
Automate SSL renewals with Let's Encrypt using Rackspace or Cloudflare DNS

Installing packages and cloning repos!

On a fairly basic install of CentOS 7 I needed to install the packages below. You may find some of them are already present on your system.

yum install python-devel python-pip libffi-devel git gcc openssl-devel

If you are running Ubuntu or Debian, use the command below instead, as some of the packages have different names there.

apt-get install libffi-dev libssl-dev python-dev python-pip git gcc

Now clone dehydrated, a Let's Encrypt client written in Bash.

git clone https://github.com/lukas2511/dehydrated /etc/dehydrated

Rackspace DNS

Next we need the hook that talks to the Rackspace DNS API. The command below clones it into its own directory under the dehydrated directory.

git clone https://github.com/major/letsencrypt-rackspace-hook.git /etc/dehydrated/hooks/rackspace

This hook is written in Python and needs a few packages to work; the command below installs those requirements.

pip install -r /etc/dehydrated/hooks/rackspace/requirements.txt

Now create a credential file so the hook can authenticate to the Rackspace API: add your Cloud username and API key to ~/.pyrax.

vim ~/.pyrax
[rackspace_cloud]
username = my_username
api_key = 01234567890abcdef

If you are on Rackspace, skip the Cloudflare section and go straight to the cron section.

Cloudflare DNS

If Cloudflare is serving your DNS, clone the Cloudflare hook below instead.

git clone https://github.com/kappataumu/letsencrypt-cloudflare-hook.git /etc/dehydrated/hooks/cloudflare

Now install the requirements this hook needs.

pip install -r /etc/dehydrated/hooks/cloudflare/requirements-python-2.txt

Just like the Rackspace hook, this one needs your Cloudflare API credentials, which go in the dehydrated config file.

vim /etc/dehydrated/config
export CF_EMAIL=user@example.com
export CF_KEY=K9uX2HyUjeWg5AhAb

Domains to get and renew

Now that you have the client and one of the hooks, decide which domains to cover. This is done in the domains.txt file.

Each line corresponds to one certificate, so one certificate can cover multiple domains. For example:

# Single domain
echo "example.com" > /etc/dehydrated/domains.txt

# Separate multiple domains with spaces
echo "example.com store.example.com backend.example.com" > /etc/dehydrated/domains.txt
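Because a typo in domains.txt only shows up when the renewal run fails, it is worth checking the file before dehydrated reads it. The script below is an added example and not part of dehydrated or this post: it enforces the format just described (one certificate per line, names separated by spaces), accepts blank lines and `#` comments, rejects names that are not syntactically valid hostnames, and reports a hostname that appears on more than one line, since two certificates for the same name is almost always a mistake. The file path is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example (not part of dehydrated or the original post): sanity-check a
# domains.txt before handing it to dehydrated. One line per certificate, names
# separated by spaces; the first name becomes the certificate's common name and
# the rest become subject alternative names.

# validate_domains FILE
# Returns 0 if every non-blank, non-comment line holds one or more valid
# hostnames and no hostname is repeated across lines; otherwise reports each
# problem on stderr and returns 1.
validate_domains() {
    file=$1
    status=0
    seen=""
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # skip blank lines and comments
        case "$line" in ''|'#'*) continue ;; esac
        for name in $line; do
            # labels of letters, digits and hyphens joined by dots, ending in an alphabetic TLD
            if ! printf '%s\n' "$name" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'; then
                printf 'line %d: invalid hostname "%s"\n' "$lineno" "$name" >&2
                status=1
                continue
            fi
            # a name listed twice would request two separate certificates for it
            case " $seen " in
                *" $name "*)
                    printf 'line %d: "%s" is already listed on an earlier line\n' "$lineno" "$name" >&2
                    status=1 ;;
            esac
            seen="$seen $name"
        done
    done < "$file"
    return $status
}

# usage: validate-domains.sh /etc/dehydrated/domains.txt
if [ $# -gt 0 ]; then
    validate_domains "$1" || exit 1
    echo "$1: OK"
fi
```

Run it against /etc/dehydrated/domains.txt after every edit; a non-zero exit means dehydrated would be asked for a certificate that cannot be issued.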

The magic of Cron

Now that everything is set up, let's create a cron job to run monthly. Let's Encrypt will renew a certificate that has less than 30 days left, so once a month should be fine. Visit Cron Generator and pick a random minute, hour and day, for every month and weekday. Then add the line below to your crontab (crontab -e), replacing the schedule fields with the ones generated by the site.

54 4 * * 3 /etc/dehydrated/dehydrated -c -t dns-01 -k '/etc/dehydrated/hooks/cloudflare/hook.py' >> /var/log/sslrenewal 2>&1

In my example this runs at 4:54AM (server time) every Wednesday. -c enables cron mode, -t selects the DNS challenge instead of the default HTTP one, and -k sets the hook we want to use; >> appends all messages to /var/log/sslrenewal and 2>&1 sends errors to the same place, so should something go wrong the errors are saved.
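Two things bite people with this cron line in practice. First, the order of the redirects matters: written as `2>&1 >> file`, stderr is duplicated onto the terminal before stdout is pointed at the file, so errors go to cron's mail (or nowhere) rather than the log. Second, the hook's config file holds an API key that can rewrite your whole DNS zone, so it should not be readable by other users on the box. The wrapper below is an added example, not part of dehydrated or this post: it refuses to run if the credential file is group- or world-readable, then runs the renewal with both output streams merged inside a pipeline and appends each line to the log with a timestamp, returning dehydrated's real exit status. The paths follow the post's layout and are assumptions; for the Rackspace hook, check ~/.pyrax the same way.

```shell
#!/bin/sh
# Added example (not part of dehydrated or the original post): a wrapper for the
# renewal cron job. Paths below are assumptions matching the post's layout.

DEHYDRATED=/etc/dehydrated/dehydrated          # dehydrated clone from the post
HOOK=/etc/dehydrated/hooks/cloudflare/hook.py  # the DNS hook in use
CREDS=/etc/dehydrated/config                   # file holding the API key
LOG=/var/log/sslrenewal                        # log file from the post

# check_private FILE: succeed only if FILE exists and no group/other permission
# bits are set (mode 600, 400, ...). The API key in it can change your DNS, so
# only root should be able to read it.
check_private() {
    f=$1
    [ -f "$f" ] || { echo "missing credential file: $f" >&2; return 1; }
    # permissions as octal digits, e.g. 600 or 644 (GNU stat, then BSD stat)
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
        *00) return 0 ;;
        *) echo "$f has mode $mode; it must not be readable by group/other (chmod 600)" >&2
           return 1 ;;
    esac
}

# log_run CMD...: run CMD with stdout and stderr merged, append every line to
# $LOG with a timestamp, and return CMD's own exit status. The status is passed
# through a temp file because a pipeline only reports its last command's status.
log_run() {
    status_file=$(mktemp)
    { if "$@" 2>&1; then rc=0; else rc=$?; fi; echo "$rc" > "$status_file"; } |
        while IFS= read -r line; do
            printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$line"
        done >> "$LOG"
    rc=$(cat "$status_file")
    rm -f "$status_file"
    return "$rc"
}

main() {
    check_private "$CREDS" || exit 1
    if log_run "$DEHYDRATED" -c -t dns-01 -k "$HOOK"; then
        echo "renewal run finished, see $LOG"
    else
        echo "renewal run FAILED (exit $?), see $LOG" >&2
        exit 1
    fi
}

# only start a real run when invoked as: renew-certs.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Install it as, say, /usr/local/sbin/renew-certs.sh (an assumed path) and replace the command part of the crontab line with `/usr/local/sbin/renew-certs.sh run`; because the wrapper exits non-zero on failure, cron will still mail you when a run goes wrong, and the timestamped log shows which run it was.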

Get that certificate

To get your initial certificate, manually run the command from the cronjob.

/etc/dehydrated/dehydrated -c -t dns-01 -k '/etc/dehydrated/hooks/cloudflare/hook.py' 2>&1 | tee /var/log/sslrenewal

In this command I changed ‘>>’ to ‘| tee’ so that everything still goes to the log file but is also shown on your console.

Conclusion

That is it; never worry about SSL expiration again. Of course, you should occasionally take a look at the log to ensure it is all working as expected.
