05 May 2019
Getting Valid Certificates for Development Environment
As more services strive for greater security, setting up labs where you don't care about the security (particularly certificate and TLS security) becomes more of a headache. Where once upon a time you had to figure out how to secure the thing, now you have to work to turn off certificate checks or force trust of a self-signed certificate.
It becomes easier to just install a certificate, but certificates themselves take effort and usually cost money.
My solution is to use the free Let's Encrypt service and cheap domain names. Alternative TLDs frequently run sales; for example I just picked up brainbuz.xyz on sale for two years for US$8. Alternatively, if you don't mind some extra typing, a sub-domain of a domain you already own is free.
Since brainbuz.xyz is only for my lab environment, the lab hosts themselves exist only on my private BIND server. The public zone, which is all Let's Encrypt ever sees, lives with one of my hosting accounts.
To use Let's Encrypt you normally validate through a web server: run certbot on a publicly accessible web server and list the site and every host you need as separate -d arguments. The certbot package in any recent Linux distribution is fine for that. A wildcard certificate, however, cannot be issued by HTTP validation; Let's Encrypt only issues wildcards through DNS validation, where certbot proves control of the zone by publishing a TXT record under _acme-challenge.<domain>.
# command to use webserver for validation
certbot certonly --webroot -w /var/www/html -d brainbuz.xyz -d someservice.brainbuz.xyz
If you choose a wildcard cert I also recommend installing certbot and its DNS plugin with pip3 instead of your package manager. Wildcard support (ACME v2) is only about a year old as of this writing, and not every distribution packages the DNS plugins at all, or at a recent enough version.
I was able to use my provider's API token and the matching certbot DNS plugin (certbot-dns-digitalocean in my case) to issue the certificate.
I had to create a certbot.ini to hold the credential. chmod 600 it: that token lets anyone holding it rewrite your DNS records, and certbot will warn you if the file is readable by other users.
# certbot.ini
dns_digitalocean_token = ******replace with yours******
# command to get the cert for brainbuz.xyz:
certbot certonly --dns-digitalocean --dns-digitalocean-credentials ~/certbot.ini -d *.brainbuz.xyz
Note that *.brainbuz.xyz covers someservice.brainbuz.xyz but not the apex brainbuz.xyz itself, nor anything two labels deep such as a.b.brainbuz.xyz; add -d brainbuz.xyz to the same command if you need the bare domain too.
A certificate valid for 90 days was installed under /etc/letsencrypt/live/brainbuz.xyz/. I then copied fullchain.pem and privkey.pem to the dev server and configured the service to use them. Copy the key over an encrypted channel such as scp and keep it readable only by the service account, because anyone holding privkey.pem can impersonate every host under the wildcard. To renew, run certbot renew (it reuses the DNS plugin and credentials file recorded at the original request) and copy the new certificate over again, or hand the copy step to certbot renew --deploy-hook so it happens automatically on every renewal.
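As an added example that is not from the original post, here is a small POSIX shell script covering the two things I would want around the procedure above: a check of whether a wildcard name actually covers a given host (so you know when the apex needs its own -d), and a certbot deploy hook that copies the renewed chain and key out with safe permissions instead of doing it by hand after every renewal. RENEWED_LINEAGE is the variable certbot really exports to deploy hooks; the LAB_CERT_DIR variable, its /srv/lab-certs default, and the scp/ssh lines in the comments are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.
#  wildcard_covers  - does a certificate name such as *.brainbuz.xyz match HOST?
#  deploy_cert      - certbot --deploy-hook: copy fullchain.pem/privkey.pem out of
#                     the renewed lineage directory with sane permissions.

# wildcard_covers PATTERN HOST  -> exit 0 if PATTERN matches HOST, 1 otherwise.
# A wildcard matches exactly one leftmost label (RFC 6125), so *.brainbuz.xyz
# covers someservice.brainbuz.xyz but NOT brainbuz.xyz (the apex) and NOT
# a.b.brainbuz.xyz (two labels deep). Names are compared case-insensitively.
wildcard_covers() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $pattern in
    \*.*) suffix=${pattern#\*.} ;;                      # strip the leading "*."
    *)    [ "$pattern" = "$host" ] && return 0 || return 1 ;;  # plain name: exact match only
  esac
  prefix=${host%".$suffix"}
  [ "$prefix" != "$host" ] || return 1   # host does not end in ".suffix"
  [ -n "$prefix" ] || return 1           # ".brainbuz.xyz" is not a hostname
  case $prefix in *.*) return 1 ;; esac  # more than one label left of the suffix
  return 0
}

# deploy_cert LINEAGE_DIR DEST_DIR
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/brainbuz.xyz) for a
# --deploy-hook after a successful renewal; explicit arguments are accepted too
# so the function can be run by hand or exercised on a scratch directory.
deploy_cert() {
  lineage=${1:-${RENEWED_LINEAGE:?set RENEWED_LINEAGE or pass the lineage dir}}
  dest=${2:-${LAB_CERT_DIR:?set LAB_CERT_DIR or pass the destination dir}}
  [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ] || {
    echo "deploy_cert: $lineage is missing fullchain.pem or privkey.pem" >&2
    return 1
  }
  mkdir -p "$dest"
  # The chain is public; the private key must never be group or world readable.
  install -m 0644 "$lineage/fullchain.pem" "$dest/fullchain.pem"
  install -m 0600 "$lineage/privkey.pem"  "$dest/privkey.pem"
  # Assumption: on the real certbot host you would then push the pair to the
  # dev box over SSH and reload the service there, for example:
  #   scp "$dest/fullchain.pem" "$dest/privkey.pem" devserver:/etc/ssl/lab/
  #   ssh devserver systemctl reload nginx
  return 0
}

# When certbot runs this file as a deploy hook, RENEWED_LINEAGE is set and the
# copy happens automatically; when sourced or tested, nothing runs here.
# Invocation:  certbot renew --deploy-hook /usr/local/sbin/deploy_cert.sh
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_cert "$RENEWED_LINEAGE" "${LAB_CERT_DIR:-/srv/lab-certs}"   # assumed default
fi
```

Run wildcard_covers against each hostname you intend to serve before requesting the certificate; any name it rejects needs its own -d entry. The deploy hook only copies within the certbot host, so the remote transfer in the comments is the one piece you must fill in for your own environment.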