DEVOPS

Pacman, Terraform, Auto renew certificates, and Letsencrypt with Certbot

DAVID ALVAREZ

DevOps Developer

Currently, our society is evolving faster and faster. Time is of the essence nowadays, so information should be accessible within a matter of seconds. Websites that take a long time to load, or searches that take too long to return results, make us nervous, and we end up abandoning the page or the search. We need answers quickly. Therefore, we have to automate these processes as much as possible, because (we) human beings make mistakes, but machines do not, or at least not for the time being… “I, Robot” 😉

In this article, I will show you how to renew Let’s Encrypt certificates automatically. This might sound a little bit boring… so I will use a simple Pacman game to grab your attention. Although it was developed as a support tool for non-technical people, it can be used in new projects, both for business and personal use. And it is only a mouse click away!

Technologies? Tools? Apps?

Technologies we’ll use:

  • AWS: Amazon Web Services provider.
  • EC2: compute instances on AWS.
  • ROUTE 53: Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service.
  • APACHE: the Apache HTTP Server Project is an open-source HTTP server for modern operating systems, including UNIX and Windows.
  • TERRAFORM (version v0.11): Terraform is a tool for building, changing and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers, as well as custom in-house solutions.
  • O.S. (version Ubuntu Xenial 16.04 LTS): Ubuntu is a free and open-source operating system and Linux distribution based on Debian.

Terraform

We can find the following definition on its official website (www.terraform.io): “Terraform is a tool for building, changing and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers, as well as custom in-house solutions”.

Features

Providers: the APIs Terraform talks to in order to perform the tasks you define. AWS, GCP, Microsoft Azure and OpenStack are examples of providers. You can find the full list here.

Infrastructure as code: you can (and I strongly recommend it) keep your source code in GitLab, Bitbucket, GitHub, SVN or any other repository hosting service to control changes, implement a FEATURE or fix a BUG. Moreover, it is really interesting because it gives you the opportunity to use CI/CD; some tools, such as GitLab, provide it out of the box. Infrastructure as code is also helpful when you want to deploy the same infrastructure in many different provider accounts.

Modules: Terraform modules help you structure your infrastructure definition. On GitHub you can find community modules to help you with your deployment. For example, you can use a Terraform module to create an RDS instance in AWS.

Infrastructure graphs: Graphviz lets you draw a graph from the infrastructure you have already defined. Adding a Graphviz graph to your README really helps people understand your infrastructure code.

  • Commands

    > terraform init

    It initializes the working directory: it loads the backend and downloads the associated provider plugins. The backend is where the so-called ‘state file’ is kept. It is crucial for Terraform that this state is never lost, so we usually store it in an S3 bucket.

    > terraform plan

    Run this before applying. It is very useful because it shows the changes Terraform is going to make to your infrastructure, compared with its current state.

    > terraform apply

    Applies changes to your chosen provider.

How To Install Terraform?

Official Website

Certbot

Certbot is a command-line client that obtains certificates from Let’s Encrypt (the issuing authority) and renews them automatically.

The SSL/TLS certificate it gives you has a three-month validity, and Certbot renews it automatically before that period ends.

Certbot was developed by the EFF (Electronic Frontier Foundation) as the ‘official client’ of the Let’s Encrypt certificate authority, but it also works with any CA that supports the ACME protocol (Automated Certificate Management Environment).

How does it work? A cron job runs periodically; if the certificate is close to expiring, it requests a new one from Let’s Encrypt, so the certificate is renewed before it expires. The tool can also configure Apache, Nginx, HAProxy or Plesk servers automatically with the obtained certificates.

In my experience, if you want greater control over it, I recommend first generating the certificates and then configuring their path on the machine yourself.

Let’s deploy Pacman!

5.1. Before deployment

  1. Configure your base variables: change the domain name in the templates file and in DNS.

     File: templates/init_update_machine.tpl

     Set the email and domains.

  2. Point the DNS of your domain to AWS Route 53 (you must own a domain from any registrar: GoDaddy, Gandi, OVH, etc.).

  3. AWS account: a user with the privileges required to create and destroy the resources defined in the Terraform files. You will access AWS through environment variables later on. In your terminal:

export AWS_ACCESS_KEY_ID=XXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=YYYYYYYYY
export AWS_DEFAULT_REGION=eu-west-1
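The pre-deployment steps above set the email and domains in templates/init_update_machine.tpl. The shell below is an added example, not the project's template, of how such a bootstrap can issue the certificate with Certbot's webroot authenticator and install the daily renewal job that the rest of the article relies on. The webroot path /var/www/html, the cron path /etc/cron.daily/certbot-renew, the `bootstrap` argument that guards the installing part, and the email and domain values are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the project's own templates/init_update_machine.tpl):
# helpers for a user-data bootstrap that obtains a Let's Encrypt certificate
# with Certbot's webroot authenticator and installs a daily renewal cron job.
# Assumptions (constructed for this example): Apache serves /var/www/html,
# the cron script lives at /etc/cron.daily/certbot-renew, and the email and
# domain values are placeholders to be replaced by the template.

CERTBOT_EMAIL="${CERTBOT_EMAIL:-admin@pacman.example}"                  # placeholder
CERTBOT_DOMAINS="${CERTBOT_DOMAINS:-pacman.example www.pacman.example}" # placeholder
WEBROOT="${WEBROOT:-/var/www/html}"

# Build the certbot command used for the first issuance. Each domain becomes
# its own -d flag; --non-interactive and --agree-tos keep it usable from
# user data, where nobody is around to answer prompts.
certbot_obtain_cmd() {
    email="$1"; shift
    cmd="certbot certonly --webroot -w $WEBROOT --non-interactive --agree-tos --email $email"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

# Write the renewal cron script. "certbot renew" only contacts Let's Encrypt
# when a certificate is close to expiry, and the deploy hook reloads Apache
# only when a certificate was actually replaced, so the new chain is served
# without restarting the web server on every run.
write_renew_cron() {
    path="$1"
    cat > "$path" <<'EOF'
#!/bin/sh
certbot renew --quiet --deploy-hook "systemctl reload apache2"
EOF
    chmod 0755 "$path"
}

# Entry point: installs and issues only when invoked as "bootstrap", so the
# file can also be sourced for its functions without touching the machine.
# On Xenial the certbot package is assumed to come from backports or the
# certbot PPA (assumption, not verified here).
if [ "${1:-}" = "bootstrap" ]; then
    apt-get update && apt-get install -y certbot
    # CERTBOT_DOMAINS is deliberately unquoted so each domain is a separate argument.
    eval "$(certbot_obtain_cmd "$CERTBOT_EMAIL" $CERTBOT_DOMAINS)"
    write_renew_cron /etc/cron.daily/certbot-renew
fi
```

Keeping the command builder separate from the part that runs it lets you inspect exactly what user data will execute (print it with `certbot_obtain_cmd "$CERTBOT_EMAIL" $CERTBOT_DOMAINS`) before the instance ever boots with it.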


5.2. Deploy

If you have configured everything… You are ready to deploy!

Simply run:

> terraform init
> terraform plan
> terraform apply

You’ll see an output similar to the one shown below:

Everything went so fast… Is it actually deployed?

To test it, wait until the DNS entries propagate, enter your domain and… Ta-da! You now have your SSL configured with the Pacman application running.

Good job!

Here is my GitHub page, where you can find this project: Pacman automatic cerbot

6.0 Testing Certificates & Logs

You can scan your website with the “Qualys SSL Server Test” and review the results.
You don’t trust me? 🙂  OK… You can run the daily cron jobs by hand to check that /etc/cron.daily/certbot-renew runs correctly and renews the certificate when due:

root@ip-10-0-1-179:~# run-parts --verbose /etc/cron.daily
run-parts: executing /etc/cron.daily/apache2
run-parts: executing /etc/cron.daily/apport
run-parts: executing /etc/cron.daily/apt-compat
run-parts: executing /etc/cron.daily/bsdmainutils
run-parts: executing /etc/cron.daily/certbot-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal
Keeping the existing certificate

-------------------------------------------------------------------------------
Certificate not yet due for renewal; no action taken.
-------------------------------------------------------------------------------
run-parts: executing /etc/cron.daily/dpkg
run-parts: executing /etc/cron.daily/logrotate


For more details, read the Certbot log:

cat /var/log/letsencrypt/letsencrypt.log
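Running the whole cron.daily directory by hand, as above, is a one-off check. As an added example (not from the article or its repository), the shell below packages two defender-side checks that a monitoring job can run instead of a human reading the log: it classifies Certbot's renewal output into a single status word, and it asks OpenSSL how close the deployed certificate is to expiring, which catches the case where the cron job runs fine but the certificate Apache actually serves is still ageing out. The “not yet due” phrase is taken from the output above; the success and failure phrases are assumed from Certbot's own messages, and the /etc/letsencrypt/live/<domain>/fullchain.pem layout and the 14-day threshold are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: post-renewal health checks.
#  - classify_renew_output: turns certbot's output into one word so an alert
#    can fire on "failed" instead of someone reading /var/log/letsencrypt.
#  - cert_expires_within: asks OpenSSL whether a certificate file expires
#    within N days (a cron job that never renews still exits 0).
# The "not yet due" wording is from the article's run-parts output; the
# success/failure phrases are assumed from certbot's messages. Paths and the
# sample output below are constructed for this example.

# Read certbot output on stdin; print one of: renewed, not-due, failed, unknown.
# "failed" wins over "renewed", which wins over "not-due".
classify_renew_output() {
    status=unknown
    while IFS= read -r line; do
        case "$line" in
            *"All renewal attempts failed"*|*"Attempting to renew cert"*"produced an unexpected error"*)
                status=failed ;;
            *"Congratulations, all renewals succeeded"*)
                [ "$status" = failed ] || status=renewed ;;
            *"not yet due for renewal"*)
                [ "$status" = unknown ] && status=not-due ;;
        esac
    done
    printf '%s\n' "$status"
}

# Return 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# openssl -checkend exits 0 only when the certificate is still valid after
# that many seconds; a missing or unreadable file is treated as a problem too.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -checkend "$secs" -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Constructed sample: what the article's run-parts invocation printed.
SAMPLE_NOT_DUE='Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal
Keeping the existing certificate'

# Check the live chain for a domain (assumed certbot layout under /etc/letsencrypt/live).
# Usage: check_live_cert pacman.example
check_live_cert() {
    cert="/etc/letsencrypt/live/${1}/fullchain.pem"
    if cert_expires_within "$cert" 14; then
        echo "WARNING: $cert expires within 14 days (or is missing); renewal is not keeping up"
        return 1
    fi
    echo "OK: $cert valid for more than 14 days"
}
```

Certbot also has a built-in rehearsal, `certbot renew --dry-run`, which exercises the full renewal flow against the Let's Encrypt staging environment without touching the live certificate; piping its output through classify_renew_output gives the same status word, so the check can be scheduled well before the real renewal window opens.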


Conclusion

Terraform and Amazon Web Services are two amazing tools. The key piece is the user data that Amazon lets you pass to EC2 instances. In addition, using Certbot for automatic renewal puts an end to expired certificates.

GitHub Repo

References

https://www.terraform.io/

https://certbot.eff.org/

https://letsencrypt.org/

https://www.exratione.com/2016/06/a-simple-setup-and-installation-script-for-lets-encrypt-ssl-certificates/

https://github.com/platzhersh/pacman-canvas
