{"id":14273,"date":"2017-05-17T05:51:25","date_gmt":"2017-05-17T12:51:25","guid":{"rendered":"http:\/\/ainslies.net\/?p=14273"},"modified":"2022-10-09T06:10:08","modified_gmt":"2022-10-09T13:10:08","slug":"using-letsencrypt-with-stunnel","status":"publish","type":"post","link":"https:\/\/ainslies.net\/?p=14273","title":{"rendered":"Using letsencrypt with stunnel"},"content":{"rendered":"

I wanted to use letsencrypt<\/a> keys and stunnel to encrypt sessions with a valid server key. Once setup the system needed to look like a regular https website with a valid certificate. I’ll explain why I did this in a later posting.<\/p>\n

I’m not going to go into getting the original key from letsencrypt as there are too many ways to do it and letsencrypt’s certbot is already well documented.<\/p>\n

These instructions are also specific to Ubuntu 16.04 but could be modified for other Linux’s. The instructions below will also conflict with any webserver listening on port 443 (https).<\/p>\n

Setup stunnel<\/h2>\n

In all of the instructions and scripts below replace <servername> with your hostname. <servername> also needs to match you letsencrypt hostname.<\/p>\n

sudo apt-get install stunnel4\n<\/pre>\n
Edit \/etc\/default\/stunnel4 and change ENABLED=1<\/p>\n
Now create a new stunnel conf file in \/etc\/stunnel\/ with the contents below<\/p>\n
pid = \/var\/run\/stunnel.pid\ncert = \/etc\/stunnel\/stunnel.pem\n[ssh]\naccept = <servername>:443\nconnect = 127.0.0.1:80\n<\/pre>\n
If you want to connect to something other than you local webserver change the “connect = 127.0.0.1:80” line above.<\/p>\n
Now because stunnel needs the fullchain.pem and the privkey.pem in the same file we need to combine the letsencrypt files. Here’s a script ( combine_certs.sh<\/a> ) that will check the md5sums of the letsencrypt file and generate a new stunnel.pem whenever the originals change.<\/p>\n
#!\/bin\/bash\n#\n# Copyright (c) 2017 Angus Ainslie \n#\n\nIN_PATH=\"\/etc\/letsencrypt\/live\"\nCERT_NAME=$1\nOUT_PATH=$2\nPEM_NAME=$3\n\nCHAIN_SUM=`md5sum ${IN_PATH}\/${CERT_NAME}\/fullchain.pem`\nKEY_SUM=`md5sum ${IN_PATH}\/${CERT_NAME}\/privkey.pem`\n\necho \"Chain sum ${CHAIN_SUM}\"\necho \"Key sum ${KEY_SUM}\"\n\nif [ ! -e ${OUT_PATH}\/sums ]; then\n  echo ${CHAIN_SUM} > ${OUT_PATH}\/sums\n  echo ${KEY_SUM} >> ${OUT_PATH}\/sums\nfi\n\nmd5sum --status -c ${OUT_PATH}\/sums\n\nif [ $? -eq 0 ]; then\n  echo \"Keys match\"\nelse\n  echo \"Keys don't match. re-creating pem file\"\n  cat ${IN_PATH}\/${CERT_NAME}\/fullchain.pem ${IN_PATH}\/${CERT_NAME}\/privkey.pem > ${OUT_PATH}\/${PEM_NAME}\n  echo ${CHAIN_SUM} > ${OUT_PATH}\/sums\n  echo ${KEY_SUM} >> ${OUT_PATH}\/sums\nfi\n<\/pre>\n
To generate the stunnel.pem file run combine_certs.sh like this<\/p>\n
sudo combine_certs.sh <servername> \/etc\/stunnel stunnel.pem\n<\/pre>\n
Because the letsencrypt certificates are short lived their install process adds a cron job that will renew any keys expiring in 30 days or less. So we need to rerun the combine script to keep our stunnel.pem current. Put this crontab<\/a> in \/etc\/cron.d<\/p>\n
# Copyright (c) 2017 Angus Ainslie <angus at akkea.ca>\n#\nSHELL=\/bin\/bash\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n5 *\/12 * * * root test -x \/usr\/local\/bin\/combine_certs.sh && combine_certs.sh  \/etc\/stunnel stunnel.pem\n<\/pre>\n
Now restart stunnel<\/p>\n
systemctl restart stunnel4\n<\/pre>\n
You will now have a fully functional stunnel listener that will function as an https server.<\/p>\n","protected":false},"excerpt":{"rendered":"
I wanted to use letsencrypt keys and stunnel to encrypt sessions with a valid server key. Once setup the system needed to look like a regular https website with a valid certificate. I’ll explain why I did this in a later … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14273","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/ainslies.net\/index.php?rest_route=\/wp\/v2\/posts\/14273","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ainslies.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ainslies.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ainslies.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ainslies.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14273"}],"version-history":[{"count":10,"href":"https:\/\/ainslies.net\/index.php?rest_route=\/wp\/v2\/posts\/14273\/revisions"}],"predecessor-version":[{"id":14356,"href":"https:\/\/ainslies.net\/index.php?rest_route=\/wp\/v2\/posts\/14273\/revisions\/14356"}],"wp:attachment":[{"href":"https:\/\/ainslies.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14273"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ainslies.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14273"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ainslies.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}