
How To Use Dehydrated & Lexicon To Issue A Let’s Encrypt Certificate Via TXT Record Validation

Posted by Lunar on December 20, 2017
Posted in: SysAdmin, Tech, Tutorials.

Update (1/28/20): the method below is very hacky and is likely no longer necessary for BelugaCDN. I would not recommend following this tutorial.

So… I recently started using BelugaCDN for XMPP.is, as they were kind enough to give us free service (being a non-profit and all). But I found that they don’t have any automated (or easy) way to install Let’s Encrypt certs. I’m too cheap to pay for certs, and besides, we have Let’s Encrypt after all. Fair warning: this tutorial gets a bit hacky when it reaches the BelugaCDN part, and I’m only scripting renewals for one subdomain at the moment. I set up the CNAME cdn.xmpp.is -> cdn.xmpp.is.i.belugacdn.com in Cloudflare, spun up a Debian Stretch VM, and my journey began.

1. Getting a certificate from Let’s Encrypt

Make sure the proper dependencies are installed (mktemp is part of coreutils, so it needs no separate package).
apt install python-pip build-essential python-dev curl libffi-dev libssl-dev openssl sed grep git

Install Lexicon with python-pip.
pip install dns-lexicon

Create a user (the shell must be given as a full path, or su will fail to start it).
# useradd -m -s /bin/bash letsencrypt

Login to the user.
# su letsencrypt

Go to home directory.
$ cd /home/letsencrypt

Clone the Dehydrated repository into its own subdirectory (cloning straight into the home directory fails because the directory is not empty, and the paths below expect /home/letsencrypt/dehydrated).
$ git clone https://github.com/lukas2511/dehydrated /home/letsencrypt/dehydrated

Make the script an executable.
$ chmod +x /home/letsencrypt/dehydrated/dehydrated

Add domain to list.
$ echo "cdn.xmpp.is" > /home/letsencrypt/dehydrated/domains.txt

Download the default Dehydrated hook script from the Lexicon examples and make it an executable.
$ wget -P /home/letsencrypt/dehydrated https://raw.githubusercontent.com/AnalogJ/lexicon/master/examples/dehydrated.default.sh
$ chmod +x /home/letsencrypt/dehydrated/dehydrated.default.sh

Add the needed export variables to dehydrated.default.sh. Lexicon’s Cloudflare provider reads your account e-mail and your global Cloudflare API key from the environment. A global API key can change anything in the account, so keep the hook script readable only by the letsencrypt user. Example:

export LEXICON_CLOUDFLARE_USERNAME=<your-cloudflare-account-email>
export LEXICON_CLOUDFLARE_TOKEN=234dcef90c3d9aa0eb6798e16bdc1e4b

Accept the terms…
/home/letsencrypt/dehydrated/dehydrated --register --accept-terms

Launch the script! Your cert should be issued shortly after.
/home/letsencrypt/dehydrated/dehydrated --cron --hook /home/letsencrypt/dehydrated/dehydrated.default.sh --challenge dns-01

By default the cert and key are written to a “certs” directory next to the script, one subdirectory per domain. The hook prints the paths. Example:

deploy_cert called: cdn.xmpp.is, /home/letsencrypt/dehydrated/certs/cdn.xmpp.is/privkey.pem, /home/letsencrypt/dehydrated/certs/cdn.xmpp.is/cert.pem, /home/letsencrypt/dehydrated/certs/cdn.xmpp.is/fullchain.pem, /home/letsencrypt/dehydrated/certs/cdn.xmpp.is/chain.pem
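For the curious, the TXT record the Lexicon hook publishes under _acme-challenge.cdn.xmpp.is is not the raw challenge token: it is derived from the token and your ACME account key. The following is an added example, not dehydrated’s or Lexicon’s code, written against RFC 8555 and RFC 7638; the RSA key is the RFC 7638 test vector and the token is constructed, so substitute your own account key and challenge token when checking the record Cloudflare actually serves.

```python
# Added example (not dehydrated's or lexicon's code): derive and check the
# DNS-01 TXT value that the hook publishes under _acme-challenge.<domain>.
import base64
import hashlib
import json
from typing import Iterable


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an account key: SHA-256 over the required public
    members only, in lexicographic order, with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint)).
    This is the TOKEN_VALUE dehydrated hands to the hook's deploy_challenge."""
    key_authorization = token + "." + jwk_thumbprint(jwk)
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(domain: str) -> str:
    """FQDN of the TXT record the CA queries."""
    return "_acme-challenge." + domain.rstrip(".") + "."


def txt_record_matches(published: Iterable[str], token: str, jwk: dict) -> bool:
    """True if one of the TXT strings currently served (e.g. the lines printed by
    `dig +short TXT _acme-challenge.cdn.xmpp.is`) equals the expected value.
    Use it to confirm Cloudflare has propagated the record before the CA looks."""
    expected = dns01_txt_value(token, jwk)
    return any(value.strip().strip('"') == expected for value in published)


# RFC 7638 section 3.1 example RSA public key (a published test vector, not a real
# account key); "kid" and "alg" must not influence the thumbprint.
RFC7638_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}
# Constructed challenge token; in practice the ACME server issues it.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
```

If a renewal fails with an "incorrect TXT record" error, compare the value dig returns for the record name against dns01_txt_value() for the token in dehydrated’s output; a stale or duplicated TXT record at Cloudflare is the usual cause.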

2. Pushing your new certificate to BelugaCDN

Now the next part is a bit more annoying. I’m slightly disappointed that BelugaCDN doesn’t have an easier way to automate this. Their API seems good, but the process is completely unintuitive for newbies, and the only easy way to do it is to paste the certificate, chain and private key into the site. Obviously that method (if you’re using Let’s Encrypt) would require you to paste in the new cert every 3 months, which is cumbersome.

I didn’t feel like writing a script for the initial certificate in this part, so I simply did it manually. Renewals CAN be scripted easily, though, with readily available tools.

Logout of your user if still logged in.
$ exit

Install beluga-py with pip.
# pip install beluga-py

Log back in.
# su letsencrypt

Go back to home base.
$ pwd
/home/letsencrypt

Push the initial cert. The “certificate” field takes the PEM of your certificate and the “key” field takes the contents of privkey.pem (use whatever BEGIN/END header your privkey.pem actually has), with each newline written as \n. After this finishes, wait until BelugaCDN pushes it to their edge nodes. Example:
$ beluga --username <beluga-account-email> --password PASSWORD --path ssl-certificates --method POST --body '{"certificate": "-----BEGIN CERTIFICATE-----\n[certificate data]\n-----END CERTIFICATE-----", "key": "-----BEGIN PRIVATE KEY-----\n[private key data]\n-----END PRIVATE KEY-----", "site": "cdn.xmpp.is"}'

If you want to check the status on BelugaCDN’s end, you can use a command like this (note that a password given on the command line ends up in your shell history and in the process list):

$ beluga --username <beluga-account-email> --password PASSWORD --path ssl-certificates

You will see the status as “pending” until BelugaCDN fully pushes it. After, it will state “active”.

"status": "pending"
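Pasting PEM text into a JSON string by hand is where mistakes creep in (the “key” field must carry the private key, not a certificate). The following is an added example, not renew.py or BelugaCDN’s code, that builds the body for the ssl-certificates POST from dehydrated’s certs/<site>/ layout shown above and refuses an obvious mix-up of the two files; the PEM contents it writes for testing are constructed placeholders, not real key material.

```python
# Added example (not renew.py's or BelugaCDN's code): assemble the ssl-certificates
# request body from dehydrated's certs/<site>/ files instead of pasting PEMs by hand.
import json
import os
import re
import tempfile

# One PEM block; the backreference forces the END label to match the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)


def pem_block_types(pem_text: str) -> list:
    """Labels of the PEM blocks in a file, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def build_ssl_certificate_body(cert_dir: str, site: str) -> dict:
    """Build the body for POST ssl-certificates from dehydrated's output files and
    refuse a mix-up (e.g. a certificate in the "key" field) before anything is sent."""
    with open(os.path.join(cert_dir, site, "fullchain.pem")) as f:
        chain = f.read()
    with open(os.path.join(cert_dir, site, "privkey.pem")) as f:
        key = f.read()
    chain_types = pem_block_types(chain)
    if not chain_types or set(chain_types) != {"CERTIFICATE"}:
        raise ValueError("fullchain.pem must hold only CERTIFICATE blocks, got %r" % chain_types)
    key_types = pem_block_types(key)
    if len(key_types) != 1 or not key_types[0].endswith("PRIVATE KEY"):
        raise ValueError("privkey.pem must hold exactly one private key, got %r" % key_types)
    return {"certificate": chain, "key": key, "site": site}


def ssl_certificate_json(cert_dir: str, site: str) -> str:
    """JSON text for --body; json.dumps turns real newlines into the \\n escapes."""
    return json.dumps(build_ssl_certificate_body(cert_dir, site))


def make_sample_cert_dir(site: str, swap_files: bool = False) -> str:
    """Create a throwaway certs/<site>/ directory holding constructed placeholder PEMs
    (not real key material). swap_files=True writes a certificate where the key belongs."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, site))
    cert = "-----BEGIN CERTIFICATE-----\nTUlJQ2VydDE=\n-----END CERTIFICATE-----\n"
    chain = cert + "-----BEGIN CERTIFICATE-----\nTUlJQ2VydDI=\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nTUlJRXRlc3Q=\n-----END PRIVATE KEY-----\n"
    files = {"fullchain.pem": chain, "privkey.pem": cert if swap_files else key}
    for name, text in files.items():
        with open(os.path.join(base, site, name), "w") as f:
            f.write(text)
    return base
```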

Scripting renewals (ghetto)

To script renewals in this next part, you can download this neat Python script that does everything for you. Clone it into its own subdirectory (the home directory itself is not empty, so git would refuse it).
$ git clone https://github.com/masipcat/beluga-lets-encrypt /home/letsencrypt/beluga-lets-encrypt

Just edit the config.json in that folder, point it to the correct location of your certs, put in your user/pass and domain, and launch it!
$ cd /home/letsencrypt/beluga-lets-encrypt; python renew.py

You can add this to the “letsencrypt” user’s crontab. To edit it, enter “crontab -e” while logged in as that user.

$ crontab -l
@monthly /home/letsencrypt/dehydrated/dehydrated --cron --hook /home/letsencrypt/dehydrated/dehydrated.default.sh --challenge dns-01; cd /home/letsencrypt/beluga-lets-encrypt; python renew.py
