Using Let's Encrypt for free SSL certs with NetScaler
If you haven't heard, Let's Encrypt (https://letsencrypt.org/) has its free and open CA service up and running in public beta.
That means right now you can go and get yourself free SSL certificates for any web property that you own.
These SSL certs are cross-signed by IdenTrust, meaning they are trusted by all major browsers. The premise behind the service is an automated system by which certificates can be issued on a routine basis.
These certificates are short lived, only 90 days, but that's intentional: they're meant to enforce the use of the provided automation. This keeps the process secure, ensures proper ownership of the website and validity of the request, and provides a consistent mechanism for acquiring and applying certificates.
During this beta period there are a number of scenarios in which full automation is supported:
- Apache, the traditional and widely used web server
- Standalone, for web-facing services that need SSL but aren't necessarily doing traditional HTTP/web
- Webroot, for using an existing directory on an existing web server
In these scenarios, the Let's Encrypt automation is launched via cron (or whatever), which in turn contacts the CA, provides an environment against which the CA can validate the domain owner, and then installs the created/updated certificate (see the Let's Encrypt docs).
Unfortunately (but predictably), there's no direct integration or automation between the Let's Encrypt service and NetScaler (Let's Encrypt is still in beta, after all). The Let's Encrypt CA can, however, be used to issue certificates that are then used by the NetScaler, but this is a manual process. The good news is that the Let's Encrypt client is plugin-based, so some intrepid soul could create a NetScaler plugin that works with the service.
This post, while not as good as a plugin, is my overview of using the Let's Encrypt manual process in conjunction with NetScaler to get some free SSL certs.
I'll cover the following topics:
- Creation of a Let's Encrypt "PKI server". In the automated Apache/webroot scenarios this is not necessary, as everything is done on the web servers themselves. For the manual method, a server must be used as a launch pad for the automation, and it will also be used to work/script against the NetScaler. Also note that I'm just calling it a PKI server; that's not a term you'll see when researching Let's Encrypt, and I would guess it goes somewhat against their vision, which is automation of these processes. By adding an intermediate server into the mix we are definitely complicating matters. In an ideal world, the NetScaler would have something built in that knows how to work with Let's Encrypt, or a plugin would be created that tells Let's Encrypt how to work with the NetScaler. But hey, this works too.
- Leverage the NetScaler to satisfy the challenge/response requirement of Let's Encrypt's certificate issuance process. We'll use a responder policy on a content switching vserver to do this.
- Create the certificate via the Let's Encrypt client scripts.
- Convert the issued certificates to a NetScaler-compatible format, and install those certificates for use by a NetScaler vserver.
Keep in mind this service has me giddy because I'm constantly changing my lab and needing (wanting) new certs. But by no means is this limited to lab use. I intend to use these certificates as a way to rapidly acquire certificates for POCs, where things can slow down when trying to get certs issued or paid for.
Enterprises should also be looking at this as a potential way to offset the ongoing issue/renew costs of certificates from non-free vendors. Of course these certificates are not necessarily appropriate for large, enterprise-scale web properties, as the more advanced site verification options (organization or extended validation) are not covered by these domain-validated certificates. But I think there's plenty of opportunity to secure, for free, sites that would otherwise not be secured at all.
A few disclaimers:
- I assume you know how to work in Linux.
- I assume that you've visited http://letsencrypt.org and have an understanding of the certification process.
- I assume you are fairly comfortable with NetScaler and basic networking.
- I assume you know how SSL certs work.
So here we go:
Step 1: Get yourself some Linux and install it.
I like openSUSE or CentOS. Both have easy, fast network-install boot ISOs. Here's openSUSE on XenServer as an example, but use whatever you want. There are minimal requirements, and I give you the commands to install what's needed on top of most base deployments. You would just have to find your appropriate package manager (zypper, yum, apt, etc). I'm not going to link to the Linux install media. Google is your friend.
- Create a VM for your server. For openSUSE (13+) it's OK to use the SLES 12 template. "Other install media" is also an acceptable template.
- Mount the net installer ISO (or the full DVD; the net installer is just my preference).
- I gave mine plenty of giddy-up.
- Again, plenty of disk space. Nothing is really going to accumulate here. Thin-provisioned disk, no commitment.
- openSUSE's installer is festive at the time of this writing.
- I include online repos so everything is up to date.
- I go with defaults on partitioning. No need to get fancy here.
- I included the listed repositories. Again, depending on distro, YMMV.
- I prefer KDE to GNOME, but in reality this is basically just going to be used over SSH, so the GUI selection is largely irrelevant.
- Create a simple user. This is a point at which you'll want to consult with your security team, if such a thing exists. If you'll be using this in production, it's important that this server is hardened, as it will contain private keys (the issued certificate keys as well as the Let's Encrypt account key under /etc/letsencrypt) and all of the tools required to register and renew certificates. If someone steals my lab certificate I won't be heartbroken.
- Once the installation has completed, open a terminal in the console window and get the system ready for remote/PuTTY access.
- Get the IP address with ifconfig.
- Turn on the SSH server. **Again, security is an issue here. Use best practices in production!
systemctl enable sshd
service sshd start
- Turn off the firewall. **See above. Use best practices in production (open only port 22 to your management network rather than disabling the firewall outright)!
yast firewall disable
- Log in via PuTTY or your terminal of choice.
- Install the prerequisites and get the environment ready for the Let's Encrypt automation. In this example I use the user's home folder; in production this would live somewhere more appropriate, like /opt. Several other prerequisites (gcc, Python headers, and others) are installed the first time letsencrypt-auto runs, as it bootstraps its own dependencies with sudo; just accept any prompts.
zypper -n in git
cd ~ && git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
Step 2: Leverage the NetScaler to act as a web server that will provide a valid response to the Let's Encrypt CA.
In most automated cases, the Let's Encrypt client places a marker on the web server in a specific location (under /.well-known/acme-challenge/) as part of the challenge/response when requesting a certificate.
During the process, a request is sent from the CA to the web server to confirm that the marker is there. This establishes that the person making the request controls the web server and is thereby authorized to request a certificate for that name.
Since we are most likely looking to cert a NetScaler Gateway, we can just have the NetScaler platform itself (via a content switching vserver) answer specific requests with specific responses in the form of this Let's Encrypt marker. The same holds true for any lb vserver or cs vserver we wish to cert; we just need a policy that answers Let's Encrypt with the validation marker.
In this example, I'll leverage a content switching vserver that listens on port 80 on the same IP as my NetScaler Gateway and returns the validation key when an HTTP request is sent to the same FQDN as my gateway.
- Create the response page that answers Let's Encrypt. This will be the unique marker.
NetScaler > AppExpert > Responder > HTML Page Imports
Just enter some temporary text as the file contents and press Done. You will replace this with the real challenge content once the client hands it to you in step 3.
- NetScaler > AppExpert > Responder > Actions (create a "Respond with HTML page" action that uses the imported page)
- NetScaler > AppExpert > Responder > Policies
- Create a content switching vserver on port 80 with the same IP as the gateway address. This is where firewall rules, routes, etc. should be added. We are using the same IP address since we already know the external DNS name of the website points to it. We'll just communicate on port 80 in this example. If we wanted traffic to go through 443, we would be better served binding the responder policy to the gateway itself and, instead of using "true" in the expression, only firing this responder policy when the path exactly matches the Let's Encrypt challenge path. Note that the CA's validation request always starts on port 80 and only follows a redirect to 443, so port 80 must be reachable from the internet either way.
- Bind your responder policy to this content switching vserver. In this example I have the responder policy answering all requests, because the expression is set to "true", which matches all requests. If you wanted to be more granular you would instead create an expression that looks for the specific /.well-known/acme-challenge/ path in the request.
- Visit the HTTP side of the URL you want to cert (http://gateway.domain.com) and ensure the resulting page is just the temporary text you entered in the first bullet above.
Step 3: Create the certificate
Run the client in manual mode (certonly --manual) for the gateway FQDN. It prints the challenge token and the exact content it expects to find at http://gateway.domain.com/.well-known/acme-challenge/<token>, then waits; update the imported HTML page from step 2 with that content, confirm it is served, and only then let the client continue so the CA can validate and issue.
Step 4: Get the certs on the NetScaler
- Convert the certs to a NetScaler-appropriate format. The files under /etc/letsencrypt/live are root-owned, so run the conversions with sudo. (NetScaler also accepts PEM directly; the DER conversion is just the format I install here, and if you convert you must select DER as the format when installing.)
cd ~
sudo openssl rsa -outform der -in /etc/letsencrypt/live/domain.com/privkey.pem -out ~/domain.com.server.key
sudo openssl x509 -outform der -in /etc/letsencrypt/live/domain.com/cert.pem -out ~/domain.com.server.cer
sudo openssl x509 -outform der -in /etc/letsencrypt/live/domain.com/chain.pem -out ~/domain.com.chain.cer
- Install the certificates.
NetScaler > Traffic Management > SSL > Certificates
Install the server cert (domain.com_letsencrypt, from the .server.cer and .server.key files) and the chain cert (domain.com_letsencryptchain, from the .chain.cer file), selecting DER as the format.
- Select the domain.com_letsencrypt certificate, click Action, then Link, and select the domain.com_letsencryptchain certificate.
You are now ready to bind the new cert to your SSL vserver or gateway! Be sure to turn off your content switching vserver, either by blocking it at the firewall or by disabling the vserver (or both); with a "true" expression it will otherwise answer anything sent to port 80. You will need to turn it back on, and repeat steps 3 & 4, to renew the certificate, which with a 90-day lifetime comes around quickly.
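The whole procedure from step 2 through step 4, as an added example that is not code from the original post, collected into one script run from the PKI server. It is the CLI equivalent of the GUI clicks above: the responder action and policy plus the port-80 content switching vserver (matching only the ACME challenge path instead of "true"), the manual issuance, the DER conversion, and the certKey install and link. Everything concrete in it is assumed rather than taken from the post: the NSIP 203.0.113.1, the gateway VIP 203.0.113.10, the nsroot SSH user, the FQDN gateway.example.com, the object names, and that the NetScaler CLI reads a batch of commands from standard input over SSH.

```shell
#!/bin/sh
# Added example, not from the original post: drives the manual Let's Encrypt
# flow from the "PKI server" and pushes the NetScaler side as CLI batches.
# Assumed values (none are in the post): NSIP 203.0.113.1, gateway VIP
# 203.0.113.10, SSH user nsroot, FQDN gateway.example.com, client cloned
# to ~/letsencrypt, certificate files copied to /nsconfig/ssl/ with scp.
set -eu

NSIP="${NSIP:-203.0.113.1}"
NS_USER="${NS_USER:-nsroot}"
VIP="${VIP:-203.0.113.10}"
FQDN="${FQDN:-gateway.example.com}"
CERTNAME="${CERTNAME:-${FQDN}_letsencrypt}"

# NetScaler CLI batch that answers the HTTP-01 challenge.
#   $1 = challenge token (last path component the CA requests)
#   $2 = key authorization (the exact body the CA expects back)
# Unlike the post's "true" expression, the policy fires only on the ACME
# path for this token, so nothing else on port 80 gets answered.
ns_acme_batch() {
    token="$1"; keyauth="$2"
    cat <<EOF
add responder action rs_act_acme respondwith q{"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: ${#keyauth}\r\n\r\n${keyauth}"}
add responder policy rs_pol_acme q{HTTP.REQ.URL.PATH.EQ("/.well-known/acme-challenge/${token}")} rs_act_acme
add cs vserver cs_acme_http HTTP ${VIP} 80
bind cs vserver cs_acme_http -policyName rs_pol_acme -priority 100 -gotoPriorityExpression END -type REQUEST
EOF
}

# Batch that installs the DER files produced by convert_certs and links the
# chain (the GUI "Install" and "Link" steps). $1 = "add" on first install,
# "update" on renewal so the existing certKey is replaced in place.
ns_install_batch() {
    verb="${1:-add}"
    cat <<EOF
${verb} ssl certKey ${CERTNAME} -cert ${FQDN}.server.cer -key ${FQDN}.server.key -inform DER
${verb} ssl certKey ${CERTNAME}_chain -cert ${FQDN}.chain.cer -inform DER
EOF
    if [ "$verb" = add ]; then
        echo "link ssl certKey ${CERTNAME} ${CERTNAME}_chain"
    fi
}

# Send a batch of CLI commands to the NetScaler (assumption: its CLI reads
# commands from stdin over SSH).
ns_push() { ssh "${NS_USER}@${NSIP}"; }

# Step 3: manual issuance. The client prints the token and key authorization
# and waits; at that prompt run "./ns-acme.sh challenge <token> <keyauth>" in
# a second shell, check http://<FQDN>/.well-known/acme-challenge/<token>
# answers with the key authorization, then let the client continue.
issue_cert() { ~/letsencrypt/letsencrypt-auto certonly --manual -d "${FQDN}"; }

# Step 4: PEM to DER exactly as in the post (sudo: /etc/letsencrypt is root-owned).
convert_certs() {
    live="/etc/letsencrypt/live/${FQDN}"
    sudo openssl rsa  -outform der -in "${live}/privkey.pem" -out "${HOME}/${FQDN}.server.key"
    sudo openssl x509 -outform der -in "${live}/cert.pem"    -out "${HOME}/${FQDN}.server.cer"
    sudo openssl x509 -outform der -in "${live}/chain.pem"   -out "${HOME}/${FQDN}.chain.cer"
    sudo chown "$(id -u)" "${HOME}/${FQDN}".*
    chmod 600 "${HOME}/${FQDN}.server.key"
}

install_certs() {
    scp "${HOME}/${FQDN}.server.key" "${HOME}/${FQDN}.server.cer" \
        "${HOME}/${FQDN}.chain.cer" "${NS_USER}@${NSIP}:/nsconfig/ssl/"
    ns_install_batch "${1:-add}" | ns_push
    # Close the challenge responder again until the next renewal, as the post advises.
    printf 'disable cs vserver cs_acme_http\nsave ns config\n' | ns_push
}

case "${1:-}" in
    challenge) ns_acme_batch "$2" "$3" | ns_push ;;
    issue)     issue_cert ;;
    install)   convert_certs && install_certs add ;;
    renew)     printf 'enable cs vserver cs_acme_http\n' | ns_push
               convert_certs && install_certs update ;;
    *)         ;;  # no arguments: only define the functions (e.g. when sourced)
esac
```

First issuance is `issue`, then `challenge <token> <keyauth>` when the client pauses, then `install`; on each 90-day cycle `renew` re-enables the cs vserver, runs the same conversion and replaces the certKey with `update ssl certKey` rather than failing on a duplicate `add`. The manual plugin still stops for the challenge prompt, so the renewal remains a hands-on step, which is exactly the gap a NetScaler plugin for the client would close.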
There are many ways to skin this cat, but I figured since I was issuing these certificates to my NetScaler Gateway anyway, I may as well use the NetScaler to play the role of the web tier too!
Happy certing!