Generating Certificates

We will use Let's Encrypt to generate certificates for the server. They expire about every 3 months, but the service asks for an email address to which it sends a reminder to re-generate them. There are services that will handle this for you, but I've never wanted to pay for them.

Specifically, we have provided a script that can be used to generate the needed certificates. It takes an email address and a domain (without www) as the first two arguments:

$ /bin/bash scripts/generate_cert.sh myemail@domain.com freegenes.org

It also requires nginx to be installed on the host machine (done with the prepare instance script). I usually walk through the steps manually to make sure that each works as expected, instead of running the entire thing with arguments. To give you a preview of the content, after installing dependencies we use certbot to get certificates (both for www and without):

# Get certificates (might need sudo)
certbot certonly --nginx -d "${DOMAIN}" -d "www.${DOMAIN}" --email "${EMAIL}" --agree-tos --redirect

And the prompt will continue interactively to ask for more details. When it finishes, you should see that the generation was successful:

# Obtaining a new certificate
# Performing the following challenges:
# http-01 challenge for containers.page
# http-01 challenge for www.containers.page
# Waiting for verification...
# Cleaning up challenges

# IMPORTANT NOTES:
# - Congratulations! Your certificate and chain have been saved at:
#   /etc/letsencrypt/live/containers.page/fullchain.pem
#   Your key file has been saved at:
#   /etc/letsencrypt/live/containers.page/privkey.pem
#   Your cert will expire on 2019-09-04. To obtain a new or tweaked
#   version of this certificate in the future, simply run certbot
#   again. To non-interactively renew *all* of your certificates, run
#   "certbot renew"
# - Your account credentials have been saved in your Certbot
#   configuration directory at /etc/letsencrypt. You should make a
#   secure backup of this folder now. This configuration directory will
#   also contain certificates and private keys obtained by Certbot so
#   making regular backups of this folder is ideal.
# - If you like Certbot, please consider supporting our work by:

#   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
#   Donating to EFF:                    https://eff.org/donate-le

We then copy the files on the host into /etc/ssl (where the container expects them to be) and create backups. Finally, we generate a dhparam.pem for extra security, and stop nginx. The next step is to ensure that your domain name has an A record for the IP address, and then (for Google Cloud and similar) to create a networking interface that uses the A record, along with CNAMEs, both using the nameservers specified by the domain registrar. When you are finished, return to the setup.
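The following is an added example that walks through the steps described above as separate shell functions; it is not the project's own scripts/generate_cert.sh. It assumes certbot writes to /etc/letsencrypt/live/DOMAIN as in the output above, that the container reads from /etc/ssl, and that nginx is stopped with `service nginx stop`; the live and target directories are parameters so the copy-and-backup step can be tried against a scratch directory before touching /etc/ssl.

```shell
#!/bin/sh
# Added example (not the project's scripts/generate_cert.sh): each step of
# the certificate procedure as a function that can be run and checked alone.
set -eu

# Print the certbot command from the page for an email and a domain
# (without www), so it can be inspected before it is actually run.
certbot_command() {
    email="$1"; domain="$2"
    printf 'certbot certonly --nginx -d %s -d www.%s --email %s --agree-tos --redirect\n' \
        "$domain" "$domain" "$email"
}

# Copy fullchain.pem and privkey.pem from certbot's live directory into the
# directory the container expects, keeping a timestamped backup of any file
# already there. The private key is made readable by root only.
install_certs() {
    domain="$1"; live_dir="$2"; ssl_dir="$3"
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$ssl_dir"
    for f in fullchain.pem privkey.pem; do
        if [ -f "$ssl_dir/$f" ]; then
            cp -p "$ssl_dir/$f" "$ssl_dir/$f.$stamp.bak"
        fi
        cp "$live_dir/$domain/$f" "$ssl_dir/$f"
    done
    chmod 0644 "$ssl_dir/fullchain.pem"
    chmod 0600 "$ssl_dir/privkey.pem"
}

# Generate dhparam.pem once; it is slow to create and does not need renewing
# with the certificate (assumes openssl is installed on the host).
generate_dhparam() {
    ssl_dir="$1"; bits="${2:-2048}"
    if [ ! -f "$ssl_dir/dhparam.pem" ]; then
        openssl dhparam -out "$ssl_dir/dhparam.pem" "$bits"
    fi
}

# Usage (as root): sh generate_cert_example.sh run myemail@domain.com freegenes.org
if [ "${1:-}" = "run" ]; then
    EMAIL="$2"; DOMAIN="$3"
    sh -c "$(certbot_command "$EMAIL" "$DOMAIN")"
    install_certs "$DOMAIN" /etc/letsencrypt/live /etc/ssl
    generate_dhparam /etc/ssl
    service nginx stop
fi
```

Running the copy step against a scratch directory first (as the test below does) confirms that a second run preserves the previous key as a .bak file before overwriting it, which is the behaviour you want when re-generating certificates after the reminder arrives.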