This post explains how to set up automatic renewal of SSL/TLS certificates (the same kind of service Let's Encrypt provides). The tool was developed by Inria's IT department (DSI), which also issues the first certificate for each server.

Tool installation

There is no RPM/APT package for this tool. The easiest way to install it is to copy it from a server where it is already installed.

Client installation

You will need root access on both the already installed server (here: dream.inria.fr) and the new server (here: myserv.inria.fr). The rsync below runs as root on myserv and logs in to dream under the same user name, so root on myserv must hold an SSH key accepted by root@dream.inria.fr:

ssh root@myserv.inria.fr
mkdir -p /opt/inriatools/certificates
rsync -av dream.inria.fr:/opt/inriatools/certificates/. /opt/inriatools/certificates/.

Client configuration

The /opt/inriatools/certificates/client/etc/acme_secti.conf file contains:

## Mandatory
cert_server=certs-sam.inria.fr
# reload_cmd='systemctl reload WHATEVER'
reload_cmd='systemctl reload nginx'
  • The cert_server line names the certificate server (the certificate database managed by the DSI).
  • The reload_cmd line contains the command run after a certificate has been renewed, typically a reload of the web server so it picks up the new files. If several commands are needed, put them in a bash script in /opt/inriatools/client/bin and point reload_cmd at it.

Certificates container

The certificates will be stored in /etc/dsissl. The setgid bit on the auto directory makes files created there inherit the directory's group:

mkdir -p  /etc/dsissl/auto
chmod g+s /etc/dsissl/auto

DO NOT REMOVE OR MODIFY THE FILES CREATED IN /etc/dsissl/auto; doing so will break the renewal process.

Service configuration

Again, copy the unit files (the acme_* service and timer) from the reference server, then enable and start the timer:

cd /lib/systemd/system
rsync 'dream.inria.fr:/lib/systemd/system/acme_*' .
systemctl start acme_secti_certs-clt.timer
systemctl enable acme_secti_certs-clt.timer

First SSL Certificate

Contact the DSI helpdesk to request the first certificate (as a user, you don’t have the rights to store certificates in the DSI database), through helpdesk.inria.fr.

Remarks:

  • The DSI team will need root access to your server. You must add their public SSH keys to /root/.ssh/authorized_keys.
  • To obtain these public keys, run /usr/bin/sss_ssh_authorizedkeys <loginname> on a DSI-installed server (e.g., srv-dream.inria.fr).

Using the Certificates

Nginx SSL Configuration

In your Nginx SSL configuration file, add lines similar to:

ssl_certificate /etc/dsissl/auto/myserv.inria.fr/fullchain.pem;
ssl_certificate_key /etc/dsissl/auto/myserv.inria.fr/privkey.pem;

Apache2 SSL Configuration

In your Apache2 SSL configuration file, add lines similar to the following (with Apache 2.4.8 or later, SSLCertificateFile may contain the full chain, so no separate SSLCertificateChainFile is needed):

SSLCertificateFile /etc/dsissl/auto/myserv.inria.fr/fullchain.pem
SSLCertificateKeyFile /etc/dsissl/auto/myserv.inria.fr/privkey.pem
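As an added example (not part of this post or of the DSI tool), here is a POSIX shell script that can be used as reload_cmd instead of a bare systemctl reload nginx. It checks that the renewed fullchain.pem and privkey.pem actually belong together and that the leaf certificate is not about to expire, then runs nginx -t before reloading, so a truncated or mismatched file in /etc/dsissl/auto/<host>/ cannot take the site down. The script name reload-web.sh, the nginx commands and the seven-day threshold are assumptions.

```shell
#!/bin/sh
# reload-web.sh: safe reload_cmd for the ACME client (example, not DSI code).
# Verifies the renewed certificate/key pair before reloading nginx.
set -eu

# check_cert_pair CHAIN KEY [MIN_DAYS]
# Returns 0 if the first certificate in CHAIN was issued for KEY and is
# still valid for at least MIN_DAYS (default 7) more days, else 1.
check_cert_pair() {
    local chain=$1 key=$2 min_days=${3:-7}
    local cert_pub key_pub

    [ -r "$chain" ] && [ -r "$key" ] || { echo "missing certificate or key" >&2; return 1; }

    # Compare SubjectPublicKeyInfo (works for RSA and EC keys alike);
    # "openssl x509" reads only the first (leaf) certificate of fullchain.pem.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) \
        || { echo "cannot parse certificate $chain" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot parse private key $key" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2
        return 1
    fi

    # -checkend takes seconds and exits non-zero if the cert expires in time.
    if ! openssl x509 -in "$chain" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires within $min_days days" >&2
        return 1
    fi
    return 0
}

# main [HOST]: validate /etc/dsissl/auto/HOST/ and reload nginx.
# The directory layout is the one described above; the host defaults to
# the machine's FQDN (assumption for this example).
main() {
    local host=${1:-$(hostname -f)}
    local dir=/etc/dsissl/auto/$host
    check_cert_pair "$dir/fullchain.pem" "$dir/privkey.pem" 7
    # Never reload into a configuration that does not parse.
    nginx -t
    systemctl reload nginx
}

# Only act when run as the installed script, so the check function can be
# sourced and exercised on its own.
case "${0##*/}" in
    reload-web.sh) main "$@" ;;
esac
```

Configure it as reload_cmd='/path/to/reload-web.sh myserv.inria.fr' (the path is whatever client bin directory you installed it in); a failing check leaves the old certificate in service and the exit status non-zero, which is exactly what you want from a renewal hook.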

That’s all, folks!

Many thanks to this ACME package!

For More Information