Implementing HTTPS for SAS using Let’s Encrypt CA

For IT and SAS Administrators, implementing and maintaining TLS/SSL certificates continues to be a tedious and frustratingly manual process. Thankfully, the team at Let’s Encrypt has created an elegant, automated solution for certificate issuance and renewal. And the best part is that it’s free!

I spent a little time implementing the ACME protocol using the Certbot client and certificates from the Let’s Encrypt Certificate Authority. The process was fairly simple to implement, and the automatic renewal should save significant administrative time going forward.

There are a few caveats and prerequisites to understand before embarking on your free certificate journey. The first is that you must be able to prove control of the DNS name for which you’re requesting a certificate. With the HTTP-01 challenge used here, that proof is a token the CA fetches over plain HTTP on port 80, so the host must be reachable on port 80 from the internet (by Let’s Encrypt’s validation servers, not just by you), and binding port 80 requires root access. The Certbot client will either start a temporary standalone webserver on that port or, if you already run one, write the challenge file under your existing webroot. Because renewal is an ongoing automated process that talks to the Let’s Encrypt ACME API, the host also needs outbound HTTPS access to at least that endpoint (the api.letsencrypt.org hosts shown in the runs below).

Given these requirements, the Let’s Encrypt CA is likely not a good choice for large corporate environments, where mid-tier hosts are seldom reachable from the internet on port 80. However, for smaller sites, or in a hosted scenario where the SAS Admin is also the network and IT admin, the Let’s Encrypt CA can be a tremendous benefit. Here’s an overview of what I did to configure it for one of our Cached Consulting lab Mid-Tier hosts.

The first step is to familiarize yourself with the Let’s Encrypt documentation. From there, download the Certbot client from https://certbot.eff.org. Even though SAS uses an Apache-style httpd server, I chose “Unspecified Webserver” (i.e. the generic instructions) for my CentOS 7 host: the certonly workflow below only obtains the certificate and leaves the SAS Web Server configuration to you. From there I installed the certbot package:

[shayes@dev1mid1 ~]$ sudo yum install certbot

By default, the SAS Web Server listens on port 7980, so port 80 was free and I let Certbot run a temporary standalone webserver on it for the domain-validation step. Because Let’s Encrypt rate-limits how many certificates you may request for a domain in a given period, they recommend exercising your process against their Staging environment first. The --dry-run flag does exactly that: it performs the full request against the staging endpoint and throws the result away:

[shayes@dev1mid1 ~]$ sudo certbot certonly --standalone -d dev1mid1.cachedconsulting.com --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dev1mid1.cachedconsulting.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- The dry run was successful.

From there I executed the actual certificate request:

[shayes@dev1mid1 ~]$ sudo certbot certonly --standalone -d dev1mid1.cachedconsulting.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dev1mid1.cachedconsulting.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/dev1mid1.cachedconsulting.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/dev1mid1.cachedconsulting.com/privkey.pem
   Your cert will expire on 2018-06-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

And voila! We have everything we need to (re-)configure our SAS WebServer for HTTPS.

[root@dev1mid1 dev1mid1.cachedconsulting.com]# ls -al
total 4
drwxr-xr-x+ 2 root root  93 Mar 14 17:28 .
drwxr-x---+ 3 root root  43 Mar 14 17:28 ..
lrwxrwxrwx  1 root root  53 Mar 14 17:28 cert.pem -> ../../archive/dev1mid1.cachedconsulting.com/cert1.pem
lrwxrwxrwx  1 root root  54 Mar 14 17:28 chain.pem -> ../../archive/dev1mid1.cachedconsulting.com/chain1.pem
lrwxrwxrwx  1 root root  58 Mar 14 17:28 fullchain.pem -> ../../archive/dev1mid1.cachedconsulting.com/fullchain1.pem
lrwxrwxrwx  1 root root  56 Mar 14 17:28 privkey.pem -> ../../archive/dev1mid1.cachedconsulting.com/privkey1.pem
-rw-r-xr--+ 1 root root 543 Mar 14 17:28 README
[root@dev1mid1 dev1mid1.cachedconsulting.com]# openssl x509 -noout -text -in cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:8e:a0:15:fe:8a:18:ce:5f:90:3e:3c:df:05:70:61:25:25
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Mar 14 16:28:54 2018 GMT
            Not After : Jun 12 16:28:54 2018 GMT
        Subject: CN=dev1mid1.cachedconsulting.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

By default the certificate files, including the private key, are readable only by root: /etc/letsencrypt/live and /etc/letsencrypt/archive are root-only directories, and everything under live/ is a symlink into archive/. Because the SAS Web Server runs as the SAS Installer account, I added an ACL that grants the ‘sas’ user execute (traverse) permission on the directory structure and read permission on the certificate files. Two points to check when you do this: the ACL has to cover the archive/ tree as well as live/, because that is where the symlinks resolve; and it should include a default ACL on the archive directory so that the files Certbot writes at each renewal (cert2.pem, privkey2.pem, and so on) inherit the grant rather than silently reverting to root-only. Read access to privkey.pem is equivalent to holding the key, so grant it to that one service account and never to a group or to ‘other’.
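As an added example (not code from the original post), here is a shell script that applies the ACL the way described above, covering the archive/ tree and adding a default ACL so files written at renewal inherit it. The base directory, lineage name and account name are parameters rather than the post’s specific values, and it assumes the acl package (setfacl/getfacl) is installed:

```shell
#!/bin/sh
# Added example, not from the original post: grant one service account read access
# to a Certbot certificate lineage using POSIX ACLs. It covers the archive/ tree
# (where the live/ symlinks actually point) and installs a default ACL so the
# cert2.pem / privkey2.pem that Certbot writes at the next renewal inherit the grant.
# Assumes the acl package (setfacl/getfacl) is installed; paths and names are
# parameters, e.g. grant_cert_access /etc/letsencrypt dev1mid1.cachedconsulting.com sas
set -eu

grant_cert_access() {
    base="$1"    # Certbot base directory, normally /etc/letsencrypt
    domain="$2"  # lineage name, i.e. the directory name under live/
    user="$3"    # service account, e.g. sas (name or numeric uid)

    # Traverse-only on the parents: the account can resolve paths through
    # live/ and archive/ but cannot list the other lineages stored there.
    for d in "$base/live" "$base/archive"; do
        setfacl -m "u:$user:x" "$d"
    done

    # The lineage directories get read+traverse, plus a default ACL so that
    # files created there later (renewals) are readable by the account.
    for d in "$base/live/$domain" "$base/archive/$domain"; do
        setfacl -m "u:$user:rx" "$d"
        setfacl -d -m "u:$user:r" "$d"
    done

    # The real files are in archive/; live/*.pem are symlinks to them.
    for f in "$base/archive/$domain"/*.pem; do
        [ -e "$f" ] || continue
        setfacl -m "u:$user:r" "$f"
    done
}

# Returns 0 if the account has a read ACL entry on the private key as reached
# through the live/ symlink (getfacl follows the link to the archive/ file).
check_key_readable() {
    base="$1"; domain="$2"; user="$3"
    uid=$(id -u "$user")
    getfacl -n -p "$base/live/$domain/privkey.pem" 2>/dev/null | grep -q "^user:$uid:r"
}
```

Run it once as root after the first issuance; the default ACL means it does not need to be re-run after each renewal, but check_key_readable is a cheap thing to call from a renewal hook to confirm that.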

From here, the next steps were to follow the SAS Docs to update my SAS Mid-Tier for TLS/SSL. Here’s a shot of the Welcome to SAS 9.4 default page:

If you have not yet installed SAS, you can simply point the SAS Deployment Wizard (SDW) at the files in /etc/letsencrypt/live/$domain as you proceed through the configuration steps to have HTTPS enabled at configuration time.

The ACME protocol is built to facilitate easy-to-use, automatically deployed certificates. As such, the Let’s Encrypt CA issues certificates that are valid for only 90 days, with the expectation that sites will run a cron job or scheduled task (certbot renew) to renew them in plenty of time; certbot renew only touches certificates within 30 days of expiry, so it is safe to schedule daily. Two consequences for a SAS Mid-Tier: with the standalone authenticator, port 80 must still be free and reachable from the internet at every renewal, and the SAS Web Server loads its certificate at startup, so it must be restarted after each renewal (Certbot’s --deploy-hook runs a command only after a successful renewal) or it will keep serving the old certificate until it expires. Keep that final point in mind as you configure your environment!
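As an added example (not from the original post, and not part of SAS or Certbot), here is a deploy hook that handles the restart step. Certbot runs executables placed in /etc/letsencrypt/renewal-hooks/deploy/ after every successful renewal with RENEWED_LINEAGE set to the renewed lineage directory, and this script verifies the new certificate and key before restarting the SAS Web Server. The path to the SAS Web Server control script (httpdctl under the configuration directory) is an assumption; set SAS_HTTPDCTL to match your deployment:

```shell
#!/bin/sh
# Added example, not from the original post: a Certbot deploy hook for a SAS 9.4
# Mid-Tier. Certbot invokes it only after a successful renewal, with RENEWED_LINEAGE
# set to the lineage directory (e.g. /etc/letsencrypt/live/dev1mid1.cachedconsulting.com).
# Before restarting, it checks that the renewed certificate and key belong together
# and that the certificate is actually fresh, so a bad renewal never takes the
# Mid-Tier down by restarting it onto a broken pair.
# Assumption (not from the post): the SAS Web Server control script lives at
# <SAS configuration directory>/Lev1/Web/WebServer/bin/httpdctl.
set -eu

SAS_HTTPDCTL="${SAS_HTTPDCTL:-/opt/sas/config/Lev1/Web/WebServer/bin/httpdctl}"

# Returns 0 if the public key inside the certificate matches the private key.
# Compares SHA-256 digests of the two PEM public keys rather than the keys
# themselves, so it works for RSA and EC keys alike.
cert_matches_key() {
    cert="$1"; key="$2"
    c=$(openssl x509 -noout -pubkey -in "$cert" | openssl sha256)
    k=$(openssl pkey -pubout -in "$key" 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# Returns 0 if the certificate is still valid in $2 seconds from now.
cert_valid_for() {
    cert="$1"; seconds="$2"
    openssl x509 -noout -checkend "$seconds" -in "$cert" >/dev/null
}

deploy() {
    lineage="$1"
    cert="$lineage/fullchain.pem"; key="$lineage/privkey.pem"
    cert_matches_key "$cert" "$key" || { echo "cert/key mismatch in $lineage" >&2; return 1; }
    # A just-renewed Let's Encrypt certificate has about 90 days left; anything
    # under 30 means we were handed something stale, so refuse to restart onto it.
    cert_valid_for "$cert" $((30*24*3600)) || { echo "renewed cert expires too soon" >&2; return 1; }
    "$SAS_HTTPDCTL" restart
}

# Only act when Certbot is calling us; run by hand the script just defines the
# functions above and exits, which keeps it safe to test.
if [ "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Install it executable under /etc/letsencrypt/renewal-hooks/deploy/ (or pass it explicitly with certbot renew --deploy-hook /path/to/sas-webserver-deploy.sh) and schedule the renewal itself with a cron entry such as 0 3 * * * /usr/bin/certbot renew --quiet. Because the hook only restarts when RENEWED_LINEAGE is set, the daily run is a no-op until a certificate is actually renewed.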

About the author: Spencer Hayes
