a day. certbot only renews certificates that are within 30 days of expiry, so running it daily is cheap and leaves plenty of retries if a renewal fails. The most foolproof way of doing this is using the classic cron service. Create the file /etc/cron.d/certbot:
12 2 * * * /usr/bin/certbot renew --quiet
Remember to tell crond to reload the configuration:
$ sudo /usr/bin/systemctl reload crond.service
However, as with the Red Hat method we need to provide a workaround for the ThinLinc bug. So create the same /usr/sbin/deployhook as in the previous section and modify /etc/cron.d/certbot:
12 2 * * * /usr/bin/certbot renew --quiet --deploy-hook /usr/sbin/deployhook
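The /usr/sbin/deployhook used by both renewal methods above only fixes the key permissions. A renewed certificate is still not served until the ThinLinc services re-read their certificate files, so a fuller hook should also restart them. The script below is an added example, not ThinLinc’s or certbot’s own code. It relies on certbot exporting RENEWED_LINEAGE to deploy hooks (which certbot documents), and it assumes that tl-config prints the current value when given a parameter name without "=", and that tlwebaccess and tlwebadm read their certificate only at startup; both assumptions are marked in the code.

```shell
#!/bin/bash
# deployhook: run by "certbot renew --deploy-hook /usr/sbin/deployhook"
# after a successful renewal. certbot exports RENEWED_LINEAGE (for example
# /etc/letsencrypt/live/certdemo.thinlinc.com) and RENEWED_DOMAINS to the hook.
set -eu

# Assumption: "tl-config /section/param" with no "=" prints the current value.
TL_CONFIG=${TL_CONFIG:-/opt/thinlinc/bin/tl-config}
# Assumption: these services only read the certificate files when they start.
SERVICES="tlwebaccess.service tlwebadm.service"

# Remove all group/other access from the renewed key. live/ holds symlinks and
# chmod follows them, so the real file under archive/ is what gets changed.
# Prints the resulting mode string so that it shows up in the certbot log.
restrict_key() {
    key="$1/privkey.pem"
    if [ ! -f "$key" ]; then
        echo "deployhook: no private key at $key" >&2
        return 1
    fi
    chmod go-rwx "$key"
    ls -l "$key" | cut -c1-10
}

# True when the certificate path ThinLinc is configured with lives inside the
# lineage that was just renewed. Other lineages on the same host (for another
# name, say) should not cause a ThinLinc restart.
lineage_in_use() {
    case "$2" in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

main() {
    lineage=${RENEWED_LINEAGE:?must be set by certbot}
    restrict_key "$lineage"
    configured=$("$TL_CONFIG" /webaccess/cert)
    if lineage_in_use "$lineage" "$configured"; then
        for svc in $SERVICES; do
            systemctl restart "$svc"
        done
    fi
}

# Only act when invoked by certbot; sourcing the file for testing does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Because the hook only runs after a successful renewal, a restart happens at most once per renewal rather than on every daily timer or cron run, which is why the restart belongs here and not in the cron line itself.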