The Need

The NewBlackBox server that monitors and controls a new alarm product I developed needs to be accessible to other people. It has a self-signed SSL/TLS cert, and on an Android phone that throws errors scary enough to worry even me, and I know it is safe. Since other people need to be able to use this, and on a phone the errors cannot easily be dismissed (unlike on a computer), I need to get a new SSL/TLS cert.

I’ve battled with Let’s Encrypt certs before, but the default clients then required the use of port 443 for verification, which is not possible for this set-up.

So I’ve looked around and found ZeroSSL, which allows the use of DNS based verification with relative ease.

The Solution

Jan 2019 Edit: These steps work on Ubuntu Server 18.04; a follow-up post shows the slight differences for (a very slim) Ubuntu appliance….

First Steps: Install software

sudo apt-get install make gcc libssl-dev liblocal-lib-perl cpanminus

This was pretty straight forward. Then,

cpan -i Crypt::LE

Wah! Somebody must be running in verbose mode! Still, it did the trick: we now have access to “le.pl”.

Now we must create the certificate, and we want to do it using DNS verification. First we create the account key and the domain key. They should be kept in a safe location, readable only by the right people/services.

sudo su
cd /etc/ssl/private
openssl genrsa -out account.key 4096
openssl genrsa -out mydomain.key 2048
chown root:ssl-cert account.key mydomain.key
chmod 640 account.key mydomain.key

le.pl --key account.key --csr mydomain.csr --csr-key mydomain.key --crt mydomain.crt --domains "host.domain.com.au" --generate-missing --handle-as dns --live
chown root:ssl-cert mydomain.crt mydomain.csr
chmod 640 mydomain.crt mydomain.csr

Success!

Notes:

  1. The file ownership and access permission commands can be executed after le.pl is run, and shortened to:
    chown root:ssl-cert mydomain.* account.key
    chmod 640 mydomain.* account.key
  2. Be sure to either have a short TTL, or run with --live the first time; otherwise, after a test run, you may have to wait a while for the updated DNS record to propagate, like I did. Luckily my TTL was only 900 seconds, and I was busy writing this blog post so I didn’t have to count the seconds…
  3. Modifying the DNS TXT record is outside the scope of this post, and depends on how DNS is handled for your domain. For cPanel users, it can be found in the Advanced Zone Editor.
  4. Your Apache configuration is also outside the scope of this post, but if you already have a working HTTPS site, it should be a trivial modification in /etc/apache2/sites-enabled/default-ssl.conf
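To avoid the propagation wait from note 2, it helps to confirm the _acme-challenge TXT record is actually visible before running with --live. The following is an added Python example, not code from this post or from Crypt::LE: it derives the TXT value the ACME DNS-01 challenge expects (base64url of SHA-256 over token + "." + account key thumbprint, per RFC 8555 section 8.4, with the thumbprint computed as in RFC 7638) and checks a resolver's answer set for it. This is the same value le.pl prints for you; the modulus, token and observed TXT strings below are constructed sample values, and in real use you would take the token from le.pl's output and the TXT strings from a query such as dig TXT _acme-challenge.host.domain.com.au.

```python
import base64
import hashlib
import json
from typing import Sequence


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) and JWK (RFC 7638) require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def rsa_jwk_thumbprint(n: int, e: int) -> str:
    """RFC 7638 thumbprint of an RSA public key: SHA-256 over the JSON object
    holding only the required members ("e", "kty", "n"), keys in lexicographic
    order, no whitespace."""
    def int_b64(x: int) -> str:
        return b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))

    jwk = {"e": int_b64(e), "kty": "RSA", "n": int_b64(n)}
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: the TXT record must hold
    base64url(SHA-256(token + "." + thumbprint of the account key))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(domain: str) -> str:
    """The DNS-01 challenge is looked up at _acme-challenge.<domain>."""
    return f"_acme-challenge.{domain}"


def txt_record_present(observed_txt: Sequence[str], expected: str) -> bool:
    """True when the resolver's TXT answer set (surrounding quotes already
    stripped) contains the expected value. Stale values from earlier runs may
    sit beside it; the ACME server only needs one matching record."""
    return expected in observed_txt


# Constructed sample inputs (not a real key, not a real token).
SAMPLE_N = 2 ** 2047 + 12345          # placeholder modulus, NOT a usable RSA key
SAMPLE_E = 65537
SAMPLE_TOKEN = "sample-token-from-le-pl-output"
SAMPLE_DOMAIN = "host.domain.com.au"


def demo() -> dict:
    """Derive the expected record and check it against a constructed answer
    set that also contains a stale value from a previous (test) run."""
    thumbprint = rsa_jwk_thumbprint(SAMPLE_N, SAMPLE_E)
    expected = dns01_txt_value(SAMPLE_TOKEN, thumbprint)
    observed = ["stale-value-from-previous-run", expected]   # constructed dig output
    return {
        "name": challenge_record_name(SAMPLE_DOMAIN),
        "expected": expected,
        "propagated": txt_record_present(observed, expected),
    }


if __name__ == "__main__":
    result = demo()
    print(f"{result['name']} should contain: {result['expected']}")
    print("propagated:", result["propagated"])
```

Run the query against the authoritative nameservers and a public resolver; if the value is visible on the former but not the latter, the TTL from note 2 is what you are waiting out.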

Next Post:

Automatic Renewal. I have 60-90 days to figure it out :-).