[Freedombox-discuss] First impression of Let's Encrypt (LE) for FreedomBox

Markus Sabadello markus at projectdanube.org
Tue Nov 17 08:22:20 UTC 2015


So I received my closed beta invitation a few days ago and tried it with
my FreedomBox.
Quick summary: It worked! See https://markus.freedombox.me/

Longer summary:

1. I start by cloning https://github.com/letsencrypt/letsencrypt

2. For verifying that you control your domain name, LE needs to publish
something on your web server.
There are two options, either LE can temporarily reconfigure your
webserver (Apache), or it can temporarily run its own standalone webserver.
To me it seems the second option makes much more sense, because this way
LE doesn't have to touch your webserver's configuration.

3. So I stop Apache: service apache2 stop

4. Then I run

./letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory --standalone -d markus.freedombox.me

It takes some time to download and install dependencies for LE.

Oops, I got an error:

Failed authorization procedure. markus.freedombox.me (tls-sni-01):
connection :: The server could not connect to the client for DV ::
Failed to connect to host for DVSNI challenge

IMPORTANT NOTES:
 - The following 'connection' errors were reported by the server:

   Domains: markus.freedombox.me
   Error: The server could not connect to the client for DV

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client.
5. Don't know why the error happened, maybe because of some Pagekite
problem?
Anyway, I just try the same LE command again, and this time it worked:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/markus.freedombox.me/fullchain.pem. Your cert
   will expire on 2016-02-15. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.

6. Now I update /etc/apache2/sites-available/default-tls.conf:

        GnuTLSCertificateFile   /etc/ssl/certs/ssl-cert-letsencrypt.pem
        GnuTLSKeyFile /etc/ssl/private/ssl-cert-letsencrypt.key

And /etc/apache2/sites-available/default-ssl.conf:

        SSLCertificateFile      /etc/ssl/certs/ssl-cert-letsencrypt.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-letsencrypt.key

7. I create symlinks:

 ln -s /etc/letsencrypt/live/markus.freedombox.me/privkey.pem /etc/ssl/private/ssl-cert-letsencrypt.key
 ln -s /etc/letsencrypt/live/markus.freedombox.me/fullchain.pem /etc/ssl/certs/ssl-cert-letsencrypt.pem

8. I start Apache again, and boom! It works, my LE certificate is in place.

=====

NEXT STEPS / QUESTIONS?

- Need to figure out how to integrate this with Plinth and first boot.
Certificates have to be renewed and can be revoked.

- There are different ways of using LE. We could discuss whether LE
should update the Apache configuration directly, or if it should rather
not touch it.

- There seems to be some existing work on a Debian package for LE, a bit
outdated, but at least it seems they are working on it:
https://github.com/letsencrypt/letsencrypt/tree/debian

Markus
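A post-install check for the symlink layout in steps 6 and 7 and for the renewal question under "next steps", added here as an example; it is not part of Markus's post or of the Let's Encrypt client. It verifies that both symlinks resolve, that the private key is readable only by its owner, that certificate and key belong together, and that more than 30 days of validity remain; it assumes the openssl CLI and GNU stat, and takes the two /etc/ssl paths as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): post-install checks for the
# symlinked Let's Encrypt layout above and the renewal question from the
# next steps. Assumes the openssl CLI and GNU stat; paths are arguments.

# Return 0 if the certificate at $1 is still valid for more than $2 days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Return 0 if the public key in certificate $1 matches private key $2; a
# mismatch (fullchain relinked after renewal, privkey not) stops Apache.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if $1 is a symlink whose target exists: ln -s silently creates
# a dangling link if the live/<domain>/ path is mistyped.
symlink_resolves() {
    [ -L "$1" ] && [ -e "$1" ]
}

# Return 0 if the private key behind $1 is readable only by its owner.
key_not_world_readable() {
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# check "<description>" <command> [args...]: prints a verdict line and
# records a failure in $rc without aborting the remaining checks.
check() {
    desc="$1"; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; rc=1; fi
}

# Run every check on the certificate ($1) and key ($2) Apache loads;
# returns non-zero if any check failed.
check_all() {
    rc=0
    check "$1 is a symlink that resolves" symlink_resolves "$1"
    check "$2 is a symlink that resolves" symlink_resolves "$2"
    check "private key is not group/world readable" key_not_world_readable "$2"
    check "certificate and private key belong together" cert_matches_key "$1" "$2"
    check "more than 30 days of validity left (otherwise renew now)" cert_valid_for_days "$1" 30
    return $rc
}
# Usage: sh le-check.sh /etc/ssl/certs/ssl-cert-letsencrypt.pem /etc/ssl/private/ssl-cert-letsencrypt.key
if [ $# -eq 2 ]; then check_all "$1" "$2"; fi
```

Running it from cron after each renewal (or before "service apache2 start") catches a dangling link or a cert/key mismatch before Apache does.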
