Configuring letsencrypt certificate

Introduction

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). This tutorial describes how to configure a Let's Encrypt certificate for use on TelcoBridges equipment.

Prerequisites

Make sure HTTPS is enabled for the HTTP default service at port 12358.

Configuration Procedure

Note that the procedure below survives a Toolpack upgrade without breaking HTTPS.

1. Install certbot and python3

# Install python3 and create an isolated virtual environment for certbot.
sudo yum -y install python3
sudo python3 -m venv /opt/pycertbot/
sudo /opt/pycertbot/bin/pip install --upgrade pip

# Install the required dependency (pinned version)
sudo /opt/pycertbot/bin/pip install pyOpenSSL==23.1.1

# Install certbot from pip and expose it on the PATH
sudo /opt/pycertbot/bin/pip install certbot
sudo ln -s /opt/pycertbot/bin/certbot /usr/bin/certbot

2. Create certificate

If unsure, you can first generate a test certificate by adding --test-cert (it uses the Let's Encrypt staging environment, whose certificates are not trusted by browsers). Replace the two -d values with your proper FQDNs, then run:

sudo certbot certonly --standalone --agree-tos \
    -d CUSTOMER1.saas.prosbc.com \
    -d ec2-3-96-231-114.ca-central-1.prosbc.com \
    --deploy-hook "cat \${RENEWED_LINEAGE}/privkey.pem \${RENEWED_LINEAGE}/fullchain.pem > \${RENEWED_LINEAGE}/fullchain_with_privkey.pem && ln --force -s \${RENEWED_LINEAGE}/fullchain_with_privkey.pem /lib/tb/toolpack/pkg/ssl_certificate/toolpack_cert.pem && killall -INT lighttpd" \
    --email certificate_saas@telcobridges.com --no-eff-email

(the toolpack web server will automatically reload to use the new certificate, thanks to the --deploy-hook)

3. Validation

Validate that a symbolic link is present here:

ls -l /lib/tb/toolpack/pkg/ssl_certificate/toolpack_cert.pem

  • It should point at /etc/letsencrypt/live/FQDN/fullchain_with_privkey.pem

If successful, you can access in HTTPS without any warning from the browser!

4. Setup automatic renewal

The certificate is valid for 90 days, so we have to enable automatic renewal.

Add the following lines in /etc/crontab:

# Run daily at 1 AM (the system crontab requires a user field before the command)
0 1 * * * root certbot renew --quiet --agree-tos

After a few days, validate there are log files created at 1 AM every day:

  • sudo ls -lrt /var/log/letsencrypt/
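The checks in steps 3 and 4, gathered into one script as an added example (this is not part of the TelcoBridges page). It verifies that the Toolpack symlink points at certbot's combined fullchain_with_privkey.pem, that the combined file really holds one private key plus the full chain, and how many days remain before expiry, so a renewal that silently stopped shows up before the browser warning does. The Toolpack and certbot paths are the page's own; the sample PEM content and the dates are constructed, and the date parsing assumes GNU date (as on the CentOS/RHEL systems where yum is used).

```shell
#!/bin/sh
# Added example, not from the TelcoBridges page. Post-deployment checks for
# the Let's Encrypt setup described above.

TOOLPACK_CERT=/lib/tb/toolpack/pkg/ssl_certificate/toolpack_cert.pem  # path from the page
LIVE_DIR=/etc/letsencrypt/live                                        # certbot default

# 0 if LINK is a symlink to <live dir>/<FQDN>/fullchain_with_privkey.pem,
# i.e. the file the --deploy-hook writes and links into Toolpack.
check_cert_symlink() {
    link=$1; live=${2:-$LIVE_DIR}
    [ -L "$link" ] || return 1
    target=$(readlink "$link")
    case "$target" in
        "$live"/*/fullchain_with_privkey.pem) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the combined PEM holds exactly one private key and at least two
# certificates (leaf + intermediate, as certbot's fullchain.pem does).
check_combined_pem() {
    f=$1
    [ -r "$f" ] || return 1
    keys=$(grep -c -E -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' "$f" || true)
    certs=$(grep -c -- '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 2 ]
}

# Days until notAfter, given what "openssl x509 -enddate -noout" prints
# (e.g. "notAfter=Mar 15 12:00:00 2025 GMT"). Second argument overrides
# "now" (epoch seconds) for testing. Assumes GNU date.
days_until() {
    enddate=${1#notAfter=}
    end_epoch=$(date -u -d "$enddate" +%s)
    now_epoch=${2:-$(date -u +%s)}
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# certbot renews once fewer than 30 days remain; fewer than that still left
# means the daily "certbot renew" cron job from step 4 is not doing its work.
renewal_healthy() {
    [ "$1" -ge 30 ]
}

# Constructed sample (not a real key or certificate) so the checks can be
# exercised without touching the live system.
make_sample_pem() {
    printf '%s\n' \
        '-----BEGIN PRIVATE KEY-----' 'constructed-key-bytes' '-----END PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' 'constructed-leaf' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'constructed-intermediate' '-----END CERTIFICATE-----' \
        > "$1"
}

# Offline demo against a temporary directory that mirrors the real layout.
# On the SBC itself you would instead run:
#   check_cert_symlink "$TOOLPACK_CERT"
#   check_combined_pem "$TOOLPACK_CERT"
#   days_until "$(openssl x509 -enddate -noout -in "$TOOLPACK_CERT")"
run_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/live/CUSTOMER1.saas.prosbc.com"
    pem="$tmp/live/CUSTOMER1.saas.prosbc.com/fullchain_with_privkey.pem"
    make_sample_pem "$pem"
    ln -s "$pem" "$tmp/toolpack_cert.pem"
    if check_cert_symlink "$tmp/toolpack_cert.pem" "$tmp/live" && check_combined_pem "$pem"; then
        echo "OK: symlink target and combined PEM look right"
    else
        echo "FAIL: symlink target or combined PEM is wrong"
    fi
    # Constructed date: 45 days before the sample notAfter
    left=$(days_until "notAfter=Mar 15 12:00:00 2025 GMT" 1738152000)
    if renewal_healthy "$left"; then
        echo "OK: $left days left, renewal is keeping up"
    else
        echo "WARN: only $left days left, check the cron job and /var/log/letsencrypt/"
    fi
    rm -rf "$tmp"
}

run_demo
```

The 30-day threshold matches certbot's own renewal window, so a healthy setup never reports fewer than about 30 days; the symlink check deliberately requires the fullchain_with_privkey.pem name, since a link to certbot's plain fullchain.pem would lack the private key and leave lighttpd unable to serve HTTPS after the next reload.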
