Using a Let's Encrypt SSL certificate with Pound

Let's Encrypt certificates have one particular advantage over the competition: they can be renewed automatically. When you manage a lot of servers, that is a serious time-saver.

Pound is a very lightweight reverse proxy which can also act as an SSL endpoint: it accepts the encrypted (HTTPS) traffic, decrypts it, and forwards the plain HTTP request to the web server at the backend. That offloads the TLS work from the web server.

Here's how to do both (terminate SSL on Pound and auto-renew the Let's Encrypt certificate), starting with the ListenHTTPS snippet for /etc/pound/pound.cfg. Note the header handling: HeadRemove strips any X-Forwarded-Proto or X-Forwarded-For a client may have sent before Pound adds its own, so the backend can trust those headers to describe the real connection.

=========
ListenHTTPS
Address 0.0.0.0
Port 443
# drop client-supplied copies first, then set our own value
HeadRemove "X-Forwarded-Proto"
HeadRemove "X-Forwarded-For"
AddHeader "X-Forwarded-Proto: https"

# one PEM file holding the private key, the certificate and the chain
Cert "/etc/letsencrypt/live/mywebsite.com/mywebsite.pem"

### avoid the POODLE attack
Disable SSLv3
Disable SSLv2

### hardening SSL with strong ciphers, disabling weak ones
### (the trailing RC4 entries are a last-resort fallback for legacy clients)
Ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:-RC4:EECDH+aRSA+RC4:EECDH+RC4:EDH+aRSA+RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:RC4+SHA"

# refuse client-initiated renegotiation, prefer our cipher order over the client's
SSLAllowClientRenegotiation 0
SSLHonorCipherOrder 1

End
========

That config should score at least an A on Qualys SSL Labs (https://www.ssllabs.com/ssltest/), provided the PEM file Pound loads contains the intermediate chain as well as the leaf certificate; an incomplete chain is reported as a chain issue. If you have no legacy clients, drop the RC4 entries from the cipher string entirely: RC4 is prohibited for TLS by RFC 7465 and SSL Labs penalises it.

Here's the script that does the auto-renewal. Schedule it with a cronjob twice a day at off-peak times; certbot's renew subcommand only does work when a certificate is within 30 days of expiry, so the frequent runs are cheap:

=========
#!/bin/bash
set -e

LIVE=/etc/letsencrypt/live/mywebsite.com

# renew certificate (certbot only renews when it is close to expiry)
/root/tools/certbot/certbot-auto renew

# merge private key, certificate and intermediate chain into one PEM file,
# which is what Pound's Cert directive expects. fullchain.pem is used rather
# than cert.pem so clients also receive the intermediate CA certificate.
# umask 077 keeps the file (it contains the private key) owner-readable only.
umask 077
cat "$LIVE/privkey.pem" "$LIVE/fullchain.pem" > "$LIVE/mywebsite.pem"

# restart Pound so it picks up the new certificate
/etc/init.d/pound restart
=========
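As an added example (not from the original post, and not part of certbot or Pound), here is a small shell helper that builds the combined PEM the way Pound wants it, private key first and then fullchain.pem, writes it with owner-only permissions, and refuses to install a bundle that does not start with a private key or carries fewer than two CERTIFICATE blocks. The latter is exactly what you get when cert.pem is concatenated instead of fullchain.pem, and it leaves clients without the intermediate CA. The function names, the paths and the dummy PEM fragments in the demo are assumptions; it relies only on standard shell tools:

```shell
#!/bin/bash
# Added example: build and sanity-check the single PEM bundle Pound reads.
# Function names, paths and the demo's PEM fragments are assumptions.
set -eu

# Count "-----BEGIN <label>-----" lines in a PEM file (prints 0 if none).
pem_block_count() {            # $1 = file, $2 = label (e.g. CERTIFICATE)
    grep -c -e "^-----BEGIN $2-----\$" "$1" || true
}

# Return 0 if the file looks like a usable Pound cert bundle:
#  - the first line opens a private key (Pound reads key + cert from one file),
#  - at least two CERTIFICATE blocks (leaf + intermediate); with only one
#    the chain is incomplete and clients lacking the intermediate will fail.
pound_pem_check() {            # $1 = merged PEM
    local first certs
    first=$(head -n 1 "$1")
    case "$first" in
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----") ;;
        *) echo "pound_pem_check: $1 does not start with a private key" >&2; return 1 ;;
    esac
    certs=$(pem_block_count "$1" CERTIFICATE)
    if [ "$certs" -lt 2 ]; then
        echo "pound_pem_check: $1 has $certs certificate(s); expected leaf + chain" >&2
        return 1
    fi
    return 0
}

# Build the bundle: key first, then fullchain.pem (leaf + intermediates).
# mktemp creates the temp file mode 0600, so the key is never world-readable,
# and the final mv is atomic, so Pound never loads a half-written file.
build_pound_pem() {            # $1 = privkey.pem, $2 = fullchain.pem, $3 = output
    local tmp
    tmp=$(mktemp "$3.XXXXXX")
    cat "$1" "$2" > "$tmp"
    if pound_pem_check "$tmp"; then
        mv -f "$tmp" "$3"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Demo on constructed PEM fragments (not real keys or certificates).
# Returns 0 when the bad merge is rejected and the good one is installed 0600.
demo_pound_pem() {
    local d perm
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIfakekey' '-----END PRIVATE KEY-----' > "$d/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'leaf' '-----END CERTIFICATE-----' > "$d/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'leaf' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'intermediate' '-----END CERTIFICATE-----' > "$d/fullchain.pem"

    # privkey + cert.pem (no chain) must be rejected
    build_pound_pem "$d/privkey.pem" "$d/cert.pem" "$d/bad.pem" 2>/dev/null && return 1
    [ ! -e "$d/bad.pem" ] || return 1

    # privkey + fullchain.pem must be accepted and installed owner-only
    build_pound_pem "$d/privkey.pem" "$d/fullchain.pem" "$d/mywebsite.pem" || return 1
    perm=$(ls -l "$d/mywebsite.pem" | cut -c1-10)
    [ "$perm" = "-rw-------" ] || return 1

    rm -rf "$d"
}

demo_pound_pem && echo "pound PEM bundle check: ok"
```

In the cron script you would call build_pound_pem with the real certbot paths after certbot-auto renew and restart Pound only when it returns 0, so a broken bundle never reaches the running proxy.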

Have fun with these!

Credits:

(1) Eko Juniarto, for suggesting restarting Pound after the renewal process.

(2) Fahri Reza, for pointing out that Let's Encrypt advocates running auto-renewal not once but twice a day, e.g. so that an emergency reissue is picked up promptly.