My way to auto update "Let's Encrypt" certs without downtime.
It’s been a while since my last post here. This is my first post with the new platform - Hexo. It’s faster and simpler than Octopress and it’s not Ruby, but never mind…
The whole concept of Certificate Authorities is completely broken, but we don’t have something better that works. A world with a fully encrypted web is a really good idea, since the whole internet traffic is monitored by governments and other private organizations. Let’s Encrypt is an attempt at that. It’s a collaborative project between the Linux Foundation, the EFF and some other organizations.
They are providing free (completely free!) certificates with 3 months of validity. After that time, the certificates can be renewed again.
Signing and delivery of the certificates
Let’s Encrypt uses the ACME (Automated Certificate Management Environment) protocol, which defines how certificates are obtained automatically. More information about the protocol can be found on the Let’s Encrypt - How it works page.
So, let’s start with the technical part
In this setup I’ll use Ubuntu 14.04 with HAProxy for load balancing and managing the traffic for all of the domains.
HAProxy will terminate and serve the HTTPS traffic directly, but we also need SNI checks for the ACME client. So, it’s a bit bizarre: we will have a loop inside HAProxy. A TCP frontend, proxying through a backend that points at localhost, forwards to the HTTPS frontend.
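The loop described above, written out as an HAProxy configuration (an added example, not from the original post; HAProxy 1.5+ syntax). It assumes the ACME client answers TLS-SNI challenges on 127.0.0.1:4443 with SNI names ending in .acme.invalid, that the internal HTTPS frontend listens on 127.0.0.1:8443, that certificates live in /etc/haproxy/certs/ and the web application on 127.0.0.1:8080; all of these are assumptions.

```haproxy
# Added example (not from the original post): the HAProxy "loop" described above.
# Ports, paths and the ".acme.invalid" challenge suffix are assumptions.

frontend tcp-in
    bind *:443
    mode tcp
    option tcplog
    # Wait (up to 5s) for the TLS ClientHello so the SNI can be inspected.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Only ACME challenge connections (SNI ending in .acme.invalid) reach the
    # ACME client; normal hostnames can never be routed to it.
    use_backend acme-client if { req.ssl_sni -m end .acme.invalid }
    # Everything else loops back into the real HTTPS frontend below.
    default_backend https-loop

backend acme-client
    mode tcp
    server acme 127.0.0.1:4443

backend https-loop
    mode tcp
    # send-proxy keeps the original client IP visible to the HTTPS frontend.
    server local 127.0.0.1:8443 send-proxy

frontend https-in
    # accept-proxy reads the PROXY header sent by the https-loop backend.
    # "crt <dir>" loads every certificate in the directory; HAProxy picks one by SNI.
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/ accept-proxy
    mode http
    http-request set-header X-Forwarded-Proto https
    default_backend web

backend web
    mode http
    server app1 127.0.0.1:8080 check
```

The public :443 frontend never terminates TLS itself, so the https-in frontend keeps serving the existing certificate while the ACME client answers a challenge on the same port.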