📗 Let’s Encrypt

Overview

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. 😇

- Docs

- Wikipedia

Certbot DNS Gandi

Creating a Wildcard Certificate

Find a DNS plugin.

- PyPI cerbot-dns

- PyPI certbot-plugin-gandi

Create a virtualenv, install certbot and gandi-plugin.

mkdir guisam_xyz_LE_certs && cd guisam_xyz_LE_certs
python -m venv CertbotEnv
pip list --outdated | awk 'NR>2{print $1}' | xargs pip install -U
pip install certbot certbot-plugin-gandi

Create gandi API key file : ~/guisam_xyz_LE_certs/gandi.ini.

# live dns v5 api key
dns_gandi_api_key=xxxxxxxxxxxxxxxxxxxxxxxx

Create your certificate.

certbot certonly -d "guisam.xyz" -d "*.guisam.xyz" \
--authenticator dns-gandi \
--dns-gandi-credentials /root/guisam_xyz_LE_certs/gandi.ini \
--email guisam@guisam.xyz \
--agree-tos

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.guisam.xyz
Unsafe permissions on credentials configuration file: /root/guisam_xyz_LE_certs/gandi.ini
Waiting 10 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/guisam.xyz/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/guisam.xyz/privkey.pem
This certificate expires on 2023-04-08.
These files will be updated when the certificate renews.

[...]

Check the wildcard certificate.

openssl x509 -noout -text -in /etc/letsencrypt/live/guisam.xyz/fullchain.pem | \
awk '/Validity|Not|Subject.*CN|Alternative|DNS/'

       Validity
           Not Before: Jan  9 09:52:49 2023 GMT
           Not After : Apr  9 09:52:48 2023 GMT
       Subject: CN = guisam.xyz
           X509v3 Subject Alternative Name:
               DNS:*.guisam.xyz, DNS:guisam.xyz

.. _letsencrypt_certbot_dns_ovh:

Cerbot DNS OVH

OVH guisam.fr former ip

ᐅ dig guisam.fr +noall +answer
guisam.fr.              2974    IN      A       213.186.33.5

ᐅ sudo resolvectl status
ᐅ sudo systemctl restart systemd-resolved.service

ᐅ dig guisam.fr +noall +answer
guisam.fr.              3600    IN      A       82.64.232.18

let’s encrypt certificate OVH

Manual Setup via Certbot (Advanced) If you prefer full control, use Certbot with the dns-ovh plugin to automate DNS challenges:

• Create an API token in your OVHcloud account for DNS API access.

Tip

To create an OVH API token for Let’s Encrypt automation, follow these steps:

1. Access the API Token Creation Page Go to: [https://eu.api.ovh.com/createToken/](https://eu.api.ovh.com/createToken/ )

2. Configure Token Permissions Set the following rights for the API token:

• GET /domain/zone/*

• POST /domain/zone/*

• PUT /domain/zone/*

• DELETE /domain/zone/*

3. Set Token Validity Choose Unlimited validity to avoid frequent renewals, especially for automated scripts.

4. Generate the Token Click Create Token. You’ll receive:

Application Key Application Secret Consumer Key

• Install certbot-dns-ovh plugin.

root@forge:~# mkdir certbot && pytohn3 -m venv certbot/Venv && source certbot/Venv/bin/activate
root@forge:~# pip install certbot certbot-dns-ovh

• Configure /home/guisam/ovh.conf with your OVH API credentials.

root@forge:~# awk -F "=" '{if($2 !~ /ovh-/){$2="xxx"};printf "%-28s %s %s\n", $1, "=", $2}' /home/guisam/ovh.conf
dns_ovh_endpoint             = ovh-eu
dns_ovh_application_key      = xxx
dns_ovh_application_secret   = xxx
dns_ovh_consumer_key         = xxx

• Use the command:

ᐅ sudo certbot certonly --dns-ovh --dns-ovh-credentials /home/guisam/ovh.conf \
--preferred-challenges dns --agree-tos --email guisam@free.fr -d forge.guisam.fr

• Automate renewal using a cron job:

0 3 * * 1 /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"

Secure traffic using Let’s Encrypt and cert-manager

Links

• docs.nginx.com - integrate-cert-manager .

• cert-manager.io - docs

1. Deploy cert-manager.

ᐅ helm repo add jetstack https://charts.jetstack.io
ᐅ htlm repo update
ᐅ helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set config.apiVersion="controller.config.cert-manager.io/v1alpha1" \
--set config.kind="ControllerConfiguration" \
--set config.enableGatewayAPI=true \
--set crds.enabled=true

2. Install webhook OVH via Helm.

ᐅ git clone https://github.com/baarde/cert-manager-webhook-ovh.git
ᐅ cd cert-manager-webhook-ovh
ᐅ helm install cert-manager-webhook-ovh ./deploy/cert-manager-webhook-ovh \
  --set groupName=guisam.fr

3. Create API token

4. Create k8s secret with application_secret

ᐅ k create secret generic ovh-credentials \
  --namespace cert-manager \
  --from-literal=applicationSecret=xxx

ᐅ k get secrets -n cert-manager ovh-credentials \
  -o jsonpath='{.data.applicationSecret}' | base64 -d

cert-manager-webhook-ovh-rbac.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook-ovh:secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["ovh-credentials"]
    verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook-ovh:secret-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-webhook-ovh:secret-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook-ovh
    namespace: cert-manager

k apply -f cert-manager-webhook-ovh-rbac.yaml

5. Create ClusterIssuer

6. Create Gateway

7. Create HTTPRoute

helm template notes . -n notes | \
 yq '.| select(.kind == "Gateway" or .kind == "HTTPRoute" or .kind == "ClusterIssuer")'

k get clusterissuers,gtw,httproutes -n notes
NAME                                              READY   AGE
clusterissuer.cert-manager.io/letsencrypt-dns01   True    113m

NAME                                      CLASS   ADDRESS         PROGRAMMED   AGE
gateway.gateway.networking.k8s.io/notes   nginx   10.96.222.193   True         4d17h

NAME                                        HOSTNAMES       AGE
httproute.gateway.networking.k8s.io/notes   ["guisam.fr"]   4d17h