
Certbot ACME Client

Certbot is a free, open source software tool made by the Electronic Frontier Foundation (EFF) for automatically using Let’s Encrypt certificates.

While we use the Dehydrated ACME client to automate certificate renewals for the many domains, hostnames and services on our main server, the MX (mail exchange) servers only provide a single service (SMTP) under a single hostname. We therefore use Certbot here, with a simpler setup.

Installation

Warning

Certbot has supported ECDSA certificates since version 1.10, released on December 1st, 2020. As of January 2021 the Certbot version distributed in the Ubuntu package repository is still 0.40.0!

The Certbot version in the Ubuntu package repository is outdated, so we remove it if it has been installed before:

$ sudo apt remove certbot

We then install the SNAP package as per instructions:

$ sudo snap install core; sudo snap refresh core
$ sudo snap install --classic certbot
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Configuration

To achieve the highest possible compatibility with all mail servers out there, while still using the strongest modern encryption with servers that support it, we use both a traditional RSA and a modern ECDSA (elliptic curve cryptography) certificate.

Certbot reads a global configuration file whose options apply to every invocation of Certbot, including the certonly commands below and the later renewals. Settings that differ per certificate belong in the per-certificate .conf files under /etc/letsencrypt/renewal.

Global Configuration

/etc/letsencrypt/cli.ini

# Because we are using logrotate for greater flexibility, disable the
# internal certbot log rotation.
max-log-backups = 0

# Keys in cli.ini are the long command line option names without the
# leading "--" (the underscore form belongs to the renewal/*.conf files).

# This is a mail server, there is no webserver running here
authenticator = standalone

account = 0123456789abcdefg0123456789abcde
server = https://acme-v02.api.letsencrypt.org/directory

# Don't break our DANE TLSA DNS records, therefore don't create new keys on
# renewal: a "3 1 1" record hashes the public key, so the certificate may
# change as long as the key stays the same.
reuse-key = True
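The reuse-key setting exists for the DANE "3 1 1" records, which hash the certificate's public key (the SubjectPublicKeyInfo) rather than the certificate itself. The script below is an added example, not part of the original page, of Certbot or of any of its hooks: it computes that hash from a certificate and shows, on constructed throw-away keys, that reissuing for the same key keeps a published record valid while a fresh key breaks it. It assumes an openssl binary is available; the hostname maeve.example.net and the _25._tcp owner name are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): DANE-EE "3 1 1" TLSA record data
# and why Certbot's reuse-key keeps it stable across renewals.
# Assumes `openssl`. All keys and certificates here are constructed,
# self-signed throw-aways created in a temporary directory.
set -eu

# tlsa_311 CERT.pem -> hex SHA-256 over the SubjectPublicKeyInfo (DER),
# i.e. exactly the data field of a "3 1 1" TLSA record.
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r \
        | cut -d' ' -f1
}

# tlsa_matches CERT.pem HEX -> exit 0 if CERT's SPKI hash equals HEX
tlsa_matches() {
    [ "$(tlsa_311 "$1")" = "$2" ]
}

# selfsigned KEY.pem OUT.pem -> throw-away self-signed certificate for KEY
selfsigned() {
    openssl req -x509 -key "$1" -subj "/CN=maeve.example.net" -days 1 \
        -out "$2" 2>/dev/null
}

# Reissue a certificate for the same key, then for a new key, and report
# whether a record published for the first certificate still matches.
# Returns 0 when both cases behave as expected.
demo_reuse_key() {
    dir=$(mktemp -d)
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/key1.pem"
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/key2.pem"
    selfsigned "$dir/key1.pem" "$dir/cert1.pem"             # record was published for this one
    selfsigned "$dir/key1.pem" "$dir/renewed-same-key.pem"  # renewal with reuse-key
    selfsigned "$dir/key2.pem" "$dir/renewed-new-key.pem"   # renewal with a fresh key
    published=$(tlsa_311 "$dir/cert1.pem")
    echo "_25._tcp.maeve.example.net. IN TLSA 3 1 1 $published"
    ok=0
    if tlsa_matches "$dir/renewed-same-key.pem" "$published"; then
        echo "same key: record still matches"
    else
        echo "same key: record does NOT match (unexpected)"; ok=1
    fi
    if tlsa_matches "$dir/renewed-new-key.pem" "$published"; then
        echo "new key:  record still matches (unexpected)"; ok=1
    else
        echo "new key:  record no longer matches, DANE validation would fail"
    fi
    rm -rf "$dir"
    return $ok
}

demo_reuse_key
```

Run tlsa_311 against /etc/letsencrypt/live/<lineage>/cert.pem before and after a renewal to confirm the published record still matches. If a key ever has to be rotated, publish the record for the new key alongside the old one first, and remove the old record only after the new certificate is in service.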

RSA Certificate

Create the RSA certificate:

$ sudo certbot certonly --domain maeve.example.net --key-type rsa \
    --cert-name maeve.example.net-rsa

ECDSA Certificate

Create the ECDSA certificate:

$ sudo certbot certonly --domain maeve.example.net --key-type ecdsa \
    --cert-name maeve.example.net-ecdsa

Pre Renewal Hook

/etc/letsencrypt/renewal-hooks/pre/ufw-open-ports:

#!/usr/bin/env bash
echo "Opening ports on the firewall for certificate renewal."
# The standalone authenticator answers the HTTP-01 challenge on port 80;
# port 443 is only needed if the tls-alpn-01 challenge is used instead.
ufw allow 80/tcp
ufw allow 443/tcp

Post Renewal Hook

/etc/letsencrypt/renewal-hooks/post/ufw-close-ports:

#!/usr/bin/env bash
echo "Closing ports on the firewall."
ufw delete allow 80/tcp
ufw delete allow 443/tcp

Deploy Hook

/etc/letsencrypt/renewal-hooks/deploy/keycertchain:

#!/usr/bin/env bash
umask 077   # the file holds private keys, never let it be created world-readable
echo "Concatenating key, cert and chain of both lineages into a single file."
# Both lineages go into the one file (Postfix accepts several key/chain pairs in
# smtpd_tls_chain_files); writing only ${RENEWED_LINEAGE} would let the RSA and ECDSA deploys overwrite each other.
for lineage in /etc/letsencrypt/live/maeve.example.net-{rsa,ecdsa}; do
    cat "${lineage}/privkey.pem" "${lineage}/fullchain.pem"
done >/etc/postfix/chainfile.pem

/etc/letsencrypt/renewal-hooks/deploy/postfix-reload:

#!/usr/bin/env bash
echo "Reloading Postfix."
postfix reload
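The file handed to Postfix contains private keys, and with an RSA and an ECDSA lineage both deploy runs write the same path. The script below is an added example, not from the original page, from Certbot or from Postfix: it builds the chain file from any number of lineage directories with mode 0600 and an atomic rename, then checks the layout Postfix's smtpd_tls_chain_files expects (each private key directly followed by its certificate chain) before anything reloads Postfix. The lineage directories in the demo are constructed placeholders with dummy PEM blocks, not real keys; the paths are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): build and sanity-check the
# Postfix chain file from several Certbot lineages. Paths are illustrative;
# the demo lineages below are constructed placeholders, not real key material.
set -eu

# build_chainfile OUT LINEAGE_DIR... : concatenate privkey.pem + fullchain.pem
# of every lineage into OUT. The file carries private keys, so it is created
# with mode 0600 and renamed into place, never left half-written.
build_chainfile() {
    out=$1; shift
    umask 077
    tmp=$(mktemp "$(dirname "$out")/.chainfile.XXXXXX")
    for lineage in "$@"; do
        cat "$lineage/privkey.pem" "$lineage/fullchain.pem"
    done >"$tmp"
    mv "$tmp" "$out"
}

# check_chainfile FILE NPAIRS : FILE must be mode 0600, contain NPAIRS private
# keys, and every key must be directly followed by a certificate block.
check_chainfile() {
    file=$1; want=$2
    [ -n "$(find "$file" -perm 600)" ] || { echo "$file: not mode 0600"; return 1; }
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$file" || true)
    [ "$keys" -eq "$want" ] || { echo "$file: $keys keys, expected $want"; return 1; }
    awk '/END .*PRIVATE KEY/ { need = 1; next }
         need && !/BEGIN CERTIFICATE/ { bad = 1 }
         { need = 0 }
         END { if (need) bad = 1; exit bad }' "$file" \
        || { echo "$file: a private key is not followed by its certificate"; return 1; }
}

# make_fake_lineage DIR LABEL : constructed stand-in for a Certbot lineage
# directory, with placeholder PEM blocks instead of real keys and certificates.
make_fake_lineage() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$2" '-----END PRIVATE KEY-----' >"$1/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$2" '-----END CERTIFICATE-----' >"$1/fullchain.pem"
}

# Build a chain file from two fake lineages and verify it; returns the check's status.
demo() {
    base=$(mktemp -d)
    make_fake_lineage "$base/live/maeve.example.net-rsa" "RSA-PLACEHOLDER"
    make_fake_lineage "$base/live/maeve.example.net-ecdsa" "ECDSA-PLACEHOLDER"
    build_chainfile "$base/chainfile.pem" \
        "$base/live/maeve.example.net-rsa" "$base/live/maeve.example.net-ecdsa"
    status=0
    check_chainfile "$base/chainfile.pem" 2 && echo "chainfile OK, safe to reload Postfix" || status=$?
    rm -rf "$base"
    return $status
}

demo
```

In the real hook, call build_chainfile /etc/postfix/chainfile.pem /etc/letsencrypt/live/maeve.example.net-rsa /etc/letsencrypt/live/maeve.example.net-ecdsa and only reload Postfix when check_chainfile succeeds. Scripts under /etc/letsencrypt/renewal-hooks/ must be executable, and Certbot runs the ones in a directory in alphabetical order, which is why keycertchain runs before postfix-reload.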