On 17 November 2015 at 09:22, Markus Sabadello <[email protected]> wrote:
> So I received my closed beta invitation a few days ago and tried it with
> my FreedomBox.
> Quick summary: It worked! See https://markus.freedombox.me/
>
> Longer summary:
>
> 1. I start by cloning https://github.com/letsencrypt/letsencrypt
>
> 2. For verifying that you control your domain name, LE needs to publish
> something on your web server.
> There are two options, either LE can temporarily reconfigure your
> webserver (Apache), or it can temporarily run its own standalone webserver.
> To me it seems the second option makes much more sense, because this way
> LE doesn't have to touch your webserver's configuration.
>
> 3. So I stop Apache: service apache2 stop
>
> 4. Then I run
> ./letsencrypt-auto certonly --server
> https://acme-v01.api.letsencrypt.org/directory --standalone -d
> markus.freedombox.me
>
> It takes some time to download and install dependencies for LE.
>
> Oops, I got an error:
>
> Failed authorization procedure. markus.freedombox.me (tls-sni-01):
> connection :: The server could not connect to the client for DV :: Failed
> to connect to host for DVSNI challenge
>
> IMPORTANT NOTES:
> - The following 'connection' errors were reported by the server:
>
> Domains: markus.freedombox.me
> Error: The server could not connect to the client for DV
>
> To fix these errors, please make sure that your domain name was
> entered correctly and the DNS A record(s) for that domain
> contain(s) the right IP address. Additionally, please check that
> your computer has a publicly routable IP address and that no
> firewalls are preventing the server from communicating with the
> client.
>
> 5. Don't know why the error happened, maybe because of some Pagekite
> problem?
> Anyway, I just try the same LE command again, and this time it worked:
>
> IMPORTANT NOTES:
> - Congratulations! Your certificate and chain have been saved at
> /etc/letsencrypt/live/markus.freedombox.me/fullchain.pem. Your cert
> will expire on 2016-02-15. To obtain a new version of the
> certificate in the future, simply run Let's Encrypt again.
>
> 6. Now I update /etc/apache2/sites-available/default-tls.conf:
>
> GnuTLSCertificateFile /etc/ssl/certs/ssl-cert-letsencrypt.pem
> GnuTLSKeyFile /etc/ssl/private/ssl-cert-letsencrypt.key
>
> And /etc/apache2/sites-available/default-ssl.conf:
>
> SSLCertificateFile /etc/ssl/certs/ssl-cert-letsencrypt.pem
> SSLCertificateKeyFile /etc/ssl/private/ssl-cert-letsencrypt.key
>
> 7. I create symlinks:
>
> ln -s /etc/letsencrypt/live/markus.freedombox.me/privkey.pem
> /etc/ssl/private/ssl-cert-letsencrypt.key
> ln -s /etc/letsencrypt/live/markus.freedombox.me/fullchain.pem
> /etc/ssl/certs/ssl-cert-letsencrypt.pem
>
> 8. I start Apache again, and boom! It works, my LE certificate is in place.
>
> =====
>
> NEXT STEPS / QUESTIONS?
>
> - Need to figure out how to integrate this with Plinth and first boot.
> Certificates have to be renewed and can be revoked.
>
> - There are different ways of using LE. We could discuss whether LE should
> update the Apache configuration directly, or if it should rather not touch
> it.
>
> - There seems to be some existing work on a Debian package for LE, a bit
> outdated, but at least it seems they are working on it:
> https://github.com/letsencrypt/letsencrypt/tree/debian

Similar experience for me. I was happy with the final results. Public beta
due for 3 December. Note on subdomains, I think it's limited to 1000. No
wildcards.

I tested this also with client-side certificate authentication and it works
well. This means we can sign in to each other's web FBX with our SSH keys. I
wrote a node script that puts an SSH key in the browser:
https://github.com/gitpay/util/blob/master/opensshToX509.js

Needs a bit of cleaning up, but essentially it works.

>
> Markus
>
>
> _______________________________________________
> Freedombox-discuss mailing list
> [email protected]
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
>
_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
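The eight manual steps quoted above (stop Apache, run the standalone authenticator, symlink the fixed Apache paths to the live/ directory, start Apache) wrapped into a small script. This is an added example written for this page; it is not code from the thread, from FreedomBox/Plinth or from the Let's Encrypt client. The domain, the ACME endpoint and all paths are taken from the post and are assumptions for any other box; `service apache2` and `./letsencrypt-auto` are the commands the post itself uses. Two things the post does by hand are made explicit: the symlinks are only (re)pointed when both target files actually exist, so a failed client run cannot leave Apache pointing at nothing, and Apache is restarted even when the client fails, which matters because the standalone authenticator can only answer the challenge (port 443 for the tls-sni-01/DVSNI challenge in the error above) while Apache is down. The private-key check follows the symlink chain, since it is the archived key's mode that matters, not the link's.

```shell
#!/bin/sh
# Added example, not code from the thread or the Let's Encrypt project.
# Fetch/renew a certificate with the standalone authenticator while Apache
# is stopped, then point the fixed paths the Apache vhosts reference at the
# client's live/ directory. DOMAIN and all paths are assumptions from the post.

DOMAIN="${DOMAIN:-markus.freedombox.me}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live/$DOMAIN}"
SSL_CERT="${SSL_CERT:-/etc/ssl/certs/ssl-cert-letsencrypt.pem}"
SSL_KEY="${SSL_KEY:-/etc/ssl/private/ssl-cert-letsencrypt.key}"
ACME_SERVER="${ACME_SERVER:-https://acme-v01.api.letsencrypt.org/directory}"

# install_links LIVE_DIR CERT_LINK KEY_LINK
# Symlink the vhost paths to live/fullchain.pem and live/privkey.pem.
# live/ itself holds symlinks the client repoints on renewal, so the Apache
# config never changes. Refuses to touch anything if a target is missing or
# empty, so a failed run cannot leave Apache without a usable certificate.
install_links() {
  live=$1 cert=$2 key=$3
  [ -s "$live/fullchain.pem" ] || { echo "missing $live/fullchain.pem" >&2; return 1; }
  [ -s "$live/privkey.pem" ]   || { echo "missing $live/privkey.pem" >&2; return 1; }
  ln -sfn "$live/fullchain.pem" "$cert" && ln -sfn "$live/privkey.pem" "$key"
}

# links_ok CERT_LINK KEY_LINK: 0 when both links resolve to readable files
# (test -r follows symlinks, so a dangling link fails here).
links_ok() {
  [ -r "$1" ] && [ -r "$2" ]
}

# key_world_readable PATH: 0 when the file PATH resolves to has the o+r bit.
# find -L follows the symlink chain, so the check applies to the real key
# file under the client's archive, not to the link in /etc/ssl/private.
key_world_readable() {
  [ -n "$(find -L "$1" -perm -004 -print 2>/dev/null)" ]
}

# renew_standalone: stop Apache so the standalone authenticator can bind the
# challenge port, run the same certonly command as the post, then restart
# Apache whether or not the client succeeded, and re-point the links only
# if the live/ files are present.
renew_standalone() {
  service apache2 stop || return 1
  ./letsencrypt-auto certonly --server "$ACME_SERVER" --standalone -d "$DOMAIN"
  rc=$?
  service apache2 start
  install_links "$LE_LIVE" "$SSL_CERT" "$SSL_KEY" || rc=1
  if key_world_readable "$SSL_KEY"; then
    echo "warning: $SSL_KEY resolves to a world-readable file" >&2
  fi
  return $rc
}

case "${1:-}" in
  install) install_links "$LE_LIVE" "$SSL_CERT" "$SSL_KEY" ;;
  renew)   renew_standalone ;;
esac
```

Run it as `sh le-standalone.sh install` once after the first successful `certonly`, and `sh le-standalone.sh renew` (from the cloned client directory) before the expiry date printed by the client; with no argument it only defines the functions. Because the vhosts reference the fixed paths and the links point into live/, a renewal only needs an Apache restart, never a config edit, which is the "don't touch the webserver configuration" option Markus prefers above.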
