How To Use Dehydrated & Lexicon To Issue A Let’s Encrypt Certificate Via TXT Record Validation

Posted by Lunar on December 20, 2017
Posted in: SysAdmin.

So… I recently started using BelugaCDN for XMPP.is, as they were kind enough to give us free service (being a non-profit and all). But I found that they don’t have any kind of automated (easy) way to install Let’s Encrypt certs. I’m too cheap to pay for certs, and besides, we have Let’s Encrypt after all. Now, this tutorial is a bit hacky when it gets to the BelugaCDN part, so don’t say I didn’t warn you.. I’m only scripting renewals for one subdomain at the moment.. I setup the CNAME cdn.xmpp.is -> cdn.xmpp.is.i.belugacdn.com with Cloudflare, spun up a Debian Stretch VM and my journey began..

1. Getting a certificate from Let’s Encrypt

Make sure the proper dependencies are installed.
apt install python-pip build-essential python-dev curl libffi-dev libssl-dev openssl curl sed grep mktemp git

Install Lexicon with python-pip.
pip install dns-lexicon

Create a user.
root@moon:~# useradd -m -s bash letsencrypt

Login to the user.
root@moon:~# su letsencrypt

Go to home directory.
letsencrypt@moon:~$ cd /home/letsencrypt

Clone the Dehydrated repository.
letsencrypt@moon:~$ git clone https://github.com/lukas2511/dehydrated /home/letsencrypt

Make the script an executable.
letsencrypt@moon:~$ chmod +x /home/letsencrypt/dehydrated/dehydrated

Add domain to list.
letsencrypt@moon:~$ echo "cdn.xmpp.is" > /home/letsencrypt/dehydrated/domains.txt

Download the default Dehydrated script and make it an executable.
letsencrypt@moon:~$ wget -P /home/letsencrypt/dehydrated https://raw.githubusercontent.com/AnalogJ/lexicon/master/examples/dehydrated.default.sh
letsencrypt@moon:~$ chmod +x /home/letsencrypt/dehydrated/dehydrated.default.sh

Add needed export variables to dehydrated.default.sh. You’ll need your global Cloudflare API key. Example:

export LEXICON_CLOUDFLARE_USERNAME=username@example.com
export LEXICON_CLOUDFLARE_TOKEN=234dcef90c3d9aa0eb6798e16bdc1e4b

Accept the terms…
/home/letsencrypt/dehydrated/dehydrated --register --accept-terms

Launch the script! After this you should have your cert issued shortly after.
/home/letsencrypt/dehydrated/dehydrated --cron --hook /home/letsencrypt/dehydrated/dehydrated.default.sh --challenge dns-01

By default the cert/key will be located in the directory of the script under “certs”. Example:

deploy_cert called: cdn.xmpp.is, /home/letsencrypt/dehydrated/certs/cdn.xmpp.is/privkey.pem, /home/letsencrypt/dehydrated/certs/cdn.xmpp.is/cert.pem, /home/letsencrypt/dehydrated/certs/cdn.xmpp.is/fullchain.pem, /home/letsencrypt/dehydrated/certs/cdn.xmpp.is/chain.pem

2. Pushing your new certificate to BelugaCDN

Now the next part is a bit more annoying. I’m slightly disappointed that BelugaCDN doesn’t have easier ways to automate this. Although their API seems good, the process is completely unintuitive for newbies. And the only way to easily do it, is to paste the certificate, chain and private key into the site. Obviously that method (if you’re using Let’s Encrypt) would require you to paste the new cert in every 3 months, which is cumbersome.

I didn’t feel like making a script to create the initial certificate in this next part, so I simply did this manually. Renewals CAN be scripted easily though with tools readily available.

Logout of your user if still logged in.
letsencrypt@moon:~$ exit

Install beluga-py with pip.
root@moon:~# pip install beluga-py

Log back in.
root@moon:~# su letsencrypt

Go back to home base.
letsencrypt@moon:~$ pwd
/home/letsencrypt

Push the initial cert. After this finishes, wait until BelugaCDN pushes it to their edge nodes. Example:
letsencrypt@moon:~$ beluga --username email@example.com --password 3x@mp13 --path ssl-certificates --method POST --body '{"certificate": "-----BEGIN CERTIFICATE-----\n[certificate data]\n-----END CERTIFICATE-----","key": "-----BEGIN CERTIFICATE-----\n[certificate data]\n-----END CERTIFICATE-----", "site": "cdn.xmpp.is"}'

If you want to check the status on BelugaCDN’s end, you can use a command like this:

letsencrypt@moon:~$ beluga --username example@example.com --password PASSWORD --path ssl-certificates

You will see the status as “pending” until BelugaCDN fully pushes it. After, it will state “active”.

“status”: “pending”

Scripting renewals (ghetto)

To script renewals in this next part, you can download this neat python script that does everything for you.
letsencrypt@moon:~$ git clone https://github.com/masipcat/beluga-lets-encrypt /home/letsencrypt

Just edit the config.json in that folder, point it to the correct location of your certs, put in your user/pass and domain and launch it!
letsencrypt@moon:~$ cd /home/letsencrypt/beluga-lets-encrypt; python renew.py

You can add this to your “letsencrypt” user’s crontab. To edit just enter “crontab -e” when logged in.

letsencrypt@moon:~$ crontab -l
@monthly /home/letsencrypt/dehydrated/dehydrated –cron –hook /home/letsencrypt/dehydrated/dehydrated.default.sh –challenge dns-01; cd /home/letsencrypt/beluga-lets-encrypt; python renew.py