Let's Encrypt with Crypt::LE

It has been a while since I last posted, let alone updated my infra a bit, so here's one quick entry to document it.

For the longest time I hadn't enabled SSL on my blog or other HTTP sites; I used to use Comodo, then StartCom SSL. However, I got wind that StartCom (along with WoSign) will soon be distrusted by Google Chrome et al. after reviews of their operations. The good news, though, is that there's now the Let's Encrypt initiative, which provides free SSL certificates, so I figure it is high time for me to re-integrate SSL once more.

The Let's Encrypt site recommends the CertBot script as a starting point for integration, but upon grabbing the software, it wanted to install Python stuff into my system. I don't really mind, but I would rather opt for something that uses already-installed libraries, so I looked for alternatives. Being a Perl guy, I found Crypt::LE (via ZeroSSL) to be an acceptable alternative, as it can leverage my existing Perl 5.26 environment.

On the other hand, my system Perl is a different version (5.20), so I need to do a bit of work to integrate Crypt::LE. First off, I use PAR::Packer to make a binary:

$ cpanm PAR::Packer
$ cd Crypt-LE
$ pp -M Crypt::OpenSSL::Bignum -M Cpanel::JSON::XS -M IO::Socket::SSL -Ilib script/le.pl -o crypt-le

This gives me a self-sufficient client that I can put in /usr/local and that doesn't even use the system Perl. If I had Docker on my server, I would've just pulled the ZeroSSL client, but right now I don't, so I make do :)

I can then make my cert:

# crypt-le --key account.key --email REDACTED --csr domain.csr --csr-key domain.key --crt domain.crt --generate-missing --domains www.domain.tld,domain.tld --unlink --path /my/path/to/.well-known/acme-challenge --live

Renewing my cert is just the same command above, with a --renew <days> added. Wrap that up in a script that can be put in crontab, and I'm all set.

After installing the cert in the usual places, I can then verify its correct installation with

$ openssl s_client -showcerts -connect zakame.net:443

as well as with a proper browser, or two.
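A cron wrapper of the kind mentioned above, which also automates the openssl s_client check, as an added example that is not the author's script: it reuses the flags from the manual run plus --renew, reloads the web server only when the fingerprint of the certificate file changed, and exits non-zero (so cron mails me) if the served chain does not verify. The paths under /etc/ssl/letsencrypt, nginx as the web server, the 30-day threshold and the cert_fingerprint/served_cert_ok helpers are assumptions, not from the post.

```sh
#!/bin/sh
# Cron wrapper for the packed crypt-le client (added example, not the author's script):
# renew when due, reload the web server only if the cert actually changed, then
# verify what the site serves. Paths, nginx and the 30-day threshold are assumptions.
set -eu
CLIENT=/usr/local/bin/crypt-le       # the pp-packed binary from above
CERT_DIR=/etc/ssl/letsencrypt        # assumed home of account.key, domain.csr/key/crt
WEBROOT=/my/path/to                  # --path becomes $WEBROOT/.well-known/acme-challenge
DOMAINS="www.domain.tld,domain.tld"
EMAIL="${ACME_EMAIL:-REDACTED}"
RENEW_DAYS=30

# The same flags as the manual run, plus --renew; one flag or value per word.
renew_args() {
    printf '%s ' --key "$CERT_DIR/account.key" --email "$EMAIL" \
        --csr "$CERT_DIR/domain.csr" --csr-key "$CERT_DIR/domain.key" \
        --crt "$CERT_DIR/domain.crt" --generate-missing --domains "$DOMAINS" \
        --unlink --path "$WEBROOT/.well-known/acme-challenge" --live \
        --renew "$RENEW_DAYS"
}

# SHA-256 fingerprint of a PEM certificate, or "none" if it cannot be read.
cert_fingerprint() {
    { [ -r "$1" ] && openssl x509 -noout -fingerprint -sha256 -in "$1"; } || echo none
}

# Read `openssl s_client` output on stdin; succeed only if the chain verified
# and the subject names the expected host (what the manual check looks for).
served_cert_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' || return 1
    printf '%s\n' "$out" | grep -q "CN *= *$1" || return 1
}

main() {
    host=${DOMAINS%%,*}
    before=$(cert_fingerprint "$CERT_DIR/domain.crt")
    status=0
    "$CLIENT" $(renew_args) || status=$?   # word-splitting the flag list is intended
    [ "$status" -eq 0 ] || echo "crypt-le exited $status (not due yet, or an error)" >&2
    after=$(cert_fingerprint "$CERT_DIR/domain.crt")
    [ "$before" = "$after" ] || systemctl reload nginx
    # A non-zero exit here lands in cron's mail: the served chain is wrong.
    openssl s_client -showcerts -connect "$host:443" </dev/null 2>/dev/null \
        | served_cert_ok "$host"
}

if [ "${RUN_RENEWAL:-0}" = 1 ]; then main; fi   # set RUN_RENEWAL=1 in the crontab entry
```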

After this, I'm mulling whether to continue using Movable Type for this blog, or maybe move to other engines. Hugo seems like a good candidate.