Days of self-signed certificates pain (and security alerts) are over. With the new Let’s Encrypt initiative, you can now get a free certificate for your HTTPS connection that will be recognized as valid by all modern browsers.
Let’s Encrypt is a free, open-source certification authority that opened its public Beta on 3rd December 2015, and now everyone can test it and get some certificates.
Let’s see how you can get such a certificate for your self-hosted Cozy instance!
- your own domain
- a self hosted Cozy
- an email address (not mandatory, but highly recommended : Let’s encrypt will use it to to send you security advisories and a reminder few day before your certificate expires)
Setting up Let’s Encrypt
All following commands must be executed as root user.
Prefix it with
sudo or get a shell with sufficient rights :
Be sure that
ca-certificates packets are installed :
apt-get install git ca-certificates
Setup Let’s Encrypt from github repository :
git clone https://github.com/certbot/certbot /root/letsencrypt
NB : The old repository https://github.com/letsencrypt/letsencrypt is not use anymore
Configuring Let’s Encrypt and generating your first certificate
In this example, we will use the email@example.com mail address to get a certificate for a Cozy running on the https://mycozy.domain.com domain.
First, you need to accept Let’s Encrypt’s Terms of subscription.
In order to check that you are the actual owner of the domain, Let’s Encrypt server needs to communicate with your web server. You can use your own web server, by using some file delivered by Let’s Encrypt on a specific URL. You can also stop your own server and use a built-in Let’s Encrypt web server to validate your domain. We’ll choose this second solution.
First, stop your nginx server, making your Cozy unavailable for few minutes :
Then backup your old certificate and his key :
mv /etc/cozy/server.key /etc/cozy/server.key.backup mv /etc/cozy/server.crt /etc/cozy/server.crt.backup
Now let’s use the following command to create an account on Let’s Encrypt servers and generate your first certificate. Make sure to replace firstname.lastname@example.org with your own email address and mycozy.domain.com with the actual domain of your Cozy :
/root/letsencrypt/letsencrypt-auto certonly \ --standalone --agree-tos \ --email email@example.com -d mycozy.domain.com \ --standalone-supported-challenges tls-sni-01
Install your new certificate generated in
/etc/letsencrypt/live/mycozy.domain.com/ (make sure to update the path with your actual domain)
ln -s /etc/letsencrypt/live/mycozy.domain.com/privkey.pem /etc/cozy/server.key ln -s /etc/letsencrypt/live/mycozy.domain.com/fullchain.pem /etc/cozy/server.crt
Now restart your Nginx :
You can now test your new certificate and click on the padlock at the left of the URL and check that the communication is secure by the new certificate.
Get a monthly auto renew
Let’s Encrypt certificate are valid for 90 days and therefore need to be renewed regularly. We’re going to do this every first day of the month.
Create a file
/root/renew_cert.sh with the following script (replace domain with your) :
#!/bin/sh /etc/init.d/nginx stop /root/letsencrypt/letsencrypt-auto certonly --standalone -d mycozy.domain.com --standalone-supported-challenges tls-sni-01 --renew-by-default /etc/init.d/nginx start
Get the script executable :
chmod u+x /root/renew_cert.sh
You can now test manually the script (beware, some limits are set, you can only generate 5 certificates per week for a specific domain)
We need to launch this script automatically with Cron each month.
Open your crontab :
Add this line at the end of file and save it :
0 3 1 * * /root/renew_cert.sh
With this, your certificate will be renewed every first of the month at 3AM.
Having trouble using Let’s Encrypt with your self-hosted Cozy instance? Head over to our forum.
Everything running OK? Then enjoy connecting securely to your Cozy instance without the annoying security alert!