Automate SSL renewals with Let's Encrypt using Rackspace or Cloudflare DNS
Installing packages and cloning repos!
I have a pretty basic install of CentOS 7 and needed to install the packages below. You may find some of these are already installed on your system.
yum install python-devel python-pip libffi-devel git gcc openssl-devel
If you are running Ubuntu or Debian, use the below instead, as some of the packages have different names.
apt-get install libffi-dev libssl-dev python-dev python-pip git gcc
Now clone the repo of the Let's Encrypt client written in Bash, called dehydrated.
git clone https://github.com/lukas2511/dehydrated /etc/dehydrated
Now we need the hook that drives the Rackspace DNS API. The below clones that hook into its own directory under the dehydrated directory.
git clone https://github.com/major/letsencrypt-rackspace-hook.git /etc/dehydrated/hooks/rackspace
This hook is written in Python and needs some packages to work; the below command installs those requirements.
pip install -r /etc/dehydrated/hooks/rackspace/requirements.txt
Now we need to create a credential file so the hook can authenticate to the Rackspace API. Create ~/.pyrax with your Cloud username and API key (the values below are placeholders). The API key is equivalent to a password for your account, so make the file readable by its owner only (mode 0600).

vim ~/.pyrax

[rackspace_cloud]
username = my_username
api_key = 01234567890abcdef
If you use Rackspace, skip the Cloudflare section and go straight to the cron section.
If Cloudflare hosts your DNS, clone the Cloudflare hook instead.
git clone https://github.com/kappataumu/letsencrypt-cloudflare-hook.git /etc/dehydrated/hooks/cloudflare
Now install the requirements this hook needs (the path is absolute so the command works from any directory).
pip install -r /etc/dehydrated/hooks/cloudflare/requirements-python-2.txt
Just like the Rackspace one, this hook needs your Cloudflare API credentials. It reads them from the environment, and dehydrated sources its config file as shell, so export them there (placeholder values below). This file now contains an API key that can change any record in your zone, so keep it owned by root with mode 0600.

vim /etc/dehydrated/config

export CF_EMAIL=you@example.com
export CF_KEY=K9uX2HyUjeWg5AhAb
Domains to get and renew
Now that you have the client and one of the hooks, you need to decide which domains to cover. This is done with the domains.txt file.
Each line corresponds to one certificate, so one certificate can cover multiple domains: the first name on the line becomes the subject and the rest are added as alternative names. For example:

# Single domain
echo "example.com" > /etc/dehydrated/domains.txt

# Separate multiple domains with spaces
echo "example.com store.example.com backend.example.com" > /etc/dehydrated/domains.txt
The magic of Cron
Now that is all set up, let's create a cron job. Let's Encrypt certificates are valid for 90 days, and dehydrated only renews a certificate when it has fewer than 30 days left (RENEW_DAYS, default 30); every other run just checks and exits. So running the job weekly costs nothing and gives you several retries if a run fails, whereas a monthly run can skip a certificate that still has 30 days left and come back when it has none. Visit Cron Generator and pick a random minute, hour and weekday, then add a line like the below to root's crontab (crontab -e). Rackspace users point -k at the hook script under /etc/dehydrated/hooks/rackspace instead.
54 4 * * 3 /etc/dehydrated/dehydrated -c -t dns-01 -k '/etc/dehydrated/hooks/cloudflare/hook.py' >> /var/log/sslrenewal 2>&1
In my example this runs at 4:54AM (server time) every Wednesday. -c enables cron mode, -t selects the DNS challenge instead of the default HTTP one, and -k sets the hook to use. The redirections append stdout to /var/log/sslrenewal and then send stderr to the same place, so errors are saved should something go wrong. The order matters: written as '2>&1 >> file', stderr is attached to cron's original stdout (which is mailed, if mail is set up at all, and otherwise lost) and only normal output reaches the log.
Get that certificate
To get your initial certificate, manually run the command from the cron job. Newer dehydrated versions require a one-time account registration first (./dehydrated --register --accept-terms), otherwise -c refuses to run.
/etc/dehydrated/dehydrated -c -t dns-01 -k '/etc/dehydrated/hooks/cloudflare/hook.py' 2>&1 | tee /var/log/sslrenewal
In the command I changed '>>' to '| tee' so that everything goes to the log file but also to your console. Note that tee without -a truncates the file, which is fine for this first run.
That is it; you should not have to worry about SSL expiration again. Two caveats: renewing the files on disk does not reload your web server, so put the reload in the hook's deploy_cert step, which dehydrated calls after every issuance; and do occasionally look at the log, since a hook that silently fails every week looks the same from the outside until the certificate expires.
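The "look at the log occasionally" advice and the weekly-versus-monthly reasoning in the cron section both come down to one question: how many days does each managed certificate have left, and will the schedule renew it in time? The script below is an added example (not part of the original post and not dehydrated's own code) that answers it: it asks openssl for the notAfter of every cert under dehydrated's default certs/<name>/cert.pem layout, mirrors dehydrated's "fewer than RENEW_DAYS left" rule, and exits non-zero when any certificate is inside an alert window, which is enough for cron to mail you. The /etc/dehydrated base directory, the ALERT_DAYS threshold and the helper names are assumptions for this example; the openssl flags (x509 -enddate -noout) and its "notAfter=Mar  1 12:00:00 2025 GMT" output format are real.

```python
#!/usr/bin/env python3
"""Post-run check for dehydrated-managed certificates (added example).

Assumes dehydrated's default layout /etc/dehydrated/certs/<name>/cert.pem
and parses the notAfter line printed by `openssl x509 -enddate -noout`.
"""
import glob
import os
import subprocess
import sys
from datetime import datetime, timezone

RENEW_DAYS = 30      # dehydrated's default RENEW_DAYS
ALERT_DAYS = 14      # alert threshold assumed for this example
CERT_GLOB = "/etc/dehydrated/certs/*/cert.pem"   # assumed BASEDIR
NOT_AFTER_FMT = "%b %d %H:%M:%S %Y %Z"           # "Mar  1 12:00:00 2025 GMT"


def utc(year, month, day):
    """Aware UTC datetime at midnight; used as a fixed 'now' in checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_not_after(line):
    """Turn 'notAfter=Mar  1 12:00:00 2025 GMT' into an aware UTC datetime.

    strptime treats a space in the format as 'one or more' whitespace, so the
    double space openssl prints before single-digit days parses as well.
    """
    value = line.strip().split("=", 1)[1]
    return datetime.strptime(value, NOT_AFTER_FMT).replace(tzinfo=timezone.utc)


def days_remaining(not_after, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def needs_renewal(not_after, now=None, renew_days=RENEW_DAYS):
    """dehydrated's rule: renew only when fewer than renew_days remain."""
    return days_remaining(not_after, now) < renew_days


def worst_case_margin(interval_days, renew_days=RENEW_DAYS):
    """Days left at the next cron run in the worst case.

    The cert had exactly renew_days left at this run (so it was skipped) and
    the next run is interval_days later.  Zero or negative means one failed
    run is enough to end up with an expired certificate.
    """
    return renew_days - interval_days


def cert_not_after(path):
    """Ask openssl for the notAfter of a PEM certificate on disk."""
    out = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", path],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_not_after(out)


def check_all(pattern=CERT_GLOB, now=None):
    """Map each managed certificate name to its days remaining."""
    report = {}
    for path in sorted(glob.glob(pattern)):
        name = os.path.basename(os.path.dirname(path))
        report[name] = days_remaining(cert_not_after(path), now)
    return report


def main():
    report = check_all()
    if not report:
        print("no certificates found under", CERT_GLOB)
        return 2
    alerts = 0
    for name, days in report.items():
        state = "OK" if days >= ALERT_DAYS else "ALERT"
        print(f"{state:5} {name}: {days} days remaining")
        alerts += days < ALERT_DAYS
    return 1 if alerts else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the same crontab a few minutes after the renewal job; cron mails any non-zero exit (when mail is configured), so an ALERT line reaches you before the browser warning does. worst_case_margin(7) is 23 days for the weekly schedule above, while worst_case_margin(31) is negative, which is the arithmetic behind running weekly rather than monthly.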