Cisco CloudCenter: Using ‘Let’s Encrypt’

Dimitrij Gorodeckij - 24th July 2017

Before Let's Encrypt was made available to webmasters, obtaining a certificate for https meant spending a fair sum of money with trusted certificate authorities to gain the ability to encrypt traffic for your website. A self-signed certificate will work, but in a web browser you always need to add an exception before opening a link, and this does get annoying. In this article, I want to explain how easy it is to use a Let's Encrypt SSL certificate with the CloudCenter Manager instance web GUI.

Let's Encrypt has completely changed the process of adding a certificate to your website. Not only have they made access to a certificate completely free, they've also made sure that both installing and updating your certificate are as simple as possible. This means website owners can offer the benefits of https to their site visitors without spending extra cash. As a result, the traffic going to any website using Let's Encrypt is, in essence, protected.

For a CCM that is based on a Linux server (CentOS 7), for example, we can rely on the EFF's Certbot to install a Let's Encrypt certificate by simply copying and pasting a few lines of code. I will demonstrate below how easily this can be done. But before we start, we need to have a domain name. If you don’t have one set up yet, you can register one for free with the service provider Freenom.

Freenom provides DNS resolution and domains. As the second largest domain provider, Freenom operates a large AnyCast infrastructure providing authoritative DNS services for TK, ML, GA, CF and GQ domains. This infrastructure is already in place, and it's a no-brainer to also offer DNS resolution services on it for free. Freenom World's DNS resolvers are always close by and fast. The first 12 months are free (later you can extend for another 12 months, again for free). Select a suggested domain name for your CCM instance and point it to your instance's public IP. Changes will be in place in 30 minutes.

Once you have your domain sorted, let’s ssh to our CCM instance and install certbot:

yum -y update

yum -y install epel-release

yum install certbot

Once you have done this, you need to run it and provide the root folder of the web page (a check is run to verify that you are the owner of the domain and of the server with the associated IP address):

certbot certonly --webroot -w /usr/local/apache-tomcat-8.0.29/webapps/ROOT -d myccmdomain.tk

Now we need to grant read permissions on the directory where the certificates are saved:

chmod -R ugo+r /etc/letsencrypt/

After this, we need to edit the Tomcat configuration file at this path:

/usr/local/apache-tomcat-8.0.29/conf/server.xml

Replace

SSLCertificateFile="${catalina.base}/conf/ssl/example.com.crt"

with SSLCertificateFile="/etc/letsencrypt/live/myccmdomain.tk/fullchain.pem"

and replace SSLCertificateKeyFile="${catalina.base}/conf/ssl/example.com.key"

with SSLCertificateKeyFile="/etc/letsencrypt/live/myccmdomain.tk/privkey.pem"

Let’s Encrypt provides certificates that are valid for 3 months, after which you will need to renew them. It is recommended to add the following routine into cron:

crontab /etc/crontab
crontab -e
0    3  1  */3 * certbot renew --quiet
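
The cron fields above match day 1 of months 1, 4, 7 and 10, while certbot renew only replaces a certificate that is within 30 days of expiry (its default) and each new certificate lasts 90 days. The simulation below is an added example, not part of the original article; the issue date and date range are constructed, and it replays that schedule next to a daily job to show where an expired certificate would be served.

```python
from datetime import date, timedelta

LIFETIME = timedelta(days=90)      # validity of a Let's Encrypt certificate
RENEW_WINDOW = timedelta(days=30)  # certbot default: renew only this close to expiry


def quarterly_runs(start, end):
    """Dates matched by the cron fields '1 */3': day 1 of months 1, 4, 7, 10."""
    d = start
    while d <= end:
        if d.day == 1 and d.month in (1, 4, 7, 10):
            yield d
        d += timedelta(days=1)


def daily_runs(start, end):
    """Dates matched by a job that runs once every day."""
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)


def simulate(issued, runs):
    """Replay 'certbot renew' on each run date (simplified model, whole days).

    Returns (expired_on, renewed_on) pairs for every period in which the
    server was left with an expired certificate.
    """
    not_after = issued + LIFETIME
    gaps = []
    for today in runs:
        if not_after - today >= RENEW_WINDOW:
            continue                  # not yet due: certbot leaves the cert alone
        if today > not_after:
            gaps.append((not_after, today))
        not_after = today + LIFETIME  # a successful renewal starts a new 90 days
    return gaps


if __name__ == "__main__":
    issued, end = date(2017, 7, 24), date(2018, 12, 31)  # constructed dates
    for expired, renewed in simulate(issued, quarterly_runs(issued, end)):
        print(f"expired {expired}, not renewed until {renewed}")
    print("gaps with a daily job:", simulate(issued, daily_runs(issued, end)))
```

A job that runs daily leaves no gap in this model, because certbot renew does nothing until a certificate is inside the renewal window.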
 

That’s all. After navigating to your domain, you should see that it is now accessible over https.
