[Freedombox-discuss] First impression of Let's Encrypt (LE) for FreedomBox

Melvin Carvalho melvincarvalho at gmail.com
Tue Nov 17 10:43:18 UTC 2015

On 17 November 2015 at 09:22, Markus Sabadello <markus at projectdanube.org>

> So I received my closed beta invitation a few days ago and tried it with
> my FreedomBox.
> Quick summary: It worked! See https://markus.freedombox.me/
> Longer summary:
> 1. I start by cloning https://github.com/letsencrypt/letsencrypt
> 2. For verifying that you control your domain name, LE needs to publish
> something on your web server.
> There are two options, either LE can temporarily reconfigure your
> webserver (Apache), or it can temporarily run its own standalone webserver.
> To me it seems the second option makes much more sense, because this way
> LE doesn't have to touch your webserver's configuration.
> 3. So I stop Apache: service apache2 stop
> 4. Then I run
> ./letsencrypt-auto certonly --server
> https://acme-v01.api.letsencrypt.org/directory --standalone -d
> markus.freedombox.me
> It takes some time to download and install dependencies for LE.
> Oops, I got an error:
> Failed authorization procedure. markus.freedombox.me (tls-sni-01):
> connection :: The server could not connect to the client for DV :: Failed
> to connect to host for DVSNI challenge
>  - The following 'connection' errors were reported by the server:
>    Domains: markus.freedombox.me
>    Error: The server could not connect to the client for DV
>    To fix these errors, please make sure that your domain name was
>    entered correctly and the DNS A record(s) for that domain
>    contain(s) the right IP address. Additionally, please check that
>    your computer has a publicly routable IP address and that no
>    firewalls are preventing the server from communicating with the
>    client.
> 5. Don't know why the error happened, maybe because of some Pagekite
> problem?
> Anyway, I just try the same LE command again, and this time it worked:
>  - Congratulations! Your certificate and chain have been saved at
>    /etc/letsencrypt/live/markus.freedombox.me/fullchain.pem. Your cert
>    will expire on 2016-02-15. To obtain a new version of the
>    certificate in the future, simply run Let's Encrypt again.
> 6. Now I update /etc/apache2/sites-available/default-tls.conf:
>         GnuTLSCertificateFile   /etc/ssl/certs/ssl-cert-letsencrypt.pem
>         GnuTLSKeyFile /etc/ssl/private/ssl-cert-letsencrypt.key
> And /etc/apache2/sites-available/default-ssl.conf:
>         SSLCertificateFile      /etc/ssl/certs/ssl-cert-letsencrypt.pem
>         SSLCertificateKeyFile /etc/ssl/private/ssl-cert-letsencrypt.key
> 7. I create symlinks:
>  ln -s /etc/letsencrypt/live/markus.freedombox.me/privkey.pem
> /etc/ssl/private/ssl-cert-letsencrypt.key
>  ln -s /etc/letsencrypt/live/markus.freedombox.me/fullchain.pem
> /etc/ssl/certs/ssl-cert-letsencrypt.pem
> 8. I start Apache again, and boom! It works, my LE certificate is in place.
> =====
> - Need to figure out how to integrate this with Plinth and first boot.
> Certificates have to be renewed and can be revoked.
> - There are different ways of using LE. We could discuss whether LE should
> update the Apache configuration directly, or if it should rather not touch
> it.
> - There seems to be some existing work on a Debian package for LE, a bit
> outdated, but at least it seems they are working on it:
> https://github.com/letsencrypt/letsencrypt/tree/debian

Similar experience for me.  I was happy with the final results.

Public beta due for 3 December.

Note on subdomains, I think it's limited to 1000.  No wildcards.

I tested this also with client side certificate authentication and it works
well.  This means we can sign in to each other's web FBX with our SSH
keys.  I wrote a node script that puts an ssh key in the browser:


Needs a bit of cleaning up, but essentially it works.

> Markus
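The manual flow Markus walks through above (stop Apache, run the standalone authenticator, symlink the live cert and key, restart Apache), automated as an added example that is not from the thread or the FreedomBox project. It assumes a letsencrypt checkout in $LE_DIR, Apache managed via "service", and openssl on the box; the domain, server URL and file paths are the ones from the thread, and the renewal threshold is a constructed value.

```sh
#!/bin/sh
# Added example, not from the thread: automate Markus' standalone flow and
# only renew when the cert is near expiry. Assumes a letsencrypt checkout in
# $LE_DIR, Apache managed by "service", and openssl; paths are the thread's.
set -eu
DOMAIN="${DOMAIN:-markus.freedombox.me}"
LE_DIR="${LE_DIR:-${HOME:-/root}/letsencrypt}"
LIVE="/etc/letsencrypt/live/$DOMAIN"
RENEW_BEFORE_DAYS=30   # LE certs live 90 days; renew with a month to spare
# Days since 1970-01-01 for a Gregorian date (the days_from_civil algorithm),
# so the expiry math works in plain POSIX sh without GNU "date -d".
days_from_civil() {  # YYYY MM DD
  y=$1; m=${2#0}; d=${3#0}
  if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}
days_until() {  # days from today (or an explicit 2nd date) until YYYY-MM-DD
  e=$1; t=${2:-$(date +%Y-%m-%d)}; e2=${e#*-}; t2=${t#*-}
  a=$(days_from_civil "${e%%-*}" "${e2%%-*}" "${e2#*-}")
  b=$(days_from_civil "${t%%-*}" "${t2%%-*}" "${t2#*-}")
  echo $((a - b))
}
month_num() { case $1 in Jan) echo 1;; Feb) echo 2;; Mar) echo 3;; Apr) echo 4;;
  May) echo 5;; Jun) echo 6;; Jul) echo 7;; Aug) echo 8;; Sep) echo 9;;
  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;; esac; }
# openssl prints "notAfter=Feb 15 23:59:59 2016 GMT"; turn that into days left.
cert_days_left() {
  set -- $(openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//')
  days_until "$4-$(month_num "$1")-$2"
}
# The thread's manual steps: stop Apache so the standalone authenticator can
# bind the port, request the cert, then restart Apache no matter what (the
# first attempt in the thread failed; the trap keeps the box reachable).
renew_standalone() {
  service apache2 stop
  trap 'service apache2 start' EXIT
  "$LE_DIR/letsencrypt-auto" certonly --standalone \
    --server https://acme-v01.api.letsencrypt.org/directory -d "$DOMAIN"
  # Same symlinks as in the thread; -f makes a re-run idempotent, and the key
  # itself stays under root-only /etc/letsencrypt.
  ln -sf "$LIVE/privkey.pem"   /etc/ssl/private/ssl-cert-letsencrypt.key
  ln -sf "$LIVE/fullchain.pem" /etc/ssl/certs/ssl-cert-letsencrypt.pem
}
case "${1:-}" in
  renew) left=$(cert_days_left "$LIVE/fullchain.pem")
         if [ "$left" -lt "$RENEW_BEFORE_DAYS" ]; then renew_standalone
         else echo "$left days left for $DOMAIN, no renewal needed"; fi ;;
esac
```

Run it as `sh le-renew.sh renew` from cron; without the argument it only defines the functions, so the expiry helpers can be exercised on their own.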