# Issue TLS Certificates using IONOS Cloud Certbot Plugin
Transport Layer Security (TLS) is a pivotal security protocol that ensures the encryption of data transmitted between web browsers, such as Chrome and Firefox, and web servers. Employing TLS certificates for all hosted content and applications is imperative: it not only safeguards sensitive information but also fosters trust among users by guaranteeing secure communication channels.

**Info:** To obtain a Let's Encrypt certificate for your domain, verification of ownership is required. This can be achieved through various methods detailed in the [Let's Encrypt documentation](https://letsencrypt.org/docs/challenge-types/). One commonly used method is the DNS-01 challenge, which necessitates demonstrating control over the domain's DNS by placing a specific value in a TXT record. The Certbot plugin facilitates the certificate issuance process by managing these TXT records automatically, handling tasks such as creation, removal, renewal, and revocation. Further details on this process can be found in the [Certbot documentation](https://eff-certbot.readthedocs.io/en/stable). For more information on the Cloud DNS Certbot plugin, see [Cloud DNS Certbot on GitHub](https://github.com/ionos-cloud/certbot-dns-ionos-cloud).

**Target audience:** This tutorial is intended to help both developers and technical decision makers.

**What you will learn:** This tutorial will guide you on how to install and configure a simple web server, create an A record for that web server using the [Cloud DNS API](https://api.ionos.com/docs/dns/v1/), and create a TLS certificate for your web server using [Cloud DNS Certbot](https://docs.ionos.com/cloud/tutorials/network-services/cloud-dns/certbot). The steps we will follow are:

1. Reserve an IPv4 address in IONOS Cloud.
2. Set up a web server on a Dedicated Core Server in IONOS Cloud.
3. Create an A record for your web server. For information on common record types, see *Create records of other types*.
4. Create a TLS certificate for your web server using the Certbot plugin.
5. Add the TLS certificate to your web server configuration.
6. Test your TLS certificate.

## Before you begin

Ensure you have the following:

- An IONOS Cloud account. If you do not have an account, you can create one by visiting the IONOS website.
- A primary zone with Cloud DNS. If you do not have a primary zone, you can create one using the DNS API. For more information, see *Create a primary zone using DNS API*. We will refer to this primary zone and primary zone name as `<your-primary-zone>` and `<your-primary-zone-name>`, respectively.
- Make sure to use your own `<zone-id>` and `<your-server-ip>` along with your `<authorization-token>`.

## Procedure

### Step 1: Reserve an IPv4 address in IONOS Cloud

To reserve an IPv4 address in IONOS Cloud, follow these steps:

1. In the DCD, go to **Menu > Network Services > IP Management**.
2. In **IP Management**, click **Reserve IPs**; a new pop-up window appears.
3. Enter the following information:
   - **Name:** Enter a suitable name.
   - **Number of IPs:** Select the number of IP addresses to be reserved.
   - **Region:** Select a region that is the same as the region of your Dedicated Core Server.
4. Click **Reserve IPs** to reserve the IP addresses and confirm the reservation by selecting **OK**.
5. Exit the **IP Management** window and return to the workspace.

**Expected result:** The IPv4 address is reserved.

### Step 2: Set up a Dedicated Core Server in IONOS Cloud

**Note:** The user who creates the server has full root or administrator access rights. A server, once provisioned, retains all its settings (resources, drive allocation, password, and so on), even after a server restart at the operating system level. The server will only be removed from your Virtual Data Center once you delete it in the DCD.

#### Create a Dedicated Core Server

Create a Dedicated Core Server and configure the server in the **Settings** tab by following the steps in [Create a Dedicated Core Server](https://docs.ionos.com/cloud/compute-services/compute-engine/how-tos/set-up-dedicated-core#create-a-dedicated-core-server).

#### Dedicated Core Server network settings

In the [DCD](https://docs.ionos.com/cloud/set-up-ionos-cloud/data-center-designer) > **Inspector** pane on the right, configure the following network details in the **Network** tab:

1. **Name:** Choose a name unique to this [Virtual Data Center (VDC)](https://docs.ionos.com/support/general-information/glossary-of-terms#virtual-data-center-vdc).
2. **MAC:** It is automatically assigned during the VM creation.
3. **LAN:** Select the LAN connection that is connected to the internet. By default, it is LAN 1.
4. **Firewall:** By default, the firewall is disabled. To enable firewall rules, make sure that incoming and outgoing traffic is allowed on port 25 for UDP and TCP.
5. In the **IPv4** configuration, click **Add IP** and select the same IP address that you use for the A record.

**Expected result:** The network settings for a Dedicated Core Server are configured.

#### Dedicated Core Server storage settings

**Warning:** The storage type cannot be changed after provisioning.

In the [DCD](https://docs.ionos.com/cloud/set-up-ionos-cloud/data-center-designer) > **Inspector** pane on the right, configure the following storage details in the **Storage** tab:

1. Click **SSD**; a new pop-up window **Create new attached storage** appears.
2. Configure the following storage details:
   - **Name:** Enter a name that is unique within your VDC.
   - **Availability Zone:** By default, the value is set to "Auto".
   - **Size in GB:** We recommend using 20 for the storage size.
   - **Performance:** Select "Standard".
   - **Image:** You can select one of the IONOS images or snapshots, or use your own. For this tutorial, we will use an Ubuntu Server image from IONOS. To make the same choice, select `ubuntu-22.04-server-cloudimg-amd64` under **Images**.
   - **Password:** Create a password for the "root" user of the server. You will need this password to SSH in and make changes.
   - **SSH Keys:** Select an SSH key stored in the SSH key manager.
   - **Ad-hoc SSH Key:** If you have not created an SSH key, copy and paste the public part of your SSH key into this field.
   - **Cloud-Init user data:** To install the nginx web server, Certbot, and the `python3-pip` tools, use the following cloud-init user data:

     ```yaml
     #cloud-config
     packages:
       - nginx
       - certbot
       - python3-pip
     runcmd:
       - pip3 install certbot-dns-ionos-cloud
     ```

   - **Boot from device:** Select this checkbox to make the SSD drive bootable.
3. Click **Create SSD storage** to create the SSD storage.

**Expected result:** The storage settings for a Dedicated Core Server are configured.

#### Provision changes and start the Dedicated Core Server

1. Select the newly created Dedicated Core Server.
2. From the **Settings** tab in the **Inspector** pane, select **Power > Start**.
3. Click **Provision Changes** in the lower right corner and click **Provision Now**.

**Expected result:** The Dedicated Core Server is provisioned and started.

#### Next steps

After your changes are provisioned and the server is started, select your Dedicated Core Server, click the **Network** tab in the **Inspector** pane, and copy one of the IPv4 addresses.

**Expected result:** A Dedicated Core Server is set up and started along with the configuration of **Settings**, **Network**, and **Storage**.

### Step 3: Create an A record for your web server

To create an A record for your web server, follow these steps.

**Prerequisite:** Make sure to use your own `<zone-id>` and `<your-server-ip>` along with your `<authorization-token>`.

**Info:** We already own the primary zone `demo.ionos.cloud` and will use it for this tutorial. Previously, we created the primary zone `demo.ionos.cloud` using the [IONOS Cloud DNS API](https://api.ionos.com/docs/dns/v1/). For more information on how to create a primary zone using the [IONOS Cloud DNS API](https://api.ionos.com/docs/dns/v1/), see [Create a DNS zone](https://docs.ionos.com/cloud/network-services/cloud-dns/api-how-tos/create-primary-zone).

```sh
curl --location 'https://dns.de-fra.ionos.com/zones/<zone-id>/records' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <authorization-token>' \
  --data '{
    "properties": {
      "name": "",
      "type": "A",
      "content": "<your-server-ip>",
      "ttl": 60,
      "priority": 0,
      "enabled": true
    }
  }'
```

**Expected result:** The A record for your web server is created.

### Step 4: Create a TLS certificate for your web server using the Certbot plugin

1. Create a `credentials.ini` file containing the API token. This file must contain the `dns_ionos_cloud_token` key with the value of the access token:

   ```sh
   vi credentials.ini
   ```

   Add the following content:

   ```ini
   dns_ionos_cloud_token = <your-ionos-cloud-api-token>
   ```

   Save and exit the file.

2. Restrict access to the `credentials.ini` file:

   ```sh
   chmod 600 credentials.ini
   ```

3. Create a TLS certificate for your web server using the Certbot plugin:

   ```sh
   certbot certonly \
     --authenticator dns-ionos-cloud \
     --dns-ionos-cloud-credentials /path/to/credentials.ini \
     --dns-ionos-cloud-propagation-seconds 60 \
     --agree-tos \
     --rsa-key-size 4096 \
     -d '<your-primary-zone-name>' \
     -d '*.<your-primary-zone-name>'
   ```

   | Flag | Description |
   | --- | --- |
   | `--authenticator dns-ionos-cloud` | Specifies the authenticator plugin to be used. |
   | `--dns-ionos-cloud-credentials` | Specifies the path to the `credentials.ini` file. |
   | `--dns-ionos-cloud-propagation-seconds` | Specifies the time to wait for DNS propagation. |
   | `--agree-tos` | Agrees to the terms of service. |
   | `--rsa-key-size` | Specifies the size of the RSA key. |
   | `-d` | Specifies the domain name for which the certificate is issued. Provide the previously created zone name. |

4. When prompted, enter the email address for urgent renewals and security notices.

The Certbot plugin will automatically create a TXT record in your primary zone to verify the domain ownership and will then issue the TLS certificate for your web server. On successful issuance, you will see the following message:

```
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/<your-primary-zone>/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/<your-primary-zone>/privkey.pem
This certificate expires on <expiration-date>.
These files will be updated when the certificate renews.
```

**Note:** The TLS certificate and key are created in the `/etc/letsencrypt/live/<your-primary-zone>/` folder. For the purpose of this tutorial we used the primary zone `demo.ionos.cloud`, therefore the TLS certificate and key are created in the `/etc/letsencrypt/live/demo.ionos.cloud/` directory.

**Expected result:** The TLS certificate for your web server is issued using the Certbot plugin.
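The following script is an added example, not code from the IONOS tutorial or from the plugin project. It automates Step 4 so that the API token is written to the credentials file with mode 600 from the moment the file exists, the file is checked before use, and certbot is invoked with the flags shown above for the zone and its wildcard. The environment variable `IONOS_CLOUD_TOKEN`, the default path under `/root/.secrets`, and the script name `issue-cert.sh` are assumptions made for this example; the ini key `dns_ionos_cloud_token` is the one from Step 4.

```shell
#!/bin/sh
# Added example (not from the IONOS tutorial or the plugin project): create the
# credentials file for the dns-ionos-cloud Certbot plugin without ever exposing
# the token to other local users, verify it, and only then call certbot with the
# flags from Step 4. Assumed for this example: the token arrives in the
# IONOS_CLOUD_TOKEN environment variable and the file lives under /root/.secrets
# (both names chosen here, not mandated by the plugin).
set -u

CREDS=${CREDS:-/root/.secrets/certbot/ionos-credentials.ini}

# Create the file with mode 600 from the start (umask 077 applies before the
# file exists), so there is no window in which it is group- or world-readable.
write_credentials() { # path token
  ( umask 077 && mkdir -p "$(dirname "$1")" &&
    printf 'dns_ionos_cloud_token = %s\n' "$2" > "$1" ) || return 1
  chmod 600 "$1"
}

# Succeed only if the file exists, is mode 600 and holds a non-empty token.
# certbot refuses credential files with loose permissions anyway; checking
# here gives a clearer message than a failed ACME run.
credentials_ok() { # path
  [ -f "$1" ] || { echo "missing credentials file: $1" >&2; return 1; }
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "600" ] || { echo "mode $mode on $1, want 600" >&2; return 1; }
  grep -Eq '^dns_ionos_cloud_token[[:space:]]*=[[:space:]]*[^[:space:]]+' "$1" ||
    { echo "no dns_ionos_cloud_token value in $1" >&2; return 1; }
}

# Request a certificate for the zone and its wildcard via the DNS-01 challenge.
issue_certificate() { # zone credentials-path
  credentials_ok "$2" || return 1
  certbot certonly \
    --authenticator dns-ionos-cloud \
    --dns-ionos-cloud-credentials "$2" \
    --dns-ionos-cloud-propagation-seconds 60 \
    --agree-tos \
    --rsa-key-size 4096 \
    -d "$1" -d "*.$1"
}

# Usage: IONOS_CLOUD_TOKEN=... sh issue-cert.sh demo.ionos.cloud
if [ $# -gt 0 ]; then
  [ -f "$CREDS" ] || write_credentials "$CREDS" "${IONOS_CLOUD_TOKEN:?set IONOS_CLOUD_TOKEN}"
  issue_certificate "$1" "$CREDS"
fi
```

Passing the token through an environment variable rather than on the command line keeps it out of shell history and `ps` output, and the `umask 077` subshell means the `chmod 600` afterwards is a belt-and-braces step rather than the moment the file first becomes private.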
### Step 5: Add the TLS certificate to your web server configuration

Add the TLS certificate to your web server configuration by editing the nginx configuration file:

```sh
vi /etc/nginx/sites-available/default
```

At the beginning of the `/etc/nginx/sites-available/default` file, uncomment the following lines:

```nginx
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
```

Add the following lines to the bottom of the `server` block:

```nginx
ssl_certificate /etc/letsencrypt/live/<your-primary-zone>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<your-primary-zone>/privkey.pem;
```

Your `/etc/nginx/sites-available/default` file should look like this:

```nginx
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/run/php/php7.4-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}

	ssl_certificate /etc/letsencrypt/live/<your-primary-zone>/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/<your-primary-zone>/privkey.pem;
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}
```

Save and exit the file, then restart the nginx service:

```sh
systemctl restart nginx.service
```

Verify the nginx service status:

```sh
systemctl status nginx.service
```

**Expected result:** The TLS certificate is added to your web server configuration.

### Step 6: Test your TLS certificate

To test your TLS certificate, open a web browser and enter the URL `https://<your-primary-zone-name>`.

**Expected result:** The TLS certificate is successfully installed, and your web server is secure.

### Step 7: Renew your TLS certificate

Let's Encrypt certificates are valid for 90 days. To renew your TLS certificate manually using the Certbot plugin, issue the following command:

```sh
certbot renew
```

To automate the renewal process, you can set up a cron job to run the renewal command automatically. For more information on how to set up automated renewals, see the [Certbot documentation](https://eff-certbot.readthedocs.io/en/stable/using.html#automated-renewals).

**Expected result:** Your TLS certificate is renewed successfully.

## Final result

By following this tutorial, you have successfully set up a secure web server with a TLS certificate issued using the Certbot plugin. Your web server is now protected with HTTPS, ensuring encrypted communication for your users.

## Conclusion

This tutorial demonstrated how to securely configure a web server and issue a TLS certificate using the Certbot plugin. You are now equipped to protect your web applications with automated certificate management and HTTPS encryption.
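Opening the site in a browser (Step 6) confirms that nginx serves the certificate, but it does not tell you how close the certificate is to the 90-day expiry mentioned in Step 7, or whether an automated `certbot renew` has actually been running. The script below is an added example, not part of the IONOS tutorial: it reads the `notAfter` date of `fullchain.pem` with the `openssl` CLI (assumed to be installed, as it is on the Ubuntu cloud image used above), converts it to epoch seconds in plain shell arithmetic so the check does not depend on GNU `date`, and reports whether a renewal is due. The 30-day threshold matches certbot's own default renewal window; the script name `cert-check.sh` and the `THRESHOLD` variable are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the IONOS tutorial): report the days remaining on the
# certificate that Step 4 placed under /etc/letsencrypt/live/<zone>/fullchain.pem
# and decide whether a renewal is due. Assumes the openssl CLI is present.
set -u

# Seconds since the Unix epoch for a UTC civil date/time
# (Howard Hinnant's days_from_civil algorithm, integer arithmetic only).
civil_to_epoch() { # year month day hour minute second
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  days=$((era * 146097 + doe - 719468))
  echo $((days * 86400 + $4 * 3600 + $5 * 60 + $6))
}

# Parse the "notAfter=Jun 10 12:00:00 2030 GMT" line printed by
# `openssl x509 -enddate` into epoch seconds.
notafter_to_epoch() { # notAfter-line
  s=${1#notAfter=}
  set -- $s                           # Mon DD HH:MM:SS YYYY GMT
  case $1 in
    Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;;  May) m=5 ;;  Jun) m=6 ;;
    Jul) m=7 ;; Aug) m=8 ;; Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
    *) echo "unrecognised month in '$1'" >&2; return 1 ;;
  esac
  t=$3
  hh=${t%%:*}; t=${t#*:}; mi=${t%%:*}; ss=${t#*:}
  # strip one leading zero so "08" is not read as an invalid octal literal
  civil_to_epoch "$4" "$m" "${2#0}" "${hh#0}" "${mi#0}" "${ss#0}"
}

# Whole days between now-epoch and the notAfter line (negative = already expired).
days_left() { # notAfter-line now-epoch
  exp=$(notafter_to_epoch "$1") || return 1
  echo $(( (exp - $2) / 86400 ))
}

# Days left on a PEM certificate file, read with the openssl CLI.
cert_days_left() { # path-to-fullchain.pem
  enddate=$(openssl x509 -noout -enddate -in "$1") || return 1
  days_left "$enddate" "$(date +%s)"
}

# Exit status 0 when the certificate should be renewed now.
renewal_due() { # path-to-fullchain.pem [threshold-days]
  left=$(cert_days_left "$1") || return 1
  [ "$left" -lt "${2:-30}" ]
}

# Usage: sh cert-check.sh /etc/letsencrypt/live/demo.ionos.cloud/fullchain.pem
if [ $# -gt 0 ]; then
  pem=$1
  left=$(cert_days_left "$pem") || exit 1
  echo "$pem: $left day(s) left"
  if renewal_due "$pem" "${THRESHOLD:-30}"; then
    echo "renewal due; running: certbot renew"
    certbot renew
  fi
fi
```

Run it from the same cron job that calls `certbot renew`, or point it at the server instead of the file (`openssl s_client -connect <host>:443` piped into `openssl x509 -enddate`) to confirm that nginx was actually reloaded after a renewal and is not still serving the old certificate from memory.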
