Let’s Encrypt [Part I]
Using “Let’s Encrypt” certificates with the SAP HANA web dispatcher and XSA on an Azure deployment for SSL/TLS communication.
_____________________________________________________________________________________
In our POC environment, where we installed SAP HANA and BW/4HANA on virtual machines deployed on Azure, we wanted HTTPS communication with the HANA web dispatcher and the XSA environment. Our SAP HANA and BW/4HANA deployments run on Red Hat Linux servers, and everything in this document is Linux-related.
We decided to use Let’s Encrypt certificates because the ISRG root they chain to is trusted by all common browsers and operating systems, and the certificates are free of charge.
https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394.
The public DNS records (FQDNs) for SAP HANA and BW/4HANA were created in Azure DNS by the team administering our Azure cloud environment and are not part of this blog. To request the certificates from Let’s Encrypt, the following ACME client was used:
https://github.com/acmesh-official/acme.sh
Before the client can obtain certificates for the requested domains, Let’s Encrypt must validate that you control them. Several challenge types exist; in our case the validation is done through Azure DNS (the DNS-01 challenge), which is also the only challenge type Let’s Encrypt accepts for a wildcard name like the one we request below. Give the service principal that acme.sh uses only the DNS Zone Contributor role on that zone: anything that can write your public DNS can also obtain certificates for it. The prerequisites for letting acme.sh update Azure DNS are described here:
https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Azure-DNS
Once acme.sh is installed you can issue a request for the required domains. The first -d is the certificate’s primary name; every further -d is added as a subject alternative name, so the three names below end up in one certificate:
acme.sh --issue --dns dns_azure -d xsa.hana.mydomain.eu -d '*.xsa.hana.mydomain.eu' -d 'hana.mydomain.eu'
acme.sh writes the certificate, its key, the intermediate (ca.cer) and the combined fullchain.cer into its per-domain directory (by default under ~/.acme.sh/).
One of the inconveniences of Let’s Encrypt is that its certificates are valid for only 90 days, so they have to be renewed and re-imported into the web dispatcher and XSA environment at least every three months. acme.sh installs a cron job that takes care of the renewal itself (by default it renews after 60 days); what still needs automating is re-importing the renewed certificate into the web dispatcher and XSA. The following script automates that part. I’ll break down the different steps being performed.
Before the breakdown of the script, here is the preparation I did for the script to run properly. I created a directory acme under the $SECUDIR folder; the script copies the acme.sh-generated files into this one central directory. Additionally, I downloaded the Let’s Encrypt root and intermediate certificates, because the web dispatcher and XSA need the complete chain (server certificate, intermediate and root) when the signed server certificate is imported into the PSE. The root and intermediate certificates can be downloaded from the following link:
https://letsencrypt.org/certificates/
Download the “ISRG Root X1” root and the “Let’s Encrypt R3” intermediate PEM files (make sure to take the active ones). I renamed them “isgrootx1.cer” and “x3.cer” respectively and placed them in the $SECUDIR/acme folder. Be aware that the root and intermediate certificates also have an expiration date (they are valid for several years) and that Let’s Encrypt rotates intermediates far more often than roots; check that the copies you keep are still the active ones, and download them again once they expire or are replaced. Because acme.sh already stores the intermediate actually used for your certificate as ca.cer, and the server certificate plus intermediate as fullchain.cer, preferring those files over a manually downloaded intermediate keeps the import working across such a rotation.
Next is the complete script I wrote. Place it somewhere where it can be executed by the SAP administrator OS user (<sid>adm).
In the next blog, Pascal will break down the script. Keep an eye on our website!