Based heavily on the SSL setup in my forgejo instructions (coming soon), these instructions should set up Sympl.io with DNS-based SSL certificates. This is useful for servers behind a firewall, such as a corporate network or homelab, where LetsEncrypt can't reach the host to do HTTP-based domain validation.

Sympl doesn't currently support DNS-based domain validation for SSL out of the box, so I'm using Dehydrated to validate and generate the SSL certificates, and a deploy hook then installs them into Sympl after each issue or renewal.

Generating SSL certificates

First, set up Dehydrated to fetch SSL certificates with DNS validation using MythicBeasts' guide, but read this whole section first as we skip some of their steps.

While it should be simple for dehydrated to handle both certificate generation and the reloading of the apache2 service through sympl, dehydrated only accepts a single HOOK script, so we need another small library to stack multiple hook scripts. MythicBeasts' documentation, above, configures the HOOK variable to point at their DNS script alone; we need both their DNS script and our reloading script to run.

  1. Follow their guide up until the HOOK and HOOK_CHAIN setup steps.
  2. Skip the HOOK and HOOK_CHAIN setup in their documentation (you do still need to set CHALLENGETYPE as per their guide).
  3. Run the script below.
  4. Then continue with the rest of their docs.

Setup the ability to stack multiple hooks in dehydrated

cd /etc/dehydrated
# code-rack is a dehydrated hook that runs every script found under
# /etc/dehydrated/hooks/<hook-name>/ in turn, so several hooks can share one HOOK setting
git clone https://github.com/mythic-beasts/dehydrated-code-rack.git

# Register the MythicBeasts DNS-01 hook with code-rack. This assumes their guide cloned
# it into /etc/dehydrated/dehydrated-mythic-dns01; adjust the path if you put it elsewhere.
for d in common clean-challenge deploy-challenge; do
    mkdir -p /etc/dehydrated/hooks/$d
    ln -s /etc/dehydrated/dehydrated-mythic-dns01/$d/mythic-dns01 /etc/dehydrated/hooks/$d
done

# The Sympl deploy script (next section) lives here
mkdir -p /etc/dehydrated/hooks/deploy-cert

# Make code-rack the HOOK dehydrated calls. dehydrated sources /etc/dehydrated/conf.d/*.sh
# after its main config, and that directory does not exist on a fresh install.
mkdir -p /etc/dehydrated/conf.d
ln -s /etc/dehydrated/dehydrated-code-rack/code-rack /etc/dehydrated/hooks/code-rack
ln -s /etc/dehydrated/dehydrated-code-rack/code-rack.sh /etc/dehydrated/conf.d/code-rack.sh

Also, because the current version of sympl-ssl only supports RSA private keys, we need to configure dehydrated to only generate RSA keys.

cat > /etc/dehydrated/conf.d/sympl-ssl.sh <<'EOF'
# dehydrated accepts KEY_ALGO=rsa, prime256v1 or secp384r1
# (https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/config),
# but sympl-ssl only handles RSA private keys, so pin it to rsa here.
KEY_ALGO=rsa
EOF

You can test that certificate generation works at this point by running dehydrated -c. If you already issued certificates before adding the KEY_ALGO snippet, force a renewal with dehydrated -c -x so that a fresh RSA key is generated (dehydrated creates a new private key on each renewal by default); sympl-ssl will reject the EC key otherwise.

Automate SSL certificate installation into Sympl

Once you've got certificates being correctly issued with DNS-based validation, it's time to move on to integrating them into Sympl.

We'll add a deploy-cert hook that copies each newly issued certificate into a Sympl SSL set and tells sympl-ssl to select it, so installation happens automatically on every renewal.

cat > /etc/dehydrated/hooks/deploy-cert/sympl <<'EOF'
#!/bin/sh
# Run by code-rack after dehydrated issues or renews a certificate.
# Stops Sympl's own provider from overwriting our set, then writes the files
# in the layout sympl-ssl expects and activates that set.
set -e
SET="/srv/$DOMAIN/config/ssl/sets/dehydrated"
echo 'false' > "/srv/$DOMAIN/config/ssl-provider"
mkdir -p "$SET"
cat "$CERTFILE" > "$SET/ssl.crt"
cat "$CHAINFILE" > "$SET/ssl.bundle"
# Everything from here on contains the private key: keep it root-only
umask 077
cat "$KEYFILE" > "$SET/ssl.key"
cat "$FULLCHAINFILE" "$KEYFILE" > "$SET/ssl.combined"
sympl-ssl "$DOMAIN" --verbose --select dehydrated
EOF

chmod 0700 /etc/dehydrated/hooks/deploy-cert/sympl

You can test this deployment script by forcing a renewal with dehydrated -c -x (-x forces renewal). Bear in mind that LetsEncrypt rate-limits issuance, so change your config to use the LetsEncrypt staging server while testing your deployment scripts (recent dehydrated releases accept CA="letsencrypt-test"; older ones take the staging directory URL). Staging certificates are not trusted by browsers, so switch the CA back and force one more renewal once the hook works.
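Forcing real renewals burns through LetsEncrypt's rate limits, and the RSA-only constraint from the earlier section is easy to get wrong silently. The following added example (mine, not code from the post or from the Sympl or dehydrated projects) dry-runs the file handling of the deploy-cert hook against a throwaway directory and checks the result the way a practitioner would before pointing dehydrated at the real /srv tree. Everything in it is hypothetical and assumed: the SRV_ROOT override, the function names install_set, verify_set, check_rsa_key and mode_of, and the dehydrated default certificate directory /etc/dehydrated/certs/<domain>/ used in the usage comment; the set name and file names match the hook above.

```shell
#!/bin/sh
# Added example (not the post's or Sympl's own code). SRV_ROOT stands in for
# /srv so a dry run never touches the live Sympl configuration (assumption).
SRV_ROOT="${SRV_ROOT:-/srv}"

# Octal mode bits of a file; GNU stat first, BSD stat as fallback (hypothetical helper).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_set DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE
# Same argument order dehydrated passes to deploy_cert (minus the timestamp).
# Mirrors the hook: disable Sympl's own provider, populate the "dehydrated"
# set, keep key material 0600. Does not call sympl-ssl.
install_set() {
    domain=$1; keyfile=$2; certfile=$3; fullchainfile=$4; chainfile=$5
    set_dir="$SRV_ROOT/$domain/config/ssl/sets/dehydrated"
    for f in "$keyfile" "$certfile" "$fullchainfile" "$chainfile"; do
        [ -s "$f" ] || { echo "install_set: missing or empty $f" >&2; return 1; }
    done
    mkdir -p "$set_dir" || return 1
    echo false > "$SRV_ROOT/$domain/config/ssl-provider"
    cp "$certfile" "$set_dir/ssl.crt"
    cp "$chainfile" "$set_dir/ssl.bundle"
    # Subshell so the restrictive umask only covers the files holding the key;
    # the explicit chmod also fixes the mode of files left over from a previous run.
    (
        umask 077
        cp "$keyfile" "$set_dir/ssl.key"
        cat "$fullchainfile" "$keyfile" > "$set_dir/ssl.combined"
    )
    chmod 0600 "$set_dir/ssl.key" "$set_dir/ssl.combined"
}

# verify_set DOMAIN
# Structural checks on an installed set: provider disabled, all four files
# present, key-bearing files 0600, and ssl.combined exactly cert + chain + key.
verify_set() {
    domain=$1
    set_dir="$SRV_ROOT/$domain/config/ssl/sets/dehydrated"
    [ "$(cat "$SRV_ROOT/$domain/config/ssl-provider")" = false ] || return 1
    for f in ssl.crt ssl.bundle ssl.key ssl.combined; do
        [ -s "$set_dir/$f" ] || { echo "verify_set: $f missing" >&2; return 1; }
    done
    for f in ssl.key ssl.combined; do
        [ "$(mode_of "$set_dir/$f")" = 600 ] || { echo "verify_set: $f is not 0600" >&2; return 1; }
    done
    cat "$set_dir/ssl.crt" "$set_dir/ssl.bundle" "$set_dir/ssl.key" \
        | cmp -s - "$set_dir/ssl.combined"
}

# check_rsa_key KEYFILE
# sympl-ssl only handles RSA keys. dehydrated writes EC keys with an
# "EC PRIVATE KEY" PEM header, while RSA keys carry "RSA PRIVATE KEY" (PKCS#1)
# or "PRIVATE KEY" (PKCS#8); the header rules EC out and, when openssl is
# installed, "openssl rsa" confirms the key actually parses as RSA.
check_rsa_key() {
    head -n 1 "$1" | grep -q 'EC PRIVATE KEY' && return 1
    if command -v openssl >/dev/null 2>&1; then
        openssl rsa -in "$1" -noout >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Usage (after sourcing this file) with the files dehydrated already wrote,
# assuming its default certificate directory:
#   SRV_ROOT=/tmp/sympl-dryrun
#   C=/etc/dehydrated/certs/example.org
#   check_rsa_key "$C/privkey.pem" \
#     && install_set example.org "$C/privkey.pem" "$C/cert.pem" "$C/fullchain.pem" "$C/chain.pem" \
#     && verify_set example.org && echo "set looks right"
```

Once verify_set passes on the dry-run tree, the only thing the real hook adds is the sympl-ssl call, so a failure after wiring it up is in Sympl rather than in the file plumbing.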