So I received my closed beta invitation a few days ago and tried it with my FreedomBox. Quick summary: It worked! See https://markus.freedombox.me/
Longer summary:

1. I start by cloning https://github.com/letsencrypt/letsencrypt

2. For verifying that you control your domain name, LE needs to publish something on your web server. There are two options: either LE can temporarily reconfigure your webserver (Apache), or it can temporarily run its own standalone webserver. To me it seems the second option makes much more sense, because this way LE doesn't have to touch your webserver's configuration.

3. So I stop Apache:

   service apache2 stop

4. Then I run:

   ./letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory --standalone -d markus.freedombox.me

   It takes some time to download and install dependencies for LE. Ooops, I got an error:

   Failed authorization procedure. markus.freedombox.me (tls-sni-01): connection :: The server could not connect to the client for DV :: Failed to connect to host for DVSNI challenge

   IMPORTANT NOTES:
    - The following 'connection' errors were reported by the server:

      Domains: markus.freedombox.me
      Error: The server could not connect to the client for DV

      To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client.

5. Don't know why the error happened, maybe because of some Pagekite problem? Anyway, I just try the same LE command again, and this time it worked:

   IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/markus.freedombox.me/fullchain.pem. Your cert will expire on 2016-02-15. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.

6. Now I update /etc/apache2/sites-available/default-tls.conf:

   GnuTLSCertificateFile /etc/ssl/certs/ssl-cert-letsencrypt.pem
   GnuTLSKeyFile /etc/ssl/private/ssl-cert-letsencrypt.key

   And /etc/apache2/sites-available/default-ssl.conf:

   SSLCertificateFile /etc/ssl/certs/ssl-cert-letsencrypt.pem
   SSLCertificateKeyFile /etc/ssl/private/ssl-cert-letsencrypt.key

7. I create symlinks:

   ln -s /etc/letsencrypt/live/markus.freedombox.me/privkey.pem /etc/ssl/private/ssl-cert-letsencrypt.key
   ln -s /etc/letsencrypt/live/markus.freedombox.me/fullchain.pem /etc/ssl/certs/ssl-cert-letsencrypt.pem

8. I start Apache again, and boom! It works, my LE certificate is in place.

===== NEXT STEPS / QUESTIONS?

- Need to figure out how to integrate this with Plinth and first boot. Certificates have to be renewed and can be revoked.
- There are different ways of using LE. We could discuss whether LE should update the Apache configuration directly, or if it should rather not touch it.
- There seems to be some existing work on a Debian package for LE, a bit outdated, but at least it seems they are working on it: https://github.com/letsencrypt/letsencrypt/tree/debian

Markus
_______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
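The manual steps 3 to 8 above, and the renewal question raised under "next steps", as a script (added example, not code from the post or from FreedomBox). It keeps the post's paths and ACME URL; the DOMAIN default, the ./letsencrypt-auto location, the 30-day renewal window and the use of openssl for the expiry check are assumptions. The standalone challenge needs Apache stopped, so the script uses an EXIT trap to bring Apache back even when authorization fails, as it did on the post's first attempt.

```shell
#!/bin/sh
# Added example: the post's standalone Let's Encrypt procedure as functions.
# Paths are the post's; DOMAIN, LE_AUTO and the 30-day window are assumptions.
set -eu

DOMAIN="${DOMAIN:-markus.freedombox.me}"
LE_AUTO="${LE_AUTO:-./letsencrypt-auto}"   # assumed: wrapper in the cloned repo
ACME="https://acme-v01.api.letsencrypt.org/directory"

# Return 0 if CERT is missing or expires within DAYS days, else 1.
cert_needs_renewal() {
    cert="$1"; days="${2:-30}"
    [ -f "$cert" ] || return 0
    # -checkend exits 0 when the cert is still valid after N seconds
    ! openssl x509 -noout -checkend "$((days * 86400))" -in "$cert"
}

# Step 7: point the fixed Apache paths at the live Let's Encrypt files.
# ln -sfn lets this be re-run after every renewal; refuses missing inputs.
link_cert_files() {
    live="$1"; certs="$2"; private="$3"
    [ -f "$live/fullchain.pem" ] && [ -f "$live/privkey.pem" ] || return 1
    ln -sfn "$live/fullchain.pem" "$certs/ssl-cert-letsencrypt.pem"
    ln -sfn "$live/privkey.pem"  "$private/ssl-cert-letsencrypt.key"
    chmod 0700 "$private"   # key reachable only through the private dir
}

# Steps 3, 4 and 8: stop Apache, run the standalone challenge, start Apache.
# The EXIT trap restarts Apache even if letsencrypt-auto fails, so a failed
# authorization (as in the post's first attempt) does not leave the site down.
renew_standalone() {
    service apache2 stop
    trap 'service apache2 start' EXIT
    "$LE_AUTO" certonly --server "$ACME" --standalone -d "$DOMAIN"
    link_cert_files "/etc/letsencrypt/live/$DOMAIN" /etc/ssl/certs /etc/ssl/private
}

# Entry point for a cron job: only renews when the window is reached.
main() {
    if cert_needs_renewal "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" 30; then
        renew_standalone
    else
        echo "certificate for $DOMAIN is valid for more than 30 days"
    fi
}
```

Run `main` as root from a daily cron job; `link_cert_files` can also be called on its own after a manual renewal to refresh the links.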
