Let’s Encrypt on EZproxy

EZproxy has an internal SSL certificate management system that requires copy/paste into their admin panel. I dislike the process because it requires sending a private key over the ‘net – perhaps insecurely the first time!

Since the free certificates from Let’s Encrypt expire every 90 days, and are automatically renewed every 60 days (using the standard setup), it would be too much hassle to update EZproxy manually that often. I’ve been able to automate the whole process via symbolic links (aka symlinks).

These instructions assume a Linux server. Other OSes should be able to use a similar method.

You will need a webserver running on the same box in order to install certificates. I do not include instructions for getting the certificates or setting up renewal – there are many excellent tutorials online already, and/or see the certbot documentation.

Once you have the location of your certificates (as the setup will tell you), here’s how to link them into EZproxy.

Linking EZproxy

Go to your EZproxy installation folder, then go to the “ssl” subfolder (by default, “/usr/local/ezproxy/ssl/”).

Check the numbers of any existing certificates in that folder. Use the next available number. In my example, there were already two existing certificates, so I used “3”.

Create a “00000003.cnf” file with the following content (or similar):

#created 2018-09-24 01:45:00
# symlink to LetsEncrypt certificate files that get updated...
#

Then create symlinks to the newly installed certificate:

ln -s /etc/letsencrypt/live/your--cert-name/privkey.pem 00000003.key
ln -s /etc/letsencrypt/live/your--cert-name/cert.pem 00000003.crt
ln -s /etc/letsencrypt/live/your--cert-name/chain.pem 00000003.ca

Replace “your--cert-name” with the cert-name you specified during setup with certbot (usually your domain name). Note that the setup routine will generally tell you where the “fullchain.pem” file is located. You can’t use that file with EZproxy, but the “cert.pem” and “chain.pem” files in that same directory (linked above as “.crt” and “.ca”) work just fine.

Activating

The EZproxy admin control panel will say this certificate is “damaged,” and will not allow you to activate or view it. So we edit the file named “active” in the “ssl” folder above. Change the number in that file to match your certificate number above, omitting the leading zeros (“0”).

Restart EZproxy. Clear/reload your browser and the new certificate will be used.

As the Let’s Encrypt certificates are renewed every sixty days by certbot (via cron job – instructions via the links above), you will also need to restart EZproxy to put the renewed certificate into use. The file path should not change, so the symlinks should continue to work.
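The whole linking procedure above as one script, an added example that is not part of the original post: it picks the next free certificate number, writes the .cnf file, creates the three symlinks and updates “active”. It assumes the EZproxy ssl folder and the certbot live folder are passed as arguments and that you restart EZproxy yourself afterwards; the readability check matters because certbot creates private keys readable only by root, so a symlink resolves fine but EZproxy cannot read it unless it runs with sufficient rights.

```bash
#!/bin/sh
# Added example (not from the original post): link a certbot certificate into
# EZproxy's ssl folder as described above. Directory names are arguments; the
# paths in comments are assumptions for illustration.
set -eu

# Highest 8-digit certificate number already in the ssl folder, plus one.
next_cert_number() {
    ssl_dir=$1
    max=0
    for f in "$ssl_dir"/[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].*; do
        [ -e "$f" ] || continue                 # glob matched nothing
        n=${f##*/}; n=${n%%.*}                  # "00000003.cnf" -> "00000003"
        n=$(printf '%s' "$n" | sed 's/^0*//'); n=${n:-0}
        if [ "$n" -gt "$max" ]; then max=$n; fi
    done
    echo $((max + 1))
}

# link_letsencrypt_cert SSL_DIR LIVE_DIR
#   SSL_DIR  e.g. /usr/local/ezproxy/ssl
#   LIVE_DIR e.g. /etc/letsencrypt/live/your--cert-name
# Prints the certificate number written to "active"; fails before touching
# anything if a target is missing or unreadable. Run it as the user EZproxy
# runs as, otherwise the -r check does not prove EZproxy can read the key.
link_letsencrypt_cert() {
    ssl_dir=$1; live_dir=$2
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$live_dir/$f" ] || { echo "cannot read $live_dir/$f" >&2; return 1; }
    done
    num=$(next_cert_number "$ssl_dir")
    padded=$(printf '%08d' "$num")
    printf '#created %s\n# symlink to LetsEncrypt certificate files that get updated...\n#\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" > "$ssl_dir/$padded.cnf"
    ln -sfn "$live_dir/privkey.pem" "$ssl_dir/$padded.key"
    ln -sfn "$live_dir/cert.pem"    "$ssl_dir/$padded.crt"
    ln -sfn "$live_dir/chain.pem"   "$ssl_dir/$padded.ca"
    printf '%s\n' "$num" > "$ssl_dir/active"    # no leading zeros here
    echo "$num"
}

# Usage: sh link-ezproxy-cert.sh /usr/local/ezproxy/ssl /etc/letsencrypt/live/your--cert-name
# Then restart EZproxy. The restart after each renewal can be automated with a
# certbot deploy hook (assumed restart command, check your install):
#   /etc/letsencrypt/renewal-hooks/deploy/ezproxy.sh -> /usr/local/ezproxy/ezproxy restart
if [ "$#" -eq 2 ]; then
    link_letsencrypt_cert "$1" "$2"
fi
```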

Feedback

Let me know if it works for you, or not!