Configure Let's Encrypt service with Pound server

Last modified
Saturday, February 11, 2017 - 08:09

On this tutorial I will show you how to configure your Pound proxy server so it can take advantage of the awesome SSL service provided by Let's Encrypt.

Let's Encrypt is an open-source certificate authority that issues SSL certificates for free making use of the ACME protocol, making possible to obtain trusted certificates for your websites and operate under HTTPS:// with no browser warnings and securing your content of course.

The services also provides a command line tool called Certbot, that can be easily installed on any Linux OS and it will help creating the necessary steps in order to create the certificates for an specific domain/website.

In order to install Certbot on your server, follow the next steps: (make sure you have "git" installed on your system)

$sudo apt-get install git (if not previously installed)
$cd /opt
$sudo git clone https://github.com/certbot/certbot

Running the above commands will download the Certbot latest release from their git repo in the /opt folder. Then we need to stop any service that might be using port 80 on our server, since the installation type we will be performing on this tutorial is the "standalone" type described on the Cerbot documentation, there are other ways to install the certificates, it is up to your preference.
Since this tutorial is about Pound, we are assuming the daemon is already installed so we need to stop it:

$sudo service pound stop

once the service is stopped, run:

$cd /opt/certbot
$sudo ./letsencrypt-auto --text --email YOUR@EMAIL -d YOUR_DOMAIN --agree-tos --standalone certonly

by default, running the command above will generate the necessary key files (*.pem) in the following folder:

/etc/letsencrypt/live/YOUR_DOMAIN/

now, we need to create a private key file that Pound can understand, to do so run the following:

$sudo cat /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem > /etc/ssl/YOUR_DOMAIN.pem

doing so, will concatenate the privkey.pem file and the fullchain.pem file generated by Cerbot into a single file that will be stored into your ssl certificates folder, this is very important!

In order to enable your certificate we need to edit the Pound configuration file and add the entry for it:

$sudo nano /etc/pound/pound.cfg

on the HTTPS section add:

Cert    "/etc/ssl/YOUR_DOMAIN.pem"

And thats pretty much it, you can start Pound back again:

$sudo service pound start

and your domain will be secured by Let's Encrypt! Keep in mind that these certificates have an expiration period of 90 days, so you might have to manually renew using Cerbot each certificate, in order to avoid this process, you can automate it by adding a cron task that will auto renew your certificates for you. To do so, run the following commands:

$sudo nano /etc/cron.monthly/letsencrypt

and add the following:

#!/usr/bin/env bash
cd /opt/certbot
./certbot-auto renew \
--noninteractive \
--pre-hook "service pound stop" \
--post-hook "service pound start"

Here is a nice sh script you can use to register multiple domains with pound:

https://github.com/ffonaissak/letsencrypt-pound/blob/master/letsencrypt-pound.sh

Here's a complete tutorial including certificate auto renew:

https://serversforhackers.com/video/letsencrypt-for-free-easy-ssl-certificates

Enjoy!

Comments

Thanks for these instructions, they were helpful. But - on auto-renewal, I think the .pem file required by pounds needs to be recreated from the private and full chain pem files again. Got any handy tricks to automate that? Seems like something that should be built into the certbot function by now.

Submitted by Philipp on Wed, 07/19/2017 - 16:37

Permalink

The script you describe for automatic renew of the certificates may not run since it is not executable based on your guide - I think.

Regards
Philipp

... or at least Debian-inspired Linux distros such as Ubuntu.

What about FreeBSD? FreeBSD does not support (I wonder why...) letsencrypt-auto. But it allows certbot to be run in the background to renew the certificates; the problem is just that it will be configured to deal with either Apache, nginx, or haproxy (the defaults that are on the certbot pages, not to figure out where pound expects things to be. Also, I'm a bit confused at how your solution will automatically generate (or not) the required ACME directory structure for auto-validation...

Submitted by Anders on Wed, 01/10/2018 - 09:24

Permalink

Re. Automatize renewal of certificate and building the pem files
Building the pem files has to be done as root - for me at least it's not enough to run with sudo, I have to be root (use sudo su first).
Also the script in the cronjob above, starts pound again - with the old pem file. Thus, after rebuilding the pem file with the new certificates, you have to restart pound.
To be certain, I'm using a root cronjob (sudo crontab -e) calling a script every third month looking like this:

#!/usr/bin/env bash
cd /opt/certbot
# Log file
LOGFILE="certbot-renew.log"
# Print the current time
echo $(date) > $LOGFILE 2>&1
./certbot-auto renew \
--noninteractive \
--pre-hook "service pound stop" >> $LOGFILE
# Check if any certs were renewed (You could just merge them anyways without the if statement)
if grep -q 'The following certs have been renewed:' $LOGFILE; then
# cat and merge SSL certs and key for pound usage
cat /etc/letsencrypt/live/YOURDOMAIN/privkey.pem /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem > /etc/ssl/YOURDOMAIN.pem
fi
# Start pound
service pound start

Add new comment

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.