Letsencrypt on Debian 10 – switching to new ‘snap’ based Certbot

Official instructions: https://certbot.eff.org/lets-encrypt/debianbuster-nginx

If you’ve upgraded a machine to Debian 10 (Buster) or later you’ll see a warning like this:

/etc/cron.weekly/certbot:
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.

Certbot, the tool for updating Let’s Encrypt certificates, is now distributed via Snap.  If you haven’t heard of it, Snap is a new package format – the point is that it’s more cross-platform – so a single package will currently support Ubuntu, Debian, Fedora, Arch Linux, Manjaro, and CentOS/RHEL.

This means you need to:

Then, typically, you already have a weekly cron file that calls certbot to renew the certificates and restarts your Apache or Nginx server (the latter step is important because otherwise it’ll keep serving a cached copy of the old certificate, which will eventually expire).

Here’s the (old) contents of my /etc/cron.weekly/certbot:

#!/bin/bash
/home/william/letsencrypt/certbot-auto renew
service nginx reload

You need to remove the line calling certbot-auto, but leave the one restarting nginx once a week.  You might choose to rename the cron file or add a comment to make it clearer to your future self why it’s needed.

Next, check snap is up to date:

sudo snap install core; sudo snap refresh core

Install the certbot package:

sudo snap install --classic certbot

Then you can test a manual update, for example:

sudo certbot certonly --nginx

(on the interactive version you’re presented with a list of sites to choose from)

Finally, do a renewal “dry-run” to check for problems:

sudo certbot renew --dry-run

The key points about dry-runs:

  • they use the Let’s Encrypt staging environment, so you don’t hit rate limits
  • therefore, real certificates aren’t requested or saved
  • it’s basically testing that the Let’s Encrypt end is able to handshake successfully with your server, that certbot can write files to the correct places, etc.

Renewals

Renewals can use one of three methods: crontab, cron files or systemctl timers.

On the servers I’ve installed so far, certbot has automatically set up a timer. You can verify it has by running systemctl as follows:

$ systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Mon 2021-02-15 12:12:00 GMT 1h 43min left Mon 2021-02-15 07:57:03 GMT 2h 31min ago snap.certbot.renew.timer snap.certbot.renew.service

So certificate refreshes will happen automatically, but remember you need to handle regularly restarting your web server (and weekly is as good an interval as any to do that).

Here’s another link to the documentation:
https://certbot.eff.org/lets-encrypt/debianbuster-nginx

Drupal 6 Nginx config fragment

Here, for anyone needing to host a D6 LTS site, is a working Nginx fragment (tested with Nginx 1.10.3).

You can reuse your standard Drupal 8 config for everything else (e.g. images, protecting private files and so on).

# Drupal 6 LTS
index index.php;

location / {
    if (!-e $request_filename) {
       rewrite ^/(.*)$ /index.php?q=$1 last;
    }
}

Ordinarily, for modern Drupal sites, I’d use the following standard try_files statement, but I couldn’t get it to serve D6 subpages correctly (it just redirects to the homepage, even with the q=… added – email me if you know why).

# Drupal 8
location / {
    try_files $uri /index.php?$query_string;
}


HowTo: Nginx with HTTP2 support on Debian Jessie

The original problem:

  • SPDY has been replaced by HTTP2, which is better in a number of ways
  • As of June 2016, Chrome has dropped support for SPDY
  • HTTP2 uses ALPN
  • ALPN requires OpenSSL 1.0.2
  • Debian Stable (aka Jessie aka v8) and other OSes only had 1.0.1

What’s changed:

Procedure:

  • Add jessie-backports and jessie-nginx-http2 (ansible playbook)
  • Upgrade openssl from the correct place: sudo apt-get install -t jessie-backports openssl
  • sudo apt-get install nginx-full (which should pull in various libnginx-mod packages)
  • Change any references in your Nginx config files from spdy to http2
  • Run sudo nginx -t to verify the configuration is valid
  • Start server

Verify HTTP2 is working (Chrome or Opera):

Developer Tools, Network tab, reload page, enable the Protocol column, look for H2, which means HTTP2.
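A scripted version of two checks from these posts, added here as an example (not from the original posts or from certbot): it completes a TLS handshake offering h2, reports which protocol the server chose via ALPN (the same thing the Protocol column shows in Chrome), and compares the SHA-256 fingerprint of the certificate actually served with the leaf certificate in a fullchain.pem on disk, which catches the “nginx still serving the cached old certificate” case from the certbot post. Only the Python standard library is used; the host and file path are command-line arguments, and the sample PEM bundle is constructed placeholder data, not a real certificate.

```python
import base64
import hashlib
import socket
import ssl
import sys

# Constructed fullchain.pem-style input: leaf first, issuer second.
# The bodies are placeholder base64 ("leaf", "issuer"), not real certificates.
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nbGVhZg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\naXNzdWVy\n-----END CERTIFICATE-----\n"
)

def leaf_der(fullchain_pem: str) -> bytes:
    """Return the first (leaf) certificate of a PEM bundle as DER bytes."""
    lines = [l.strip() for l in fullchain_pem.splitlines()]
    start = lines.index("-----BEGIN CERTIFICATE-----")
    end = lines.index("-----END CERTIFICATE-----", start)
    return base64.b64decode("".join(lines[start + 1:end]))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def served_matches_disk(served_fp: str, fullchain_pem: str) -> bool:
    """True when the served certificate is the leaf of the on-disk bundle."""
    return served_fp == fingerprint(leaf_der(fullchain_pem))

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake offering h2 first; return the ALPN choice and the served
    certificate's fingerprint. A None ALPN means no HTTP/2 via ALPN."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            served = tls.getpeercert(binary_form=True)
            return {"alpn": tls.selected_alpn_protocol(),
                    "fingerprint": fingerprint(served)}

if __name__ == "__main__":
    # Usage: python3 tlscheck.py example.com /etc/letsencrypt/live/example.com/fullchain.pem
    host, path = sys.argv[1], sys.argv[2]
    result = probe(host)
    with open(path) as f:
        on_disk = f.read()
    print("ALPN:", result["alpn"] or "none (no HTTP/2 via ALPN)")
    print("served cert matches fullchain.pem:",
          served_matches_disk(result["fingerprint"], on_disk))
```

If the script reports a mismatch after a renewal, the web server has not been reloaded since certbot wrote the new certificate.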

Extra step for LetsEncrypt / Certbot compatibility:

A few days after doing this I got the following error when my weekly cronjob for renewing LetsEncrypt certificates ran:

    build/temp.linux-x86_64-2.7/_openssl.c:415:30: fatal error: openssl/opensslv.h: No such file or directory
     #include <openssl/opensslv.h>

And on running it manually I had this:

The following packages have unmet dependencies:
 libssl-dev : Depends: libssl1.0.0 (= 1.0.1t-1+deb8u6) but 1.0.2k-1~bpo8+1 is to be installed
 Recommends: libssl-doc but it is not going to be installed

The solution was just to pull in libssl-dev from jessie-backports too:

apt-get install -t jessie-backports libssl-dev

Note, in my case, I have a git clone of certbot rather than a packaged version, though it is now available as a backport for Debian Jessie.

Chrome, SPDY, HTTP/2, Nginx, NPN, ALPN, OpenSSL and Debian

Mattias Geniar has written this up in some detail, but to summarise:

Nginx 1.10 (the new major, stable version) has replaced SPDY with HTTP/2. But as of this week, Chrome now only supports HTTP/2 using ALPN.  ALPN requires OpenSSL 1.0.2.  But stable Debian (and CentOS, and other flavours of Linux) only have 1.0.1 and, right now (it seems to me) there’s not a lot of hope Debian will back-port the new version: many other services also use OpenSSL, and they’d all need to be checked/updated…

If you’re using DotDeb on Jessie (aka Debian 8), the nginx packages (nginx nginx-common nginx-full etc.) will be held back when running apt-get upgrade.

What should I do?  Updated – SOLUTION AVAILABLE! (2 March 2017) A newer OpenSSL has been backported.  You need to add some extra repositories and use a special command to install it, but that’s it. Full Instructions