schobes blog

Let's Encrypt - Mojo::ACME

Written by schobes on

Wow, it has been quite a while.

So apparently since the last time we spoke StartSSL got in trouble with the major browsers because it was still issuing SHA-1-signed certificates after the stated cutoff date. To make matters worse, they forged the issuance date in an attempt to remain on SHA-1.

Of course, here at CodeRiot.com, we got caught up in this issue, as we were using StartSSL (StartCOM) as our SSL certificate vendor. We had been planning on moving to Let's Encrypt for some time, but given the browsers were now displaying CodeRiot.com as insecure, the change had to be made.

Enter Mojo::ACME! This module made it super easy to request and receive certificates. I would like to provide some details on how we did this and why it was so easy.

First, the necessary research. We turned to Joel Berger's Super Easy SSL Certs for Mojolicious Apps. After testing his example application, we were able to use the Let's Encrypt staging server to get everything tested before attempting it in production.

Contents of myapp.pl:

#!/usr/bin/env perl
use Mojolicious::Lite;
plugin 'ACME';
get '/' => {text => 'Hello World'};
app->start;

We then generated our test account key (the -t option selects the Let's Encrypt staging server) with the following command:

$ ./myapp.pl acme account register -t -a account.key
Writing account.key

So we have a registered account. Now we need to make sure our Mojo app is reachable under our domain on port 80, since Let's Encrypt fetches the challenge over plain HTTP. Since we use NGINX as a reverse proxy, it is pretty simple: only the challenge path is forwarded to the app.

## acme
location /.well-known/acme-challenge/ {
    proxy_pass http://127.0.0.1:8443;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto "http";
}

Then we start up our application, listening only on the loopback address that NGINX proxies to:

$ ./myapp.pl --listen=http://127.0.0.1:8443

With our Mojo app running behind our reverse proxy we can now generate our SSL key and certificate using the test account:

$ ./myapp.pl acme cert generate -t -a account.key -n www.coderiot.com \
  -d www.coderiot.com -d coderiot.com
Writing www.coderiot.com.key
Writing www.coderiot.com.crt

Amazing! We have successfully tested this and can now produce the real key and certificate by running the same two commands without the -t option (the staging account is not valid against the production server, so the account must be registered again as well).

We turned this into a full-blown Mojo app (instead of Mojolicious::Lite). This way we can handle more domains and add code for automation (Minion + cron anyone?).

Stay tuned for updates about how to automate all of this.
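As an added example (not code from this post or from Mojo::ACME), here is what a cron-driven renewal check along those lines could look like. It assumes the myapp.pl and account.key from above, run from the application directory with a production account (registered without -t); the domain list, the 30-day threshold, the ACME_STAGING switch and the nginx reload command are all assumptions to adapt.

```perl
#!/usr/bin/env perl
# Added example (not from the original post): cron-driven renewal check for
# certificates issued with the Mojo::ACME commands shown above. Assumes the
# post's myapp.pl and a production account.key in the current directory.
use strict;
use warnings;

# Constructed list: certificate name => domains to put in the certificate.
my %sites = (
    'www.coderiot.com' => [qw(www.coderiot.com coderiot.com)],
);

my $threshold_days = 30;                            # renew when fewer days remain
my $staging        = $ENV{ACME_STAGING} ? 1 : 0;    # set for a dry run against staging
my $reload_cmd     = 'sudo systemctl reload nginx'; # assumption: systemd-managed host

for my $name (sort keys %sites) {
    my $crt = "$name.crt";

    # Skip certificates that still have plenty of validity left, so the
    # production server is only contacted when a renewal is actually due.
    if (-e $crt && !expires_within($crt, $threshold_days)) {
        print "$name: more than $threshold_days days left, skipping\n";
        next;
    }

    # Same command as in the post; -t is only added for staging dry runs.
    my @cmd = ('./myapp.pl', 'acme', 'cert', 'generate',
               ($staging ? '-t' : ()), '-a', 'account.key', '-n', $name);
    push @cmd, '-d', $_ for @{ $sites{$name} };

    print "$name: renewing (@cmd)\n";
    system(@cmd) == 0 or die "cert generate failed for $name: $?";

    # Make sure what was written parses as a certificate before nginx loads it.
    system('openssl', 'x509', '-noout', '-in', $crt) == 0
        or die "$crt is not a parsable certificate";

    system($reload_cmd) == 0 or die "nginx reload failed: $?";
}

# True if the certificate in $crt expires within $days days.
# openssl's -checkend takes seconds and exits 0 while the cert stays valid,
# non-zero once it would have expired (or if the file cannot be read, which
# also triggers a renewal attempt here).
sub expires_within {
    my ($crt, $days) = @_;
    my $secs = $days * 24 * 60 * 60;
    return (system('openssl', 'x509', '-checkend', $secs, '-noout', '-in', $crt) >> 8) != 0;
}
```

Run it from cron while the application is listening on 127.0.0.1:8443 behind NGINX, because the renewal challenge is served by the running app. Only contacting the production server when a certificate is close to expiry keeps the job well inside Let's Encrypt's issuance rate limits, and ACME_STAGING gives a -t dry run for testing changes. After a renewal, also check the permissions of the written .key file: it should be readable only by the user NGINX loads it as.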
