Let’s encrypt automation on Debian (opens in new tab)

(eblog.damia.net)

100 pointsnereid66610y ago29 comments

29 comments

FYI, if you don't want to install all the dependencies of the official letsencrypt client, I made a <200 line python script that automates issuing and renewing certificates. Love the Let's Encrypt project, but really don't want to install all those dependencies on my server just to get a free cert.

https://github.com/diafygi/acme-tiny

joshmoz10y ago

Head of Let's Encrypt here. I don't love the number of dependencies for our client either, we're going to work to reduce them.

diafygi10y ago

No worries! Every time I see a Let's Encrypt thread on HN, there's always complaining about having to trust the official client with root access, webserver configs, dependencies, or whatever. So I made my clients (letsencrypt-nosudo, gethttpsforfree.com, acme-tiny) to shut those people up. My clients are not intended to serve the wider Let's Encrypt target audience, who probably don't know what a CSR is. But for those who do, I made clients that don't ask for the access/trust that the official client needs to serve its target audience.

Thanks for making Let's Encrypt and ACME!

1 more reply

sinatra10y ago

Maybe you can consider getting someone at Let's Encrypt review diafygi's acme-tiny code and, if approved, propose it as an alternative on the Let's Encrypt site. This will be very useful for users who get turned off by the root requirement or the number of dependencies.

davexunit10y ago

Great! I did some work packaging the official Let's Encrypt client for GNU Guix and the dependency graph (complete with circular dependencies in all of the Zope mess) is absurdly huge. Definitely going to give this a try.

StavrosK10y ago

This is my recommended client as well. Easy to use, easy to script, completely automatic. Well done.

nereid666OP10y ago

Very useful. Thx!

schoen10y ago

Most people shouldn't need both cert.pem and fullchain.pem, because fullchain.pem is "full" because it also contains a copy of cert.pem (unlike chain.pem, which doesn't). (I chose these names for the structure of Let's Encrypt's certificate storage.)

azdle10y ago

For anyone that wants to do this w/ nginx, you can add this location configuration to any "server" block for the challenge portion:

        location /.well-known/acme-challenge/ {
		alias		/var/www/acme-webroot/.well-known/acme-challenge/;
	}

Then use this this tool from mozilla to get a configuration for installing the cert: https://mozilla.github.io/server-side-tls/ssl-config-generat...

IshKebab10y ago

I really hope letsencrypt doesn't delay the real solution - DANE.

ymse10y ago

I was not familiar with DANE:

https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na...

Until the CA system is completely abolished, this appears to works great with LE -- free certificates and a guarantee that no other CA can impersonate you.

The ACME protocol could conceivably be extended to update SRV records along with the certificate for some DNS providers.

_yy10y ago

It's not a good solution.

https://www.imperialviolet.org/2015/01/17/notdane.html

IshKebab10y ago

The TL;DR of that is:

1. DNSSEC uses a lot of 1024-bit RSA signatures (those are relatively weak) 2. You can't monitor the certificates that CA's issue because anyone issue their own certificates.

The first issue seems valid, but fixable. The second is a weird thing to complain about because it is the entire point of DANE!

1 more reply

hannob10y ago

DANE certainly is not the real solution. The solution is to deploy HPKP and require CT in the future.

xorcist10y ago

HPKP is entirely complementary to DANE.

wyldfire10y ago

Remedial question, for the unfamiliar folks: how do I establish a bootstrap trust w/DNSSEC? Does it require backwards-incompatible changes at the root?

xorcist10y ago

The short story is that it's part of the root now, which is something resolvers ship with.

StavrosK10y ago

Isn't Let's Encrypt supposed to launch the open beta today? Let's hope it actually happens...

metachris10y ago

You can sign up for the private beta and get access pretty quickly: https://docs.google.com/a/allaboutapps.at/forms/d/15Ucm4A20y...

finnn10y ago

Let's Encrypt's closed beta is no longer accepting new applicants [0], but they are launching the public beta in just under 2 hours (6PM GMT/10AM PST)[1] at the time of this writing.

[0]: https://community.letsencrypt.org/t/beta-program-announcemen...

[1]: https://letsencrypt.status.io/pages/maintenance/55957a99e800...

StavrosK10y ago

I signed up for a few domains early on and they were enabled, I signed up for two more two days ago but haven't heard back yet.

1 more reply

azdle10y ago

I doubt they're even going to approve any more in the next hour and a half before they flip it to the public beta.

ausjke10y ago

This might be a dumb question, after I auto-generate all those ssl certs, how am I going to certify it at some CA? so that all browser will not pop up a warning page when the ssl-site is accessed? What's the key difference between letsencrypt and self-signed ssl certificate?

diafygi10y ago

The certificates that Let's Encrypt issues are cross-signed by IdenTrust (a real CA) so browsers should trust the certificate you get from Let's Encrypt. NOTE: just like with other TLS certs, you will need to include the Let's Encrypt intermediate certificate in your webserver config so that it can be chained back to IdenTrust.

EDIT: IdenTrust, not Entrust, sorry!

joshmoz10y ago

Let's Encrypt is cross-signed by IdenTrust, not Entrust.

Gurrewe10y ago

Letsencrypt is a trusted CA. https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.h...

j / k navigate · click thread line to collapse

29 comments

diafygi10y ago

https://github.com/diafygi/acme-tiny

joshmoz10y ago

Head of Let's Encrypt here. I don't love the number of dependencies for our client either, we're going to work to reduce them.

diafygi10y ago

Thanks for making Let's Encrypt and ACME!

1 more reply

sinatra10y ago

davexunit10y ago

StavrosK10y ago

This is my recommended client as well. Easy to use, easy to script, completely automatic. Well done.

nereid666OP10y ago

Very useful. Thx!

schoen10y ago

azdle10y ago

For anyone that wants to do this w/ nginx, you can add this location configuration to any "server" block for the challenge portion:

        location /.well-known/acme-challenge/ {
		alias		/var/www/acme-webroot/.well-known/acme-challenge/;
	}

Then use this this tool from mozilla to get a configuration for installing the cert: https://mozilla.github.io/server-side-tls/ssl-config-generat...

IshKebab10y ago

I really hope letsencrypt doesn't delay the real solution - DANE.

ymse10y ago

I was not familiar with DANE:

https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na...

Until the CA system is completely abolished, this appears to works great with LE -- free certificates and a guarantee that no other CA can impersonate you.

The ACME protocol could conceivably be extended to update SRV records along with the certificate for some DNS providers.

_yy10y ago

It's not a good solution.

https://www.imperialviolet.org/2015/01/17/notdane.html

IshKebab10y ago

The TL;DR of that is:

1. DNSSEC uses a lot of 1024-bit RSA signatures (those are relatively weak) 2. You can't monitor the certificates that CA's issue because anyone issue their own certificates.

The first issue seems valid, but fixable. The second is a weird thing to complain about because it is the entire point of DANE!

1 more reply

hannob10y ago

DANE certainly is not the real solution. The solution is to deploy HPKP and require CT in the future.

xorcist10y ago

HPKP is entirely complementary to DANE.

wyldfire10y ago

Remedial question, for the unfamiliar folks: how do I establish a bootstrap trust w/DNSSEC? Does it require backwards-incompatible changes at the root?

xorcist10y ago

The short story is that it's part of the root now, which is something resolvers ship with.

StavrosK10y ago

Isn't Let's Encrypt supposed to launch the open beta today? Let's hope it actually happens...

metachris10y ago

You can sign up for the private beta and get access pretty quickly: https://docs.google.com/a/allaboutapps.at/forms/d/15Ucm4A20y...

finnn10y ago

Let's Encrypt's closed beta is no longer accepting new applicants [0], but they are launching the public beta in just under 2 hours (6PM GMT/10AM PST)[1] at the time of this writing.

[0]: https://community.letsencrypt.org/t/beta-program-announcemen...

[1]: https://letsencrypt.status.io/pages/maintenance/55957a99e800...

StavrosK10y ago

I signed up for a few domains early on and they were enabled, I signed up for two more two days ago but haven't heard back yet.

1 more reply

azdle10y ago

I doubt they're even going to approve any more in the next hour and a half before they flip it to the public beta.

ausjke10y ago

diafygi10y ago

EDIT: IdenTrust, not Entrust, sorry!

joshmoz10y ago

Let's Encrypt is cross-signed by IdenTrust, not Entrust.

Gurrewe10y ago

Letsencrypt is a trusted CA. https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.h...

j / k navigate · click thread line to collapse