Gandi and Let's Encrypt

Gandi is a sponsor of Let's Encrypt, a free, automated, and open Certificate Authority.

This article will show you how to use LE's certificates with Gandi products.

Simple Hosting

You can use the letsencrypt-gandi plugin for certbot to easily obtain and install Let's Encrypt certificates for Simple Hosting.

http://github.com/Gandi/letsencrypt-gandi

The plugin is currently compatible with PHP and Ruby instances. Python and Node.js instance users can use it by creating a special route in their application.

Server

You can create and use LE certificates on a Gandi Server like on any server.

You can either follow the instructions provided by Let's Encrypt or the tutorial below.

Web Accelerator

You can easily install LE certificates on the Web Accelerator, although there is currently no automated method to obtain them using the product.

You can follow the tutorial below to obtain the LE certificates with a Server and then to easily add them to your Web Accelerator.

Domain names and DNS

You don't need to change anything to your domain name settings to use a TLS/SSL certificate. In most cases, you won't need to change your DNS settings either.

In any case, the tutorial below covers all you'd need to know to register a domain name and configure the DNS settings to get things ready for obtaining a certificate from Let's Encrypt.

SSL Certificates

You can also purchase SSL certificates from Gandi, using other validation methods such as email, DNS or manual validation. Every new domain name also comes with a free SSL certificate.

Certificates obtained with Let's Encrypt are comparable to the Standard SSL certiticate delivered by Gandi. Beyond the validation methods, the main differences lie in the validity period (3 months for LE versus 12 months or more for Gandi) and the speed of delivery (immediate for LE versus up to a few hours for Gandi due to the validation requirements).

Gandi also offers other types of certificates, including wildcard, Pro and Business offerings with green bar, transaction insurance and other features.

Tutorial

This tutorial provides a rather complete walkthrough of the whole process of getting certificates from Let's Encrypt to work with Gandi products, from domain name purchase, to obtaining the certificate, to using it on either a Server, a Simple Hosting instance or a Web Accelerator.

You can skip the sections that don't apply to your use-case and use the links to dive deeper into subjects where you need to get more information.

Requirements

1. A Gandi account

You can create a free Gandi account on our website: https://www.gandi.net/contact/create

2. Gandi CLI, but the Gandi website is fine too

This tutorial uses Gandi CLI commands in the examples but you can perform the same functions on the website. http://cli.gandi.net

You can generate your production platfform API here: https://www.gandi.net/admin/api_key

3. Credits in your prepaid wallet

Many of the operations in the examples are billable, such as domain, server, instance and web accelerator purchases.

The easiest way to manage this is using your prepaid account, as it'll allow you to purchase any type of product directly. https://www.gandi.net/prepaid

Instructions

1. Get a domain name from the command line

You can find and buy domain names right from the command line with Gandi CLI. You'll run a simple wizard that will help you purchase your domain name.

You can also use command line options with Gandi CLI that enable you to execute whole, but in this tutorial they're only used when absolutely necessary.

$ gandi domain create
> Domain: example.com      # enter the domain name here
> example.com is available
> Duration [1] : 1         # enter the duration in years

You'll be ready to move on to the next step as soon as you're the proud owner of your new domain.

2. Create a Server and get its IP address

As previously explained, Let's Encrypt is currently designed to deliver certificates directly to the web servers that respond to the domains they cover.

You can do this in a few minutes by creating a simple server running a system supported by Let's Encrypt's tool. Let's call it “letsencrypt”.

$ gandi vm create --hostname letsencrypt --image "Ubuntu 14.04 64 bits LTS (HVM)" --ip-version 4
$ gandi vm info
...
ip4           : 123.456.7.89
ip6           : 2001:xxxx:xxxx:xxxx
...

3. Create a DNS record for each domain in the certificate

You'll need to create DNS records for the domains you want to cover in your certificate so that Let's Encrypt's servers can use the addresses to perform the automatic validation.

A good way to do this is to create A and AAAA type records for example.com and www.example.com, and point them to the server's IP addresses (IPV4 and IPV6, respectively).

$ gandi record create example.com --name "@" --type A --value 123.456.7.89
$ gandi record create example.com --name "www" --type A --value 123.456.7.89
$ gandi record create example.com --name "@" --type AAAA --value 2001:xxxx:xxxx:xxxx
$ gandi record create example.com --name "www" --type AAAA --value 2001:xxxx:xxxx:xxxx

You'll have to wait for the record changes to be published and picked up by other DNS servers before you can request your certificates from Let's Encrypt.

You can ping one of the addresses periodically to see if your own connection has picked up the change, as a rough indicator.

$ ping example.com

4. Login to your server with SSH

$ gandi vm ssh letsencrypt

Make sure you have git and wget installed. On the Ubuntu system used in the example:

me@letsencrypt # sudo apt-get update
me@letsencrypt # sudo apt-get install -y git wget

5. Install //certbot// and get the certificates

Download and install certbot and run the tool to be guided through the steps. Some Linux distributions include a pre-packaged version of the tool. If you're cloning certbot's source code repository directly from GitHub, you can use these commands:

me@letsencrypt # git clone https://github.com/certbot/certbot.git certbot
me@letsencrypt # cd certbot
me@letsencrypt # ./certbot-auto

Aside from selecting the domains covered by the certified, you'll have 3 configuration options: automatic configuration for Apache or Nginx, automatic download with a temporary web server or manual configuration with a “webroot” folder you specify.

To simply obtain the certificates without installing or configuring anything yourself, you can opt for the temporary webserver mode.

The tool will take care of the whole validation process and download the certificates to the server.

The other two modes are more useful if you intend to use the certificates on that very same server.

Take a look at certbot's documentation if you have further questions about this process.

6. Download the certificates to your computer and add to Gandi

Gandi provides a Certificate Store service that makes it easy for you to store, retrieve and use certificates with Gandi products such as Simple Hosting and the Web Accelerator.

We'll copy the certificate files obtained on the server to our local computer, then upload them to Certificate Store.

$ scp -r root@123.456.7.89:/etc/letsencrypt/live/example.com .
$ gandi certstore create --pk example.com/privkey.pem --crt example.com/cert.pem

You can also delete the temporary server you used to obtain the certificate, if you don't plan to use it.

$ gandi vm delete letsencrypt

7. Use the certificate with a Simple Hosting instance

Simple Hosting is an easy-to-use and scalable hosting service for web sites and applications. You can choose the right size for your instance, along with your preferred language, database technology and deployment workflow. A size M instance or larger is required to use SSL with Simple Hosting.

You easily can host a secure web site or web application on Simple Hosting using the certificate you got from Let's Encrypt.

In this example, we'll create an instance that supports SSL and then we'll associate both the certificate and one of the addresses with it.

$ gandi paas create mysecuresite --size m --ssl 
$ gandi vhost create --vhost "www.example.com" --alter-zone --ssl --pk example.com/privkey.pem

Your secure web site should now be available at https://www.example.com.

8. Use the certificate with a Web Accelerator

A Web Accelerator is a load balancer bundled with an HTTP caching service. It's an ultra-performant tool that distributes incoming requests across up to 16 servers and, on top of that, it saves and delivers assets from cache (html, js, css, images) so that your servers don't have to.

You can easily associate one of your domains with a Web Accelerator and use the certificates obtained from Let's Encrypt to secure a scalable web application or service.

$ gandi webacc create --ssl-enable --vhost example.com --zone-alter --ssl --pk example.com/privkey.pem

Your fast and secure web application is now available at https://example.com.

Last modified: 08/05/2016 at 23:58 by Alexandre L. (Gandi)