I recently needed to create certificates for the web server that serves the data files behind cisco.github.io. I decided I should try Let's Encrypt. If you don't know about the Let's Encrypt service, keep reading!
As most people know, it generally costs money to acquire TLS/SSL certificates for your application, web server, you name it. Well, the good people who thought up Let's Encrypt are making certificates free. (Cisco had a big hand in the design, funding and implementation of Let's Encrypt.) In addition to removing the acquisition cost, Let's Encrypt certificate management (renewal) is automated.
Here's my scenario...
Our cisco.github.io site has a small backend that crawls what we deem as useful Cisco GitHub Organizations and Repos, and filters out the cruft, leaving the good stuff for you to browse. By good stuff, we mean that it has a description, license, and is recently active. The backend creates JSON files and then copies them to a well-known location on an nginx server.
Since the request originates from a page loaded over HTTPS and goes cross-origin, the browser blocks it as mixed content unless the backend connection is also secured via HTTPS (and the backend must answer with the appropriate CORS headers). Which brings us to certificates.
At Cisco, we have a centralized way of getting certificates, but even we have to pay into the service at the BU level, and so I thought I'd try out Let's Encrypt.
After searching around for a magic bullet, an nginx Let's Encrypt plugin, I realized that I really didn't need such a thing. After reading more about how the Let's Encrypt certbot worked, I recognized that it was pretty simple to implement. The basic pattern is for certbot to register you with the service and obtain the first certificate, and then you configure your server to renew the certificate on a schedule. That latter part is necessary because Let's Encrypt certs are only valid for 90 days.
To get started, I followed the certbot instructions for Debian-based systems.
In order to automate the refresh, I found this repo that implemented a certbot systemd service and timer:
Things didn't quite work at that point, so I did some more digging, and found a nice write-up from the DigitalOcean community that helped me with the nginx configuration.
As mentioned earlier, I used a systemd service and timer rather than the cron job used in that article.
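The pieces described above (initial issuance, an nginx site that serves the ACME challenge and the JSON files with a CORS header for the GitHub Pages origin, and a systemd service plus timer that runs `certbot renew`), pulled together as an added example. This is not the author's script nor the contents of the repo or article linked in the post; the hostname `data.example.com`, the webroot `/var/www/html`, the data directory `/var/www/data` and the origin `https://cisco.github.io` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): writes a systemd service+timer that
# runs `certbot renew`, and an nginx site for the data-file backend.
# Assumed values (not stated in the post): hostname, webroot, data dir, pages origin.
set -eu

DOMAIN="${DOMAIN:-data.example.com}"              # assumed backend hostname
WEBROOT="${WEBROOT:-/var/www/html}"                # assumed webroot for the HTTP-01 challenge
PAGES_ORIGIN="${PAGES_ORIGIN:-https://cisco.github.io}"  # origin allowed to fetch the JSON

# Write certbot-renew.service and certbot-renew.timer into $1 (normally /etc/systemd/system).
# `certbot renew` only replaces certs that are close to expiry, so running it twice a
# day is safe; --deploy-hook reloads nginx only when a certificate actually changed.
write_certbot_units() {
    unitdir="$1"
    cat > "$unitdir/certbot-renew.service" <<EOF
[Unit]
Description=Renew Let's Encrypt certificates
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"
EOF
    cat > "$unitdir/certbot-renew.timer" <<EOF
[Unit]
Description=Run certbot renew twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# Write the nginx site to $1 (normally /etc/nginx/sites-available/$DOMAIN).
# Port 80 serves only the ACME challenge and redirects everything else to HTTPS;
# port 443 serves the JSON under /data/ with a CORS header limited to the pages origin.
write_nginx_site() {
    cat > "$1" <<EOF
server {
    listen 80;
    server_name $DOMAIN;
    location /.well-known/acme-challenge/ { root $WEBROOT; }
    location / { return 301 https://\$host\$request_uri; }
}

server {
    listen 443 ssl;
    server_name $DOMAIN;
    ssl_certificate     /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
    location /.well-known/acme-challenge/ { root $WEBROOT; }
    location /data/ {
        root /var/www;
        add_header Access-Control-Allow-Origin "$PAGES_ORIGIN" always;
        add_header Vary Origin always;
    }
}
EOF
}

# Number of unit files present in $1, so a caller can verify both were written.
count_units() { ls "$1"/certbot-renew.service "$1"/certbot-renew.timer 2>/dev/null | wc -l; }

# One-time setup, run as root with certbot and nginx installed:
#   certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN"
#   write_nginx_site "/etc/nginx/sites-available/$DOMAIN" && nginx -t && systemctl reload nginx
#   write_certbot_units /etc/systemd/system
#   systemctl daemon-reload && systemctl enable --now certbot-renew.timer
#   certbot renew --dry-run   # prove renewal works before the 90 days run out
```

Run `certbot renew --dry-run` once after enabling the timer: it exercises the whole challenge path against the staging environment, so a broken webroot or a firewall blocking port 80 surfaces now rather than on the day the certificate expires. The CORS header is pinned to a single origin rather than `*`, which is all the GitHub Pages front end needs.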
Having struggled through certificate woes in the past, I was really happy and impressed with the Let's Encrypt service and certbot. The process was relatively painless. I recommend you give it a try!
P.S. If you're someone who enjoys learning more about developer tools and trying to be more productive, you should check out my podcast -- the Cisco DevNet DevTools Podcast!