[Freedombox-discuss] First impression of Let's Encrypt (LE) for FreedomBox
melvincarvalho at gmail.com
Tue Nov 17 10:43:18 UTC 2015
On 17 November 2015 at 09:22, Markus Sabadello <markus at projectdanube.org>
> So I received my closed beta invitation a few days ago and tried it with
> my FreedomBox.
> Quick summary: It worked! See https://markus.freedombox.me/
> Longer summary:
> 1. I start by cloning https://github.com/letsencrypt/letsencrypt
> 2. For verifying that you control your domain name, LE needs to publish
> something on your web server.
> There are two options, either LE can temporarily reconfigure your
> webserver (Apache), or it can temporarily run its own standalone webserver.
> To me it seems the second option makes much more sense, because this way
> LE doesn't have to touch your webserver's configuration.
> 3. So I stop Apache: service apache2 stop
> 4. Then I run
> ./letsencrypt-auto certonly --server
> https://acme-v01.api.letsencrypt.org/directory --standalone -d
> It takes some time to download and install dependencies for LE.
> Ooops I got an error:
> Failed authorization procedure. markus.freedombox.me (tls-sni-01):
> connection :: The server could not connect to the client for DV :: Failed
> to connect to host for DVSNI challenge
> IMPORTANT NOTES:
> - The following 'connection' errors were reported by the server:
> Domains: markus.freedombox.me
> Error: The server could not connect to the client for DV
> To fix these errors, please make sure that your domain name was
> entered correctly and the DNS A record(s) for that domain
> contain(s) the right IP address. Additionally, please check that
> your computer has a publicly routable IP address and that no
> firewalls are preventing the server from communicating with the
> 5. Don't know why the error happened, maybe because of some Pagekite
> Anyway, I just try the same LE command again, and this time it worked:
> IMPORTANT NOTES:
> - Congratulations! Your certificate and chain have been saved at
> /etc/letsencrypt/live/markus.freedombox.me/fullchain.pem. Your cert
> will expire on 2016-02-15. To obtain a new version of the
> certificate in the future, simply run Let's Encrypt again.
> 6. Now I update /etc/apache2/sites-available/default-tls.conf:
> GnuTLSCertificateFile /etc/ssl/certs/ssl-cert-letsencrypt.pem
> GnuTLSKeyFile /etc/ssl/private/ssl-cert-letsencrypt.key
> And /etc/apache2/sites/available/default-ssl.conf:
> SSLCertificateFile /etc/ssl/certs/ssl-cert-letsencrypt.pem
> SSLCertificateKeyFile /etc/ssl/private/ssl-cert-letsencrypt.key
> 7. I create symlinks:
> ln -s /etc/letsencrypt/live/markus.freedombox.me/privkey.pem
> ln -s /etc/letsencrypt/live/markus.freedombox.me/fullchain.pem
> 8. I start Apache again, and boom! It works, my LE certificate is in place.
> NEXT STEPS / QUESTIONS?
> - Need to figure out how to integrate this with Plinth and first boot.
> Certificates have to be renewed and can be revoked.
> - There are different ways of using LE. We could discuss whether LE should
> update the Apache configuration directly, or if it should rather not touch
> - There seems to be some existing work on a Debian package for LE, a bit
> outdated, but at least it seems they are working on it:
Similar experience for me. I was happy with the final results.
Public beta due for 3 December.
Note on subdomains, I think it's limited to 1000. No wildcards.
I tested this also with client side certificate authentication and it works
well. This means we can sign in to each other's web FBX with our SSH
keys. I wrote a node script that puts an ssh key in the browser:
Needs a bit of cleaning up, but essentially it works.
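An added example, not code from the thread or from FreedomBox/Plinth, that scripts the quoted steps and the renewal point raised under NEXT STEPS: it reads the certificate's expiry with openssl, and only if renewal is due stops Apache, runs the standalone client, relinks the files the Apache config points at, and starts Apache again even when the client fails (as it did on the first try above). The client checkout path and the 30-day renewal threshold are assumptions; the ACME directory URL and symlink paths are the ones in the thread.

```python
# Renewal helper following the thread's steps: check expiry, stop Apache, run the
# standalone LE client, relink the cert files, start Apache again.
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path
# Assumptions, not from the thread: client checkout path and how early to renew.
# The ACME directory URL and the symlink paths are the ones the thread uses.
LE_CLIENT = "/root/letsencrypt/letsencrypt-auto"
ACME_SERVER = "https://acme-v01.api.letsencrypt.org/directory"
RENEW_WITHIN = timedelta(days=30)
LINKS = {Path("/etc/ssl/certs/ssl-cert-letsencrypt.pem"): "fullchain.pem",
         Path("/etc/ssl/private/ssl-cert-letsencrypt.key"): "privkey.pem"}

def parse_not_after(enddate_line: str) -> datetime:
    """Parse the 'notAfter=Feb 15 10:43:18 2016 GMT' line from `openssl x509 -enddate -noout`."""
    value = enddate_line.strip().split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def needs_renewal(not_after: datetime, now: datetime, within: timedelta = RENEW_WITHIN) -> bool:
    """True if the certificate has expired or expires within `within`."""
    return not_after - now <= within

def cert_not_after(cert_path: Path) -> datetime:
    out = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", str(cert_path)],
                         check=True, capture_output=True, text=True).stdout
    return parse_not_after(out)

def renew_standalone(domain: str) -> None:
    """Steps 3, 4, 7 and 8 of the thread; Apache comes back up even if the client fails."""
    live = Path("/etc/letsencrypt/live") / domain
    subprocess.run(["service", "apache2", "stop"], check=True)  # free port 443 for --standalone
    try:
        subprocess.run([LE_CLIENT, "certonly", "--server", ACME_SERVER,
                        "--standalone", "-d", domain], check=True)
        for link, name in LINKS.items():  # point the Apache config's paths at the new files
            link.unlink(missing_ok=True)
            link.symlink_to(live / name)
    finally:
        subprocess.run(["service", "apache2", "start"], check=True)

def main(domain: str) -> int:
    cert = Path("/etc/letsencrypt/live") / domain / "fullchain.pem"
    if cert.exists() and not needs_renewal(cert_not_after(cert), datetime.now(timezone.utc)):
        return 0  # still valid for longer than RENEW_WITHIN, nothing to do
    renew_standalone(domain)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Run as root with the domain as the only argument; a cron entry running it daily covers the renewal that the thread notes has to happen before the 2016-02-15 expiry.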