Let's Encrypt certificate for your Cozy


The days of self-signed certificate pain (and browser security alerts) are over. With the new Let’s Encrypt initiative, you can now get a free certificate for your HTTPS connection that will be recognized as valid by all modern browsers.


Let’s Encrypt is a free, open-source certificate authority that opened its public Beta on 3rd December 2015, and now everyone can test it and get certificates.

Let’s see how you can get such a certificate for your self-hosted Cozy instance!

Requirements:

  • your own domain
  • a self hosted Cozy
  • an email address (not mandatory, but highly recommended: Let’s Encrypt will use it to send you security advisories and a reminder a few days before your certificate expires)

Setting up Let’s Encrypt

All of the following commands must be executed as the root user. Prefix each one with sudo, or get a shell with sufficient rights:

sudo su

Make sure that the git and ca-certificates packages are installed:

apt-get install git ca-certificates

Set up Let’s Encrypt from the GitHub repository:

git clone https://github.com/certbot/certbot /root/letsencrypt

NB: the old repository https://github.com/letsencrypt/letsencrypt is not used anymore.

Configuring Let’s Encrypt and generating your first certificate

In this example, we will use the myaddress@example.com mail address to get a certificate for a Cozy running on the https://mycozy.domain.com domain.

First, you need to accept Let’s Encrypt’s Terms of subscription.

In order to check that you are the actual owner of the domain, the Let’s Encrypt server needs to communicate with your web server. You can use your own web server, by serving a file provided by Let’s Encrypt at a specific URL. You can also stop your own server and use the client’s built-in web server to validate your domain. We’ll choose this second solution.

First, stop your nginx server, which makes your Cozy unavailable for a few minutes:

/etc/init.d/nginx stop

Then back up your old certificate and its key:

mv /etc/cozy/server.key /etc/cozy/server.key.backup
mv /etc/cozy/server.crt /etc/cozy/server.crt.backup

Now use the following command to create an account on the Let’s Encrypt servers and generate your first certificate. Make sure to replace myaddress@example.com with your own email address and mycozy.domain.com with the actual domain of your Cozy:

/root/letsencrypt/letsencrypt-auto certonly \
   --standalone --agree-tos \
   --email myaddress@example.com -d mycozy.domain.com \
   --standalone-supported-challenges tls-sni-01

Install your new certificate, generated in /etc/letsencrypt/live/mycozy.domain.com/ (make sure to update the path with your actual domain):

ln -s /etc/letsencrypt/live/mycozy.domain.com/privkey.pem /etc/cozy/server.key
ln -s /etc/letsencrypt/live/mycozy.domain.com/fullchain.pem /etc/cozy/server.crt

Now restart Nginx:

/etc/init.d/nginx start

You can now test your new certificate: open your Cozy in a browser, click on the padlock at the left of the URL and check that the connection is secured by the new certificate.

Get a monthly auto renew

Let’s Encrypt certificates are valid for 90 days and therefore need to be renewed regularly. We’re going to do this on the first day of every month.

Create a file /root/renew_cert.sh with the following script (replace the domain with your own):

#!/bin/sh
# Free port 443 so the standalone challenge server can answer the validation
/etc/init.d/nginx stop
# Renew the certificate in place; the symlinks in /etc/cozy keep pointing at the live files
/root/letsencrypt/letsencrypt-auto certonly --standalone -d mycozy.domain.com --standalone-supported-challenges tls-sni-01 --renew-by-default
# Bring the Cozy back up whether or not the renewal succeeded
/etc/init.d/nginx start

Make the script executable:

chmod u+x /root/renew_cert.sh

You can now test the script manually (beware, rate limits apply: you can only generate 5 certificates per week for a given domain).

We need to launch this script automatically with Cron each month.

Open your crontab :

crontab -e

Add this line at the end of file and save it :

0 3 1 * * /root/renew_cert.sh

With this, your certificate will be renewed every first of the month at 3AM.
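As an added example (not part of the original post or of the Cozy project), here is a small Python 3 script that does from the command line what the padlock test above does in the browser, and also tells you whether the monthly renewal has fallen behind: it connects to your Cozy, verifies the chain and hostname against the system CA store, and reports how many days the served certificate has left. The 30-day threshold and the default hostname are assumptions of this example.

```python
#!/usr/bin/env python3
"""Check the certificate your Cozy actually serves (added example, not Cozy's own code)."""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumption: flag the certificate when fewer than 30 days remain. A monthly cron run
# that fails silently (rate limit hit, nginx still holding port 443) would otherwise
# let a 90-day certificate lapse; this gives roughly two missed runs of headroom.
RENEW_THRESHOLD_DAYS = 30


def cert_time(text):
    """Parse a getpeercert()-style time such as 'Mar  2 03:00:00 2016 GMT' to aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Days left before the certificate's notAfter; fractional, negative once expired."""
    now = now or datetime.now(timezone.utc)
    return (cert_time(not_after) - now).total_seconds() / 86400.0


def needs_renewal(not_after, now=None, threshold=RENEW_THRESHOLD_DAYS):
    """True when the certificate should be renewed (or the cron job looked into)."""
    return days_until_expiry(not_after, now) < threshold


def check_cozy(hostname, port=443):
    """Connect the way a browser does: chain verified against the system CA store and
    hostname checked against the certificate. A leftover self-signed server.crt fails
    here exactly as it fails in the browser."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()  # only populated once verification succeeded
    except OSError as exc:  # ssl.SSLError (bad chain, wrong name) is an OSError too
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "not_after": cert["notAfter"],
            "days_left": round(days_until_expiry(cert["notAfter"]), 1),
            "renew": needs_renewal(cert["notAfter"])}


if __name__ == "__main__":
    result = check_cozy(sys.argv[1] if len(sys.argv) > 1 else "mycozy.domain.com")
    print(result)
    sys.exit(0 if result["ok"] and not result["renew"] else 1)
```

Run it as `python3 check_cert.py mycozy.domain.com` from any machine with a normal CA store; a non-zero exit means either the browser would warn too or the certificate is close enough to expiry that the renewal cron deserves a look.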

More info

To find more details on Let’s Encrypt, you can see their website and their forum.

To find more information on their official client, see the documentation and check their source code on github.

Having trouble using Let’s Encrypt with your self-hosted Cozy instance? Head over to our forum.

Everything running OK? Then enjoy connecting securely to your Cozy instance without the annoying security alert!

Photo by Nicki Mannix used under CC-BY 2.0