lördag 5 december 2015

Using Lets Encrypt without root access

Lets encrypt issues TLS certificates for free and are recognized by almost every browser. Great!

Generation of the certificates however requires root access. I am not fond of running third party code as root, especially when it wants to touch configuration. Eventually, when the client is not beta anymore and ends up in mainstream Debian that will be another story. For now, this is how I managed to get certificates without executing the letsencrypt client with root priviliges on any of my trusted systems. I use a throwaway virtual machine instead, which executes the letsencrypt client during setup and then can be turned off.

My setup is as follows - I will call my domain www.example.com to make it easier to read. I have a pretty standard setup, with an internal web server answering requests, forwarded from my router. Connecting to external TCP port 443 ends up in an internal host on my network, running apache. Lets call that host webserver.local. I will also use another maching, workstation.local which is my normal desktop machine. It is not important where the machines are, as long as they can reach each other.

To shield myself, I use a virtual machine on my workstation, which will execute the letsencrypt client commands.

  1. disable anything listening to 443 on webserver.local temporarily. for me, service apache stop does the trick.
  2. forward port 443 to the virtual machine. On webserver.local, execute  socat TCP4-LISTEN:443,fork,reuseaddr TCP:workstation.local:4444
  3.  on workstation.local, forward port 4444 to the virtual machine port 443. I use virtualbox, which has a GUI under the network panel.
  4. inside the virtual machine, check out the letsencrypt client.
    you can do that as a normal user if you want.
  5. inside the virtual machine, execute the lets encrypt command as root:
    cd /path/to/letsencrypt/checkedout/repo
    ./letsencrypt-auto certonly --standalone --standalone-supported-challenges tls-sni-01 -d www.example.com -d alternatename.example.com
  6. if that went well, you get a congratulation message from the letsencrypt tool. transfer the /etc/letsencrypt directory, with rights preserved, to /etc/letsencrypt on webserver.local. I used tar, which preserves the file privileges which is important for local security.
  7. on webserver.local, configure the server to use the certs in /etc/letsencrypt/
    I use apache, here is an example configuration if you want to see the local paths to use for letsencrypt.
  8. disable the temporary port forward by socat
  9. enable the web server on webserver.local again, for me using apache that is service apache start
  10. verify that it works by opening www.example.com in your browser and checking the certificate information.