20.60. kb-00059: Use Let’s Encrypt Certificates with DRP

20.60.1. Knowledge Base Article: kb-00059

20.60.2. Description

This knowledge base describes one example of using Let’s Encrypt TLS Certificates for the dr-provision service (DRP Endpoint). This is only one example of how you might use Let’S Encrypt.

20.60.3. Solution

This solution uses the certbot tool to interact with the Let’s Encrypt APIs to authenticate and get a TLS Certificate. Other tools exist that will handle this capability for you.

This solution assumes you are running the commands at the Shell of the DRP Endpoint.

All Let’s Encrypt prerequisites/requirements must be in place prior to running this process. For example, valid DNS records MUST be setup in advance, for the Fully Qualified Domain Name (FQDN) of the DRP Endpoint server.

  1. Install Certbot
  2. Run certbot in standalone mode
certbot certonly --standalone
  1. Follow the prompts from the CLI tool. This generates certificates in:
    • /etc/letsencrypt/live/[drp fqdn]/ - replace “[drp fqdn]” with your FQDN (e.g. drp.example.com)
  2. Configure SystemD to now use the new certificate and private key:
DRP_ENDPOINT="drp.example.com"  # SET THIS APPROPRIATELY !!

cat <<EOF > /etc/systemd/system/dr-provision.service.d/certificate.conf
[Service]
Environment=RS_TLS_KEY_FILE=/etc/letsencrypt/live/$DRP_ENDPOINT/privkey.pem
Environment=RS_TLS_CERT_FILE=/etc/letsencrypt/live/$DRP_ENDPOINT/fullchain.pem
EOF
  1. Notify SystemD of updated config files, and restart DRP Endpoint
systemctl daemon-reload
systemclt restart dr-provision
  1. Verify/test the TLS certificate is as expected (using openssl)
DRP_ENDPOINT="drp.example.com"  # SET THIS APPROPRIATELY !!

openssl s_client -showcerts -connect $DRP_ENDPOINT:8092

In the final verification step, it should be clearly identified that the TLS Certificate is issued by Let’s Encrypt.

20.60.4. Automatic Certificate Renewals

To automatically renew certificates, create a monthly cron job, which runs the Certbot renewal process. Then via the use of the post hooks after renewal, trigger an import of the newly generated certificate and key.

To create the crontab entry, as root, perform:

cat << EOF > /etc/cron.monthly/dr-provision-letsencrypt-renewal.sh
#!/bin/sh

certbot renew
exit 0
EOF

chmod 700 /etc/cron.monthly/dr-provision-letsencrypt-renewal.sh

Now create the Certbot post hook so that when a renewal certificate is created, DRP updates the Certificate it’s using.

This script assumes that you have a $HOME/.drpclirc with appropriate credentails for user, password, and endpoint. If not, adjust the post-hook script to include the appropriate command line argument flags to the drpcli call. See kb-00010: Using the .drpclirc File for more details.

This will create the post hook:

cat << EOF /etc/letsencrypt/renewal-hooks/post/dr-provision.sh
#!/usr/bin/env bash

# reload the TLS certs in dr-provision, gets cert/key files from the
# environment - which assumes injected via systemd

function xiterr() { [[ $1 =~ ^[0-9]+$ ]] && { XIT=$1; shift; } || XIT=1; printf "FATAL: $*\n"; exit $XIT; }

PATH=$PATH:/usr/local/bin

T=$(mktemp /tmp/drp-tls.XXXXXXX)
strings /proc/$(pidof dr-provision)/environ | grep RS_TLS > $T
source $T

[[ -n "$RS_TLS_CERT_FILE" ]] \
  && drpcli system certs set "$RS_TLS_CERT_FILE" "$RS_TLS_KEY_FILE" \
  || xiterr 1 "Cert/key file variables not defined"

echo ""
echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -"
echo ">>> Reloading 'dr-provision' certs from files"
drpcli system certs set "$RS_TLS_CERT_FILE" "$RS_TLS_KEY_FILE"
if (( $? ))
then
  echo "FATAL:  Failed to load certificate files."
  exit 1
else
  echo "Certificates successfully reloaded."
  echo "  cert:  $RS_TLS_CERT_FILE"
  echo "   key:  $RS_TLS_KEY_FILE"
fi
echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -"
echo ""

rm -f $T
EOF

chmod 700 /etc/letsencrypt/renewal-hooks/post/dr-provision.sh

This process will search for the Envrionment variables that are usually set in the SystemD unit start files for the Certificate locations, then reload the newly generated cert and keyfile in to DRP.

In DRP v4.6.0 and newer, the certificate set process will automatically enable the DRP Endpoint HTTPS process to serve the new cert/key. In previous versions, you will have to restart DRP (eg systemctl restart dr-provision).

20.60.5. Additional Information

This document only focuses on initial setup of getting a Let’s Encrypt certificate. It does not discuss ongoing certificate renewal and management issues.

The example used in this document shows how to configure SystemD to utilize the certificate. The generated certificates can be used in other modes of operation. See the dr-provision binary help (eg dr-provision --help) for more details on the options around certificates and keys.

20.60.5.2. Versions

DRP Endpoints Version v4.x

20.60.5.3. Keywords

ssl, tls, certificate, letsencrypt, systemd, https, Let’s Encrypt, certbot, openssl, Lets Encrypt

20.60.5.4. Revision Information

KB Article     :  kb-00059
initial release:  Fri Feb 26 10:13:47 PST 2021
updated release:  Fri Aug 26 17:14:00 PST 2021