ThinLinc and Let's Encrypt/certbot | ThinLinc by Cendio

ThinLinc and Let's Encrypt/Certbot

This tutorial shows how to obtain fully functional certificates from Let's Encrypt for use with ThinLinc's Web Access and Web Administration. Our goal is to avoid things looking like this for users:

We are using Red Hat Enterprise Linux 7 in this example, but most steps will be the same or similar for other distributions.

1. The first step is installing certbot, the most common tool for fetching certificates from Let's Encrypt. For Red Hat Enterprise Linux 7 it is available from the EPEL community repository, so we start by enabling that:

$ sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

After that it is possible to install certbot using yum:

$ sudo yum install certbot

If your distribution doesn't have certbot packaged then you can download it directly from https://certbot.eff.org/.

2. Next we make the initial certificate request to Let's Encrypt. First make sure that the HTTP and HTTPS ports are available for certbot: with the standalone method described here, no other web server can be running on them. Also check that the firewall does not block these ports. On Red Hat this is controlled using the "Firewall Configuration" tool:

At this point we are ready to let certbot do its thing:

$ sudo /usr/bin/certbot --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
With the standalone plugin, you probably want to use the "certonly" command, eg:

    certbot certonly --standalone

(Alternatively, add a --installer flag. See https://eff.org/letsencrypt-plugins
 and "--help plugins" for more information.)
[root@rhel7-vmware sysconfig]# certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): hostmaster@thinlinc.com
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): certdemo.thinlinc.com
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for certdemo.thinlinc.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/certdemo.thinlinc.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/certdemo.thinlinc.com/privkey.pem
   Your cert will expire on 2018-02-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3. We now have fully functional certificates! So let's make sure ThinLinc starts using them:

$ sudo /opt/thinlinc/bin/tl-config /webaccess/cert=/etc/letsencrypt/live/certdemo.thinlinc.com/fullchain.pem
$ sudo /opt/thinlinc/bin/tl-config /webaccess/certkey=/etc/letsencrypt/live/certdemo.thinlinc.com/privkey.pem
$ sudo /usr/bin/systemctl restart tlwebaccess.service
$ sudo /opt/thinlinc/bin/tl-config /tlwebadm/certkey=/etc/letsencrypt/live/certdemo.thinlinc.com/privkey.pem
$ sudo /opt/thinlinc/bin/tl-config /tlwebadm/cert=/etc/letsencrypt/live/certdemo.thinlinc.com/fullchain.pem
$ sudo /usr/bin/systemctl restart tlwebadm.service

This is also a good time to make sure that /vsmagent/agent_hostname is properly configured:

$ sudo /opt/thinlinc/bin/tl-config /vsmagent/agent_hostname=certdemo.thinlinc.com
$ sudo /usr/bin/systemctl restart vsmagent.service

Unfortunately there is currently a bug in ThinLinc that prevents it from reading the private key generated by certbot. To work around it we have to set more restrictive permissions on the key:

$ sudo /usr/bin/chmod go-r /etc/letsencrypt/live/certdemo.thinlinc.com/privkey.pem

At this point you should be able to access ThinLinc Web Access and Web Administration with a fully approved certificate:

Automatic certificate renewal

Although we now have a proper certificate for our server, it will not stay that way by itself. The certificate will at some point expire and be rejected by browsers. Let's Encrypt certificates are also short-lived, so we must set up a mechanism that automatically renews the certificate when needed.

Fortunately certbot has exactly such a feature built in. Unfortunately the packaging differs between distributions, so we will first go through how to do it on Red Hat, followed by a more general method.

Using Red Hat specific scripts

The Red Hat certbot package includes a systemd timer that will renew certificates when needed. So all we need to do is enable that timer:

$ sudo /usr/bin/systemctl enable certbot-renew.timer
$ sudo /usr/bin/systemctl status certbot-renew.timer

Unfortunately the ThinLinc bug mentioned earlier causes problems here as well, since each renewal writes a new private key with default permissions. So we need to add a helper script to certbot. Create the file /usr/sbin/deployhook with the following contents:

#!/bin/bash
# certbot sets RENEWED_LINEAGE to the live/<domain> directory of the renewed certificate
/usr/bin/chmod go-r "$RENEWED_LINEAGE/privkey.pem"

Make sure this file is executable:

$ sudo /usr/bin/chmod a+x /usr/sbin/deployhook

This script performs the necessary permission change every time a certificate is renewed. The remaining step is to make sure certbot calls it, which is done by editing the file /etc/sysconfig/certbot:

...
#
# An example to run a script to alert each cert would be:
# RENEW_HOOK="--renew-hook /usr/local/bin/cert-notifier.sh"
RENEW_HOOK="--deploy-hook /usr/sbin/deployhook"

# Any other misc arguments for the renewal
# See certbot -h renew for full list
...

General method

In short, we just need to make sure the command certbot renew is run once a day. The most foolproof way of doing this is the classic cron service. Create the file /etc/cron.d/certbot (entries in this directory include a user field, here root):

12 2 * * * root /usr/bin/certbot renew --quiet

Remember to tell crond to reload the configuration:

$ sudo /usr/bin/systemctl reload crond.service

As with the Red Hat method, we need to provide a workaround for the ThinLinc bug. Create the same /usr/sbin/deployhook as in the previous section and modify /etc/cron.d/certbot:

12 2 * * * root /usr/bin/certbot renew --quiet --deploy-hook /usr/sbin/deployhook
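A more defensive version of the deployhook used by both the systemd timer and the cron variants above, added here as an example and not part of Cendio's tutorial: it quotes the certbot-supplied RENEWED_LINEAGE path, verifies that the chmod actually removed group/other read access (following the live/ symlink), and checks that the renewed key and certificate belong together. It assumes GNU find and openssl are installed.

```bash
#!/bin/bash
# Hypothetical hardened variant of the page's /usr/sbin/deployhook (added example,
# not Cendio's script). certbot's --deploy-hook runs it once per renewed lineage
# with RENEWED_LINEAGE set to the live/<name> directory holding the new files.

# Drop group/other read permission from the renewed private key and verify the
# result. Returns 0 only if no g/o read bit remains, 2 if the key is missing.
fix_key_perms() {
    key="$1/privkey.pem"
    [ -f "$key" ] || { echo "deployhook: missing $key" >&2; return 2; }
    chmod go-r "$key" || return 1
    # GNU find with -L follows the live/ symlink and prints the path if any of
    # the 044 bits (g+r, o+r) is still set on the real key file.
    [ -z "$(find -L "$key" -perm /044 2>/dev/null)" ]
}

# Confirm that fullchain.pem and privkey.pem belong together by comparing the
# public key embedded in each (assumes openssl is installed).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# When invoked by certbot, act on the renewed lineage; exit non-zero on any
# problem so that certbot reports the failed hook instead of staying silent.
if [ -n "$RENEWED_LINEAGE" ]; then
    fix_key_perms "$RENEWED_LINEAGE" || exit 1
    key_matches_cert "$RENEWED_LINEAGE" || {
        echo "deployhook: key does not match certificate in $RENEWED_LINEAGE" >&2
        exit 1
    }
fi
```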