In this supplementary lesson we'll take a look at getting started with Let's Encrypt in nginx. So first of all, what is Let's Encrypt? The Let's Encrypt service is a relatively new provider of free, automated SSL certificates, something virtually unheard of only a couple of years ago. The service itself then aims to encourage the use of SSL over HTTP, so HTTPS, as this has become the new standard and plain, insecure HTTP is just no longer acceptable. Now, having the Let's Encrypt service is one thing, but in order to generate certificates and automate their renewal we'll use a tool called Certbot, which will form the basis of this lesson. To demonstrate, I've again created a server on DigitalOcean, this being a build of Ubuntu 16.04, but the lesson will apply to whichever operating system you decide to use, the main factor being the use of Certbot and Let's Encrypt within nginx. Important to note: I also have a domain configured for the server, letsencrypt.stackacademy.tv. This being as Let's Encrypt won't issue certificates for IP addresses, so a valid, reachable domain is required. Of course, at the moment if I try and access this domain it's unreachable, as there's no web server running. So let's begin by installing nginx. Over my terminal, SSH to the server with ssh -i and my key, root@
letsencrypt.stackacademy.tv. And I'm connected. apt-get update, just good practice to make sure we have all the latest versions of the package repos. Clear this. Install nginx with apt-get install nginx. Confirm. And once that's done we can check if nginx is already running with ps aux, checking for nginx with grep. There we have it: the master process and a single worker process. We can test this by performing a request to the server, curl http://letsencrypt.stackacademy.tv. And sure enough we get the HTML from the nginx holding page, meaning nginx is up and listening on the server, which looks like this in the browser. In my editor then I'll open the nginx configuration file from that server's new nginx install, this being the file at /etc/nginx/nginx.conf. Remove the bulk of this, as we're only looking to test SSL certificates, so only leave the events block as that's required. Get rid of all this. Create a new server block inside the http context listening on port 80 for now, so plain HTTP, with a root location block that simply returns a 200 status and "Hello from nginx". Save that, reload nginx: nginx with the -s flag, reload.
Perform the same curl command to the server and we get that new response, so everything is working as expected. If however I change this protocol to HTTPS we get an error. So let's generate some SSL certificates and get this working with the help of Certbot and Let's Encrypt. We'll install Certbot first. Navigate to certbot.eff.org, select the relevant server software, nginx, and the corresponding server OS, in my case Ubuntu 16.04, which gives us this detailed set of instructions for installing Certbot and even automating the renewal of those certificates, all of which we'll cover. Start with the Certbot install commands. I've already run this apt-get update prior to installing nginx, so copy this: installing the software-properties-common package, already installed for this version of Ubuntu. Add the Certbot PPA repo. Run update again to pull the packages from that newly added repo. And finally install the Certbot package: install python-certbot-nginx. Yes. All done, meaning we should now have the Certbot tools available. Clear this, run certbot --help. And there we have it. OK, now that we have the command line tools available, let's go ahead and generate the SSL certificates via the Let's Encrypt service.
First off though, it's important to assess the specific needs of your web server before continuing with generating certificates. As you can see, Certbot allows us to generate certificates without installing them, or by default installs them, meaning your nginx configuration file will be edited with all the necessary directives to listen for HTTPS connections. This is often very useful: Certbot will also configure the correct cipher suite and a host of other SSL parameters, but it might not be ideal on an existing server configuration where edits could cause trouble. Just something to consider and decide on. For this demonstration however I'll have Certbot install the certificates as well. To generate and install certificates for our nginx server then, we can run certbot with the --nginx flag. If however you were to run this with the certonly command, skipping the installation, then you'd also have to provide the -d flag with the relevant domain name for this certificate. The reason we don't need to specify the domain when also installing the certificate is that Certbot will inspect the existing configuration for a domain, or server_name, and use that, also allowing it to know where the SSL configuration needs to be added. Right now we don't actually have a server_name specified, so I'll add that: server_name letsencrypt.stackacademy.tv. Save that, reload nginx.
And run the default Certbot command for nginx, certbot --nginx. We are prompted for an email address. Agree to the terms of use. Do you want to share your email address? I'll opt for no in this case. And then we're presented with a selection of domains found in the nginx configuration file to choose from, this being the reason I added the server_name directive to that configuration. I only have the one, so enter 1, enter. The certificate gets generated and the domain verified. And finally we can choose to add a redirect to our nginx configuration in order to redirect all HTTP traffic to HTTPS. I'll just say no for now, option 1, enter, and that's all done: "Congratulations! You have successfully enabled https://letsencrypt.stackacademy.tv", with some notes and paths to the generated certificates listed here. We can check the contents of that directory, /etc/letsencrypt, containing all of the Let's Encrypt files: certificates, configurations, etc. /live/ my domain, and there we see the generated certificates. Certbot has also reloaded our nginx configuration after adding the certificates. So test this over HTTPS again: Hello from nginx. So working this time.
Easier still, I'll check this in the browser: https. And there we have it, lock and all. We can see what modifications Certbot made to our nginx configuration file. It's added a listen directive on port 443, being the default HTTPS port, links to the newly generated certificates for this domain, and an include called options-ssl-nginx.conf. I'll clean this up a bit. Copy that path to the configuration include so we can see what this contains. There. This is the convenience of having Certbot install your certificates for you. We have the SSL session configuration and a selection of preferred ciphers for added security, so very convenient. The next point then is certificate renewal. Unlike traditional SSL certificates that were valid for one or two years at a time, Let's Encrypt certificates are valid for 90 days only. Now, without getting into the nitty-gritty details of why this is, it's a good thing; I've linked to some content in the lesson resources should you want to read more about the reasons for the shorter certificate life. Renewing your certificates will have to happen fairly frequently then, and as part of this renewal we'll also see how to automate this.
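To make the edits described above concrete, here is the minimal nginx.conf built earlier in this lesson, before and after running certbot --nginx. This is an added example, not a file shown in the lesson: the domain is the lesson's, the directives marked "managed by Certbot" are the ones the narration lists (the port 443 listen, the two certificate links and the include), and the fullchain.pem and privkey.pem file names are certbot's standard names for the files under /etc/letsencrypt/live/<domain>/, which the lesson does not spell out.

```nginx
# Before: the stripped-down nginx.conf from this lesson, plain HTTP only.
events {}

http {
    server {
        listen 80;
        server_name letsencrypt.stackacademy.tv;   # certbot reads this to pick the domain

        location / {
            return 200 "Hello from nginx";
        }
    }
}

# After certbot --nginx (redirect declined, so port 80 is still served):
# certbot keeps the block and appends the HTTPS directives at the end.
events {}

http {
    server {
        listen 80;
        server_name letsencrypt.stackacademy.tv;

        location / {
            return 200 "Hello from nginx";
        }

        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/letsencrypt.stackacademy.tv/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/letsencrypt.stackacademy.tv/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    }
}
```

The included options-ssl-nginx.conf is where the session settings and cipher list the narration shows live, so cipher policy can be updated by certbot without touching the server block.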
Meaning you should never have to worry about certificate renewal again. First then, to renew certificates manually, we can run certbot renew, giving us "Cert not yet due for renewal, skipped". So no nasty errors, just the silent skip. We can however force a test renewal to make sure this will work once the certificates become due. Same command again, this time with the flag --dry-run. We get that verification again, and done: "Congratulations, all renewals succeeded". Now, for certificates to be renewed they don't actually have to be expired, only close to expiring, which is good as we don't want a second of having expired certificates. This also means that we can safely run the renewals daily: if they're not due, nothing will happen; if they're close, they'll get renewed. To do this then, to attempt the certificate renewal daily, we'll use a simple cron job. Clear this, run crontab with the -e flag, so editing the cron job entries. I'll edit with nano. Now, I don't have any cron jobs at the moment, so add a new one right at the bottom of this file: @daily, being a convenience expression for running a cron job at midnight each day, and the command certbot renew. Write this out with Ctrl+O, exit.
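As a safety net beside the @daily certbot renew cron job, the script below (my added example, not part of the lesson) reads the notAfter date of the issued certificate and reports whether it is ok, due (inside the window in which certbot renews by default, 30 days) or already expired, so a cron job that has silently stopped working is noticed before visitors see a certificate error. It assumes GNU date and openssl on the server and the /etc/letsencrypt/live/<domain>/fullchain.pem path that certbot writes.

```shell
#!/bin/sh
# Added example, not from the lesson: report how close a Let's Encrypt certificate
# is to expiry. Let's Encrypt certs live 90 days; certbot renews them once fewer
# than RENEW_DAYS (30 by default) remain, so anything below that means the
# automated renewal is overdue. Assumes GNU date (-d) and openssl; the cert path
# is the one certbot writes under /etc/letsencrypt/live/<domain>/ and
# fullchain.pem is certbot's standard file name there.

RENEW_DAYS=30

# days_remaining NOTAFTER NOW_EPOCH
# NOTAFTER is the line printed by `openssl x509 -noout -enddate`,
# e.g. "notAfter=Jan 11 00:00:00 2030 GMT"; NOW_EPOCH is a Unix timestamp.
# Prints the whole days between now and expiry (negative once expired).
days_remaining() {
    end_epoch=$(date -u -d "${1#notAfter=}" +%s)
    echo $(( (end_epoch - $2) / 86400 ))
}

# renewal_status DAYS -> ok | due | expired
renewal_status() {
    if [ "$1" -lt 0 ]; then
        echo expired
    elif [ "$1" -lt "$RENEW_DAYS" ]; then
        echo due
    else
        echo ok
    fi
}

# check_cert PEMFILE -> silent and exit 0 while the cert is fine; otherwise
# one line on stderr and exit 1. Run from cron (which mails any output), e.g.
#   @daily /usr/local/bin/check_cert.sh /etc/letsencrypt/live/letsencrypt.stackacademy.tv/fullchain.pem
# so mail arrives only when the certbot renew job has not done its work.
check_cert() {
    notafter=$(openssl x509 -in "$1" -noout -enddate)
    days=$(days_remaining "$notafter" "$(date +%s)")
    status=$(renewal_status "$days")
    if [ "$status" = ok ]; then
        return 0
    fi
    echo "$1: $days day(s) left, $status" >&2
    return 1
}

# Check every certificate path given on the command line (none: nothing runs).
for pem in "$@"; do
    check_cert "$pem" || failed=1
done
```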
And if I list out my cron entries, we see that daily renewal, which is all there is to renewing your certificates automatically. With that we will leave this lesson. You should now be comfortable installing Certbot, generating and installing new Let's Encrypt certificates and automating the renewal process. If you're interested in digging deeper into Certbot, I've linked to some good articles in the lesson resources and, as always, there's the official Certbot documentation to help you explore some of the other commands.