Scenario

You have some webservers or mailservers in your LAN which you want to work with the Let’s Encrypt SSL service. It provides the creation of free SSL certificates which are known by most browsers.

The only drawback is, they are valid for only 90 days. So if you do not want to renew manually every 3 months, you can automate most parts of the process.

In this tutorial, we will create a certificate server which provides always up-to-date certificates, so they can be fetched by other servers in your LAN.

Steps

Certbot, the LetsEncrypt utility for getting certificates e.g. under Ubuntu, basically needs an open outgoing Port 80 TCP, and also an incoming Port 80 TCP. I didn’t want to open outgoing internet for all of the servers, so I decided to create a separate LetsEncrypt certificate server which runs certbot regularly.

Create a new Ubuntu Server virtual machine: Default setup, install Samba/CIFS, Apache2 and certbot.

Configure:

  • Apache’s ports.conf and 000-default.conf to only listen on port 81, docroot: /share
    • (Do not use port 80 because certbot needs it later)
  • Samba’s smb.conf: Add a public read-only share “certs” for /share

You might already have another Apache webserver running which listens on your router’s public port 80, so we have to redirect certain request from there to the new cert server.

Modify every virtual host config of Apache which needs SSL certificates like in this example:

Note: In this example, certbot always uses port 80! Make sure to consider all of your subdomains, e.g. also for your mailserver etc.

The following script can be run as a cronjob (crontab -e), it gets and renews the certificates from LetsEncrypt and creates password protected zip files for easy local distribution:

 

The main part is done, we should be able to get the certificate zip files via CIFS and browser (port 81).

Now we want the “client” servers to fetch the certificates from the local certs server.

Example script for an Ubuntu Apache webserver “client”

Make sure your Apache certificate config and the script’s certpath point to the same directory.

 

Example for MS Exchange 2010/2013/2016

This is not a functional Powershell script, but some useful commands to create one:

 

 

  [email protected]