11 May 2020

Using Let's Encrypt certificates with Oracle Cloud Load Balancer

If you are developing/testing an application, or if you want to save some money on your digital certificates, Let's Encrypt is probably your best option.

Let's Encrypt is a non-profit Certificate Authority (CA) that issues free certificates that are Domain Validated (DV).
Several big names sponsor this project, such as Cisco, Facebook, Mozilla, Akamai, to name a few.

The only catch is that the digital certificates are issued for only 3 months, and you must renew them before they expire. This can be a bit of a hassle, but fortunately we can automate the process of using these free certificates in Oracle Cloud Infrastructure (OCI).

OCI lets you create Load Balancers (LB), which can be used as... well, you guessed it, a load balancer, to spread the load over several servers (either HTTP or TCP). However, one of the other features an LB provides is SSL offloading, also called SSL termination.
SSL offloading moves the processing of the TLS handshake and the setup of the encrypted tunnel between the client and the webserver onto the Load Balancer, leaving the webservers with more free resources.

This holds as long as you don't want end-to-end encryption (E2EE), but that's another story.

In this post my intention is to show how to use free Let's Encrypt certificates and automatically renew and upload them to an OCI LB using the OCI CLI.

For this to happen there are three simple steps:
1 - Create a free Let's Encrypt certificate using the certbot tool
2 - Use the OCI CLI to update the Load Balancer with the certificate
3 - Automate the certificate renewal and upload to the Load Balancer

A physical or virtual machine can be used to accomplish this. Remember that Oracle Cloud offers two Always Free virtual machines. I will use one of these free virtual machines with Oracle Linux 7.8.

Let's assume you already have the OCI CLI correctly installed and configured (this is out of scope for this demo); in my case I'm using Dynamic Groups.

Let's also assume a Load Balancer has already been created and configured.


Step 1:
Install the EFF tool for managing certificates, certbot. I opted to download the latest version from the EFF website:
$ sudo wget -P /usr/local/bin/ https://dl.eff.org/certbot-auto
$ sudo chown root /usr/local/bin/certbot-auto

Let's make it executable:
$ sudo chmod +x /usr/local/bin/certbot-auto

Check that it is installed and working. The first time you run the script it will, depending on your OS and its update status, download and install all the dependencies:
$ certbot-auto --version
certbot 1.3.0


Step 2:
Now that certbot is installed, let's issue a certificate for the domain tls-example.com:
$ sudo certbot certonly --manual --preferred-challenges dns -d tls-example.com
Since these certificates are DV (Domain Validated), not OV (Organisation Validated) or EV (Extended Validation), you only have to prove you control the domain, and there are two methods to do that: a DNS challenge or an HTTP challenge.

In this case I will use the DNS challenge (--preferred-challenges dns). This means I will be given a TXT record to publish in my DNS, so I can prove I own, and have access to, the domain.
The HTTP method instead gives you a filename and its content; Let's Encrypt then connects to your website and checks for the existence of that file.

When you run this command, you'll be asked for an email address and to agree with the terms of service.

Once this is done, the TXT DNS record will be given to you:

Please deploy a DNS TXT record under the name
_acme-challenge.tls-example.com with the following value:
gWFQrKRpn4JZG5NvqYf0z8uoMmfbIDAYjQORHt_NISE

I use OCI DNS, so I just need to create the TXT record in the DNS management console:

[Screenshot: Oracle Cloud DNS management console]


After the DNS record has been created, don't forget to publish the changes, and give it a couple of seconds before pressing Enter on the command line, to make sure the record is available to be queried.
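As an added check that is not part of the original post, the following shell function polls DNS with dig until the _acme-challenge TXT value certbot printed is actually visible, so you can wait for it instead of guessing "a couple of seconds" before pressing Enter. It assumes dig is installed (the bind-utils package on Oracle Linux); the record name and value used in the example run are the ones shown above.

```shell
#!/bin/bash
# Poll DNS for the ACME TXT record before continuing the certbot prompt.
# Example code, not from the post or from certbot.
set -eu

# Prints the TXT values currently published for a name, one per line,
# with the surrounding quotes that dig prints removed. Pass a resolver
# (e.g. "@ns1.example-dns.net", an assumed name) as the second argument to
# ask a specific server instead of the system resolver.
lookup_txt() {
    dig +short TXT "$1" ${2:-} | tr -d '"'
}

# wait_for_txt NAME EXPECTED [ATTEMPTS] [SLEEP_SECONDS]
# Returns 0 as soon as EXPECTED is one of the TXT values for NAME,
# 1 if it never shows up within ATTEMPTS lookups.
wait_for_txt() {
    name="$1"; expected="$2"; attempts="${3:-10}"; pause="${4:-6}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        # -x: whole-line match, -F: treat the value literally (it contains '_')
        if lookup_txt "$name" | grep -qxF -- "$expected"; then
            echo "TXT record for $name is live" >&2
            return 0
        fi
        i=$((i + 1))
        [ "$i" -lt "$attempts" ] && sleep "$pause"
    done
    echo "TXT record for $name not visible after $attempts lookups" >&2
    return 1
}

# Usage with the record from the certbot prompt above:
#   wait_for_txt _acme-challenge.tls-example.com gWFQrKRpn4JZG5NvqYf0z8uoMmfbIDAYjQORHt_NISE
```

Seeing the record from your own machine is necessary but not sufficient: Let's Encrypt resolves the name from its own vantage points, so querying your zone's authoritative nameserver (second argument to lookup_txt) is the more reliable check, and a stale value from a previous attempt will still be listed until its TTL expires.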

If everything goes OK, you'll receive a message like:
 Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/tls-example.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/tls-example.com/privkey.pem
  Your cert will expire on 2020-07-23. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot-auto
  again. To non-interactively renew *all* of your certificates, run
  "certbot-auto renew"

Now we have the certificate and its private key on our virtual machine, all good!!


With the certificate and private key on our server, we now need to upload them to our cloud environment. For that we will use the script provided below, which uses the OCI CLI to upload the certificate and update the listener with it:

Download the full script here: Update_Certificate_in_LB.sh

Update the variables according to your needs: the Load Balancer OCID, the location of the OCI CLI, the name of the listener, etc.
My virtual machine is configured with Dynamic Groups (that's why the --auth option is there); if you are not using Dynamic Groups, comment out that line.
The script names the certificate with the current date. This makes it easier to track which certificate we are talking about.

Don't forget to run the script as root (or use sudo), since it needs to read the certificate and private key files in the Let's Encrypt directory.
After running the script, log in to the Oracle Cloud console and you should see the listener configured with your certificate.

3 - Automate the certificate renewal and upload to the Load Balancer

Step 1
Enable the certificate renewal timer by running the following command:
$ sudo systemctl enable --now certbot-renew.timer

And you should receive the following output:
Created symlink from /etc/systemd/system/timers.target.wants/certbot-renew.timer to /usr/lib/systemd/system/certbot-renew.timer.

Step 2
We need to upload the certificate to the LB automatically whenever it is renewed. To achieve this we copy the script used previously into /etc/letsencrypt/renewal-hooks/deploy/

This way, every time the certbot renew command runs and completes successfully, the scripts inside this folder are executed.

This script could be improved to remove the old certificates after a successful deployment of the new one, or to keep the previous version and delete only the older ones.
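Since the post's Update_Certificate_in_LB.sh is only linked, here is an added example of such an upload script, written to be dropped into /etc/letsencrypt/renewal-hooks/deploy/ as described in the two sections above. It is my own illustration, not the post's script. It uses the documented OCI CLI commands oci lb certificate create and oci lb listener update, and the RENEWED_LINEAGE variable that certbot exports to deploy hooks. The Load Balancer OCID, listener name, backend set name and the oci binary path are placeholders you must replace.

```shell
#!/bin/bash
# Hypothetical certbot deploy hook: upload the renewed Let's Encrypt certificate
# to an OCI Load Balancer and point the HTTPS listener at it.
# Example code, not the post's Update_Certificate_in_LB.sh. OCIDs and names are placeholders.
set -eu

OCI_BIN="${OCI_BIN:-oci}"                            # path to the OCI CLI, e.g. /root/bin/oci (assumption)
OCI_AUTH="${OCI_AUTH:-instance_principal}"           # Dynamic Group auth; set to "" to use ~/.oci/config instead
LB_OCID="${LB_OCID:-ocid1.loadbalancer.oc1..PLACEHOLDER}"   # placeholder, use your LB OCID
LISTENER_NAME="${LISTENER_NAME:-https-listener}"     # placeholder listener name
BACKEND_SET="${BACKEND_SET:-web-backend-set}"        # placeholder backend set name
LISTENER_PORT="${LISTENER_PORT:-443}"
DOMAIN="${DOMAIN:-tls-example.com}"
# certbot sets RENEWED_LINEAGE for deploy hooks; fall back to the live directory when run by hand
LINEAGE="${RENEWED_LINEAGE:-/etc/letsencrypt/live/$DOMAIN}"

# Certificate names must be unique per LB, so tag each upload with the date (YYYYMMDD).
new_cert_name() {
    printf '%s-%s' "$DOMAIN" "${1:-$(date +%Y%m%d)}"
}

# Refuse to continue if any PEM file certbot should have written is missing or unreadable
# (this is why the hook has to run as root).
check_lineage_files() {
    dir="$1"
    for f in fullchain.pem privkey.pem cert.pem chain.pem; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable $dir/$f" >&2; return 1; }
    done
}

# Single place that decides how the CLI authenticates.
oci_cmd() {
    if [ -n "$OCI_AUTH" ]; then
        "$OCI_BIN" --auth "$OCI_AUTH" "$@"
    else
        "$OCI_BIN" "$@"
    fi
}

deploy_certificate() {
    cert_name="$1"
    check_lineage_files "$LINEAGE"
    # 1. Upload leaf, chain and key as a new LB certificate resource (LB certificates are immutable).
    oci_cmd lb certificate create \
        --load-balancer-id "$LB_OCID" \
        --certificate-name "$cert_name" \
        --public-certificate-file "$LINEAGE/cert.pem" \
        --ca-certificate-file "$LINEAGE/chain.pem" \
        --private-key-file "$LINEAGE/privkey.pem" \
        --wait-for-state SUCCEEDED
    # 2. Re-point the listener. 'listener update' replaces the whole listener definition,
    #    so backend set, port and protocol must be restated, not just the certificate name.
    oci_cmd lb listener update \
        --load-balancer-id "$LB_OCID" \
        --listener-name "$LISTENER_NAME" \
        --default-backend-set-name "$BACKEND_SET" \
        --port "$LISTENER_PORT" \
        --protocol HTTP \
        --ssl-certificate-name "$cert_name" \
        --force \
        --wait-for-state SUCCEEDED
}

# Only act when invoked as "script deploy"; sourcing the file just defines the functions.
if [ "${1:-}" = "deploy" ]; then
    deploy_certificate "$(new_cert_name)"
fi
```

The hook file must be executable (chmod +x) or certbot will skip it, and it runs with root privileges under the systemd timer, so keep it owned by root and not group- or world-writable. Once the listener no longer references an older certificate, it can be removed with oci lb certificate delete, which is the clean-up step the post suggests adding.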

Have a great day and keep clouding ;-)

Oracle Cloud Free Trial account:
If you don't have an Oracle Cloud Infrastructure account, sign up for a free trial and get US$300 in free credits: https://www.oracle.com/cloud/free/
