Let's Encrypt, Kazoo It! and Cloudflare

I've heard of Let's Encrypt for a while but never spent time to try it out until recently. Here is my experience for getting a certificate for this blog.

I first went with the official client known as certbot. Ran it on a Debian VPS that hosts this blog. Right away it checked and wanted to update all Debian packages that required update. If I wanted to skip this process, I've to specify --no-bootstrap. I haven't updated my Debian system for a while, so the list of update looks horrible. ctrl-c was my immediate response.

Repeated with --no-bootstrap. Now it reported missing Python. I installed Debian package "python-minimal" which was a download of tens of of megabyte. Repeated certbot. Now it reported some missing Python libraries. I tried to get those and stopped right after apt-get told me the size after installation will be over a few hundred megabytes. Unwind everything. Goodbye certbot.

Quite horrible experience so far.

Gave up Let's Encrypt? Surely there would be people alike thinking of alternative ways. Indeed. Google turned up dehydrated. I liked the idea - a client only using Bash. I didn't try because another contestant showed up at the same time. That's it, acme.sh.

The elegant solution

acme.sh is a Bash-only client and lots of people praise about it. Cloudflare manages my domain. Below is what I did to get a Let's Encrypt certificate using Cloudflare DNS verification.

Install acme.sh

$ curl https://get.acme.sh | sh

Get the certificate

$ export CF_KEY=<my cloudflare global API key>
$ export CF_Email=<my email address with CF>
$ acme.sh --issue -d kazoo.ga -d <subdom1>.kazoo.ga -d <subdom2>.kazoo.ga --dns dns_cf

I found the CF global API key from CF portal under "My Settings > Global API key". --dns dns_cf command line option indicates using DNS based domain verification.

Let's Encrypt accepts multiple ways to verify a domain indeed under your ownership. DNS verification gives me flexibily to run issue/renewal client on a different machine than the host with the domain name. I ran the above commands from my AP (RT-AC56U)! Here is the local repository where acme.sh stores the certificate:

Your cert is in  /jffs/.acme.sh/kazoo.ga/kazoo.ga.cer  
Your cert key is in  /jffs/.acme.sh/kazoo.ga/kazoo.ga.key  
The intermediate CA cert is in  /jffs/.acme.sh/kazoo.ga/ca.cer  
And the full chain certs is there:  /jffs/.acme.sh/kazoo.ga/fullchain.cer  

From setup to finish, it's less than 15 minutes. The above example is a vanilla use case taken from acme.sh's how to install page. The certificate was issued to kazoo.ga with Subject Alternative Names (SAN) including the domain itself and two other sub-domains I provided as part of -d command line options.

kazoo.ga's certificate issued by Let's Encrypt

acme.sh takes up less than 400kbyte disk space. It also configures a daily cron job that checks your local repository for any Let's Encrypt certificates requiring renewal. It'll renew at 80th day - ten days before the 90-day expiry period of all Let's Encrypt certificates.

The ugly bit about HTTPS sites protected by CF

For free-tier users, Cloudflare does not allow the sites to present their own certificates to end users. CF uses its certificate known as "Universal SSL" certificate instead. It's basically a wildcard certificate owned by CF and accommodates many domain names under its SANs. You can view this site's "Universal SSL" cert by clicking the padlock in Safari or press ctrl-shift-I in Chrome (Windows) or cmd-option-I in Chrome (Mac).

Here is the deal. Traffic between my site and Cloudflare will be encrypted with my own certificate. CF decrypts the content, cache it and re-encrypts with CF's Universal SSL cert and delivers to you. End users see the "Universal SSL" cert at the end.

Now comes the uglier part for HTTPS sites routed through Cloudflare. For sites using CF's "Universal SSL", end users are only guaranteed the leg between CF and the user's PC is encrypted. They cannot tell if the leg between the site and CF is encrypted or not. It hugely depends on the site owner's vigilance to configure SSL on his/her server as well as turning on appropriate knobs in Cloudflare panels ("Full SSL" or "Full SSL - strict" are recommended under Crypto panel).

So don't trust the green padlock for uploading sensitive data to such sites. Nevertheless, kazoo.ga is fully encrypted end-to-end (between the site and CF, and between CF and you). Also no sensitive data is being asked. Enjoy your stay.


Stephen Yip

Something about you know. Come and share.

comments powered by Disqus