In case you haven’t heard, in early December 2015, Let’s Encrypt entered Public Beta, meaning that anyone can get a certificate issued by the Let’s Encrypt Certificate Authority without the need for an invite. If you aren’t familiar with the Let’s Encrypt project, you should check out their site. I can’t really sum it up any better than they did already, so to quote them, “Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open”. The implications of this are pretty obvious: now every site can implement a valid certificate to ensure their communications are protected. While that is a definite positive, it is also easier than ever for an attacker to get valid certificates for their servers too. I would be lying if I said that I wasn’t a little more excited about the latter point. This will be the first in a two-post series. Part one will serve as a guide to getting a certificate from Let’s Encrypt, and next time we’ll discuss getting some common attacker tools, like King Phisher, Empire, and Metasploit, to work with it.
Setting the Stage
First things first, if you are planning on using a certificate, you’ll need to have a domain established and pointing to an IP address that you control. Additionally, you will need root or sudo access to spin up a web server on ports 80 and 443. Currently, Let’s Encrypt only supports fully automated certificate installations for Apache httpd, with nginx support expected soon. However, we don’t actually need to install the certificates, so you don’t need to worry about installing and configuring a web server on your host. Once you have your server and domain set up you can move on to something a little more exciting.
Obtaining a Certificate
First you’ll need to install the Let’s Encrypt client. There are packaged installers for the following systems: Debian (Stretch or Sid), Arch Linux, FreeBSD, and OpenBSD. If you are using one of those systems, the installation instructions can be found in the documentation. The server I performed testing with was Ubuntu, so I grabbed the source from GitHub using the following command:
git clone https://github.com/letsencrypt/letsencrypt.git
Since we aren’t using an official system package, the utility we will be running is “letsencrypt-auto”, which is a wrapper for the Let’s Encrypt client that automatically configures OS dependencies. You can “cd” into the newly created “letsencrypt” directory and check out all of the options by running the script with the help flag specified:
As you can see there are several options available to obtain and install a certificate. Since we will be using the certificate with a number of tools, we don’t actually need to “install” it, so we can proceed to run the utility with the “certonly” subcommand. This will only obtain the certificate and save it on your server. It is possible to specify all of the necessary flags on the command line, but there is also a guided process to get you going. This is the option I chose during my first run, so that’s what we’ll be going with here as well. Start things off by running the command:
Note: If you are not running as root, you will get a sudo prompt.
After the client updates, you will see the following prompt:
Enter in an email address and continue. Next you will be prompted to accept the Terms of Service:
Upon agreeing you will be prompted to enter the domain(s) you would like to obtain a certificate for.
If all goes well you will see a success message:
When all is said and done, you will have four new files in /etc/letsencrypt/live/<your_domain>/
Currently, certificates issued by Let’s Encrypt expire after 90 days. To renew a certificate just run “letsencrypt-auto” with the same flags and/or settings again.
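Because the 90-day lifetime is short, it is worth checking the issued files before pointing a tool at them and again before the certificate lapses. The following script is an added example, not part of the original post or the Let’s Encrypt client: it checks that privkey.pem matches cert.pem in a live directory and whether the certificate expires within a chosen number of days. The cert.pem/privkey.pem file names, the 30-day threshold and the throwaway self-signed sample are assumptions; only openssl is required.

```shell
#!/bin/sh
# Added example: sanity checks for a directory laid out like
# /etc/letsencrypt/live/<domain>/ (assumed to hold cert.pem and privkey.pem).

# Return 0 if the certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend "$(($2 * 86400))" >/dev/null 2>&1
}

# Return 0 if the private key in $2 belongs to the certificate in $1
# (both are reduced to their PEM public key and compared).
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Report on a live directory: 0 = fine, 1 = renew now, 2 = files broken.
check_live_dir() {
    dir="$1"; threshold="${2:-30}"
    cert="$dir/cert.pem"; key="$dir/privkey.pem"
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "$dir: cert.pem or privkey.pem missing"; return 2
    fi
    if ! key_matches_cert "$cert" "$key"; then
        echo "$dir: privkey.pem does not match cert.pem"; return 2
    fi
    if ! cert_valid_for_days "$cert" "$threshold"; then
        echo "$dir: expires within $threshold days, run letsencrypt-auto again"; return 1
    fi
    echo "$dir: OK"
}

# Constructed sample (assumption): a self-signed cert with the same 90-day
# lifetime Let's Encrypt issues, so the checks run without a real domain.
make_sample_dir() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days "${2:-90}" \
        -subj "/CN=example.test" -keyout "$1/privkey.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

SAMPLE=$(mktemp -d)
make_sample_dir "$SAMPLE" 90
check_live_dir "$SAMPLE" 30 || :     # 90 days left, more than 30: OK
check_live_dir "$SAMPLE" 100 || :    # fewer than 100 days left: renew now
rm -rf "$SAMPLE"
```

Run it against /etc/letsencrypt/live/<your_domain> from cron so a lapse is noticed before the tools depending on the certificate start failing.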
That brings us to the end of part one. Stay tuned for part two, where we’ll discuss how to use your new certificate with some of our favorite offensive tools.