[Freedombox-discuss] First impression of Let's Encrypt (LE) for FreedomBox

Melvin Carvalho melvincarvalho at gmail.com
Tue Nov 17 10:43:18 UTC 2015


On 17 November 2015 at 09:22, Markus Sabadello <markus at projectdanube.org>
wrote:

> So I received my closed beta invitation a few days ago and tried it with
> my FreedomBox.
> Quick summary: It worked! See https://markus.freedombox.me/
>
> Longer summary:
>
> 1. I start by cloning https://github.com/letsencrypt/letsencrypt
>
> 2. For verifying that you control your domain name, LE needs to publish
> something on your web server.
> There are two options, either LE can temporarily reconfigure your
> webserver (Apache), or it can temporarily run its own standalone webserver.
> To me it seems the second option makes much more sense, because this way
> LE doesn't have to touch your webserver's configuration.
>
> 3. So I stop Apache: service apache2 stop
>
> 4. Then I run
> ./letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory --standalone -d markus.freedombox.me
>
> It takes some time to download and install dependencies for LE.
>
> Ooops I got an error:
>
> Failed authorization procedure. markus.freedombox.me (tls-sni-01):
> connection :: The server could not connect to the client for DV :: Failed
> to connect to host for DVSNI challenge
>
> IMPORTANT NOTES:
>  - The following 'connection' errors were reported by the server:
>
>    Domains: markus.freedombox.me
>    Error: The server could not connect to the client for DV
>
>    To fix these errors, please make sure that your domain name was
>    entered correctly and the DNS A record(s) for that domain
>    contain(s) the right IP address. Additionally, please check that
>    your computer has a publicly routable IP address and that no
>    firewalls are preventing the server from communicating with the
>    client.
>
> 5. Don't know why the error happened, maybe because of some Pagekite
> problem?
> Anyway, I just try the same LE command again, and this time it worked:
>
> IMPORTANT NOTES:
>  - Congratulations! Your certificate and chain have been saved at
>    /etc/letsencrypt/live/markus.freedombox.me/fullchain.pem. Your cert
>    will expire on 2016-02-15. To obtain a new version of the
>    certificate in the future, simply run Let's Encrypt again.
>
> 6. Now I update /etc/apache2/sites-available/default-tls.conf:
>
>         GnuTLSCertificateFile   /etc/ssl/certs/ssl-cert-letsencrypt.pem
>         GnuTLSKeyFile /etc/ssl/private/ssl-cert-letsencrypt.key
>
> And /etc/apache2/sites-available/default-ssl.conf:
>
>         SSLCertificateFile      /etc/ssl/certs/ssl-cert-letsencrypt.pem
>         SSLCertificateKeyFile /etc/ssl/private/ssl-cert-letsencrypt.key
>
> 7. I create symlinks:
>
>  ln -s /etc/letsencrypt/live/markus.freedombox.me/privkey.pem /etc/ssl/private/ssl-cert-letsencrypt.key
>  ln -s /etc/letsencrypt/live/markus.freedombox.me/fullchain.pem /etc/ssl/certs/ssl-cert-letsencrypt.pem
>
> 8. I start Apache again, and boom! It works, my LE certificate is in place.
>
> =====
>
> NEXT STEPS / QUESTIONS?
>
> - Need to figure out how to integrate this with Plinth and first boot.
> Certificates have to be renewed and can be revoked.
>
> - There are different ways of using LE. We could discuss whether LE should
> update the Apache configuration directly, or if it should rather not touch
> it.
>
> - There seems to be some existing work on a Debian package for LE, a bit
> outdated, but at least it seems they are working on it:
> https://github.com/letsencrypt/letsencrypt/tree/debian
>

Similar experience for me.  I was happy with the final results.

Public beta due for 3 December.

Note on subdomains, I think it's limited to 1000.  No wildcards.

I tested this also with client side certificate authentication and it works
well.  This means we can sign in to each other's web FBX with our SSH
keys.  I wrote a node script that puts an ssh key in the browser:

https://github.com/gitpay/util/blob/master/opensshToX509.js

Needs a bit of cleaning up, but essentially it works.


>
> Markus
>
>
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
>
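As an added example (not code from Markus's post or from the FreedomBox project), steps 3 to 8 of the quoted procedure as a POSIX shell script, with the checks a practitioner would run around them: that the challenge port is actually free before the standalone authenticator tries to bind it (the "could not connect to the client for DV" failure in the post is the CA side of that), that the issued chain covers the requested name, whether the certificate is within 30 days of expiry (the renewal point raised under next steps), and that the private key really belongs to the chain before the /etc/ssl symlinks are created. Assumed: openssl on PATH, a letsencrypt checkout at $LE_DIR, the acme-v01 endpoint exactly as used in the post (Let's Encrypt has since retired that API version), and the FreedomBox paths from steps 6 and 7. The certificate helpers work on any PEM files; only `issue_cert` and `main` need a real host, so the script does nothing unless invoked with `run`.

```shell
#!/bin/sh
# Added example, not code from the post or from FreedomBox: steps 3-8 of the
# procedure as functions, plus the checks worth running around them.
# Assumptions: openssl on PATH, a letsencrypt checkout in $LE_DIR, the ACME
# endpoint and the /etc/ssl paths exactly as used in the post.

DOMAIN="${DOMAIN:-markus.freedombox.me}"
LE_DIR="${LE_DIR:-./letsencrypt}"
ACME_SERVER="${ACME_SERVER:-https://acme-v01.api.letsencrypt.org/directory}"
LIVE="/etc/letsencrypt/live/$DOMAIN"
KEY_LINK="/etc/ssl/private/ssl-cert-letsencrypt.key"
CERT_LINK="/etc/ssl/certs/ssl-cert-letsencrypt.pem"

# True (0) when nothing local listens on the challenge port; the standalone
# authenticator must be able to bind it. Reachability from the outside
# (firewall, NAT, Pagekite) still has to be confirmed by hand.
challenge_port_free() {
    ! ss -lnt 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
}

# True when the certificate expires within $2 days (default 30), or cannot be
# read at all; openssl -checkend succeeds only if the cert is still valid then.
cert_needs_renewal() {
    ! openssl x509 -noout -in "$1" -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# True when the subject CN or a DNS SAN entry is exactly $2 (dots escaped, and
# the match anchored so freedombox.me does not match markus.freedombox.me).
cert_covers_domain() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -Eq "(CN ?= ?$esc|DNS:$esc)(,|\$)"
}

# True when the public key in the cert equals the one derived from the key:
# the cheap guard against symlinking a key that belongs to an older chain.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Step 7: point the fixed /etc/ssl names at the live/ files (-f so a renewal
# can re-run it; -n so an existing link is replaced, not descended into).
install_cert_symlinks() {
    live="$1"; key_link="$2"; cert_link="$3"
    [ -f "$live/privkey.pem" ] && [ -f "$live/fullchain.pem" ] || return 1
    ln -sfn "$live/privkey.pem" "$key_link" && ln -sfn "$live/fullchain.pem" "$cert_link"
}

# Steps 3-5: stop Apache, run the standalone authenticator, start Apache again.
# The trap restarts Apache even when the challenge fails, so a failed attempt
# (like the first one in the post) does not leave the box without its web server.
issue_cert() {
    service apache2 stop || return 1
    trap 'service apache2 start' EXIT
    if challenge_port_free 443; then
        "$LE_DIR/letsencrypt-auto" certonly --standalone --server "$ACME_SERVER" -d "$1"
        status=$?
    else
        echo "something other than Apache is still listening on 443" >&2
        status=1
    fi
    service apache2 start
    trap - EXIT
    return $status
}

# Issue or renew, verify, install, reload: one run on the FreedomBox itself.
main() {
    cert="$LIVE/fullchain.pem"; key="$LIVE/privkey.pem"
    if cert_needs_renewal "$cert" 30 || ! cert_covers_domain "$cert" "$DOMAIN"; then
        issue_cert "$DOMAIN" || exit 1
    fi
    cert_matches_key "$cert" "$key" || { echo "key/cert mismatch in $LIVE" >&2; exit 1; }
    install_cert_symlinks "$LIVE" "$KEY_LINK" "$CERT_LINK" || exit 1
    service apache2 reload
}

# Run only when explicitly asked, so the helpers can be sourced and tested.
if [ "${1:-}" = "run" ]; then main; fi
```

Run as `sh le-freedombox.sh run` from cron a few days before the 90-day expiry and it is a no-op until `cert_needs_renewal` fires; the key/cert check matters because `letsencrypt-auto` writes a fresh privkey.pem on every issuance and the symlinks in step 7 only stay correct if both files come from the same live/ directory.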