HowTo: Let’s Encrypt SSL with Varnish and Pound on Ubuntu Server

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG). The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

After this tutorial, we will have our websites served via encrypted connection with Let’s Encrypt SSL on a server running varnish. Because varnish can’t handle SSL requests, we need pound. Pound is a reverse proxy similar to Varnish except it’s focus is more on load balancing – directing traffic to the right places. Lets assume that we already have apache2 and varnish setup up and running. In that setup, Apache2 will bind to port 8080, and varnish to port 80. Now we only need to install and configure pound, and then to get letsencrypt from git and run it. Steps for all that are explaned below. 1) Instalation and configuration of Pound To install pound we need to run next command:

sudo apt-get install pound

And if we are running old Ubuntu 12.04 that has pound version 2.5, we need to add a PPA that has newer version of pound (v.2.6) that has SSL SNI support. To do this, we need to enter next two commands: First add a PPA:

sudo add-apt-repository ppa:ppa:uwej711/pound sudo apt-get update

And then install pound like it is explaned above.   1.1) To configure Pound we need to edit file /etc/pound/pound.cfg:

sudo nano /etc/pound/pound.cfg

In that file, we need to edit ListenHTTPS part to look like this:

ListenHTTPS HeadRemove “X-Forwarded-Proto” AddHeader “X-Forwarded-Proto: https” Address 0.0.0.0 Port    443 Service BackEnd Address 127.0.0.1 Port    80 End End End

NOTE:  Insted of 0.0.0.0 for Address, we need to put our server external IP address. 2) Installing and using Let’s Encrypt SSL: First thing to do is to get letsencrypt from git:

git clone https://github.com/letsencrypt/letsencrypt

Then we enter that letsencrypt directory and create few directories in there:

cd letsencrypt mkdir -p etc lib log

Before we start letsencrypt command, we need to stop varnish and pound so that ports 80 and 443 are free:

sudo service pound stop && sudo service varnish stop

Next step is to create a SSL for our web site with next command:

./letsencrypt-auto certonly –verbose –config-dir etc/ –logs-dir log/ –work-dir lib/ -d example.com -d www.example.com

When this is finished, we will have SSL certificates for example.com website, and they are located in /home/$USER/letsencrypt/etc/live/example.com/ If we have more then one website on the server, we need to run above command for every web site that we have.  And SSL certificates will be located in /home/$USER/letsencrypt/etc/live/WEBSITE/ Pound requires the private key to be in the same file as the certificate and the chain, so we also need to do this while we are still in the letsencrypt directory:  

cd etc/live/example.com/ cat privkey.pem fullchain.pem > private_fullchain.pem

We do this for every web site that we have created SSL certificates for. Next step is to tell Pound to use this new SSL certificates by editing file /etc/pound/pound.cfg :

sudo nano /etc/pound/pound.cfg

In that file, after “Port    443” we need to copy this:

Cert “/home/$USER/letsencrypt/etc/live/example.com/private_fullchain.pem”

We need to add lines like the one above, for every web site that we have created SSL certificates. 3) Now we need to restart apache2, varnish and pound for this to work:

sudo service apache2 restart && sudo service pound restart && sudo service varnish restart

That’s all folks. 🙂 Now our websites will be served via encrypted connection with Let’s Encrypt using apache2+varnish+pound setup.