Automatic Certification with Let's Encrypt

It is possible to set up GreenRADIUS to automatically obtain and install certificates from Let's Encrypt. These are the steps to obtain and install a certificate and configure your GreenRADIUS to automatically renew its certificate from Let's Encrypt.

Prerequisites

  • GreenRADIUS v4.3.5.5 or later
  • A valid domain name with the A record pointing at GreenRADIUS
  • GreenRADIUS must be connected to the Internet with the ability to make outgoing connections on port 443 and accept incoming connections from any IP address on port 80. (Note: if the internal UFW firewall is enabled, run sudo ufw allow 80 in the GreenRADIUS command line to allow the incoming connections.)

Steps

  1. Log into your GreenRADIUS instance via SSH
  2. sudo su
  3. snap install core
  4. snap refresh core
  5. snap install --classic certbot
  6. ln -s /snap/bin/certbot /usr/bin/certbot
  7. certbot certonly --standalone
  8. Follow the onscreen instructions. After this, your certificate files will be placed in a directory at /etc/letsencrypt/live/<your site name>/. The contents of this folder will be updated as needed by Certbot, so the certificate here should always be fresh.
  9. Download the automatic installation script from this link and unzip it. You should now have a file called install-grva.sh.
  10. Move install-grva.sh to /etc/letsencrypt/renewal-hooks/deploy.
  11. Run chmod +x /etc/letsencrypt/renewal-hooks/deploy/install-grva.sh.
  12. Run certbot renew --force-renewal and verify that no errors occurred.

You should now find that the new certificates have been installed on GreenRADIUS. Certbot will periodically refresh the certificates; there may be a few seconds where GreenRADIUS is unavailable when this occurs (approximately once per month).
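
One way to confirm the result of the steps above, as an added example that is not part of the GreenRADIUS documentation or of install-grva.sh: it checks that the deploy hook (which Certbot runs as root on every renewal) is root-owned and not writable by anyone else, that the certificate on disk is not about to expire, and that the certificate actually being served matches the one Certbot stored. It assumes GNU stat and openssl are available and that GreenRADIUS serves HTTPS on port 443; the function names and the 7-day threshold are choices made for this example.

```shell
#!/bin/sh
# Added example: post-deployment checks for the Let's Encrypt procedure.
# Assumptions (not from the page): GNU stat, openssl on PATH, HTTPS on port 443.

HOOK=/etc/letsencrypt/renewal-hooks/deploy/install-grva.sh

# Succeeds if an octal mode (as printed by `stat -c %a`) is owner-executable
# and has no write bit for group or others. Returns 2 on malformed input.
mode_is_safe() {
    case $1 in ''|*[!0-7]*) return 2 ;; esac
    perms=$(( 0$1 ))
    [ $(( perms & 022 )) -eq 0 ] && [ $(( perms & 0100 )) -ne 0 ]
}

# The deploy hook runs as root on every renewal, so only root may own or edit it.
hook_is_safe() {
    [ "$(stat -c %u "$1")" = 0 ] && mode_is_safe "$(stat -c %a "$1")"
}

# SHA-256 fingerprint of a certificate file.
fp_on_disk() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate presented by host $1 on port $2.
fp_served() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# An empty fingerprint means a lookup failed, so it never counts as a match.
same_fingerprint() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

check_deploy() {
    domain=$1; port=${2:-443}; rc=0
    cert=/etc/letsencrypt/live/$domain/cert.pem
    hook_is_safe "$HOOK" ||
        { echo "FAIL: $HOOK must be root-owned, executable, not group/world-writable"; rc=1; }
    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null ||
        { echo "FAIL: $cert expires within 7 days"; rc=1; }
    same_fingerprint "$(fp_on_disk "$cert")" "$(fp_served "$domain" "$port")" ||
        { echo "FAIL: served certificate differs from $cert"; rc=1; }
    return $rc
}

if [ "$#" -gt 0 ]; then check_deploy "$@"; fi
```

Run it as root with your domain as the first argument (and the HTTPS port as an optional second argument); it prints one FAIL line per problem and exits non-zero if any check fails.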

Updated 2021-11-01