<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 17 November 2015 at 09:22, Markus Sabadello <span dir="ltr"><<a href="mailto:markus@projectdanube.org" target="_blank">markus@projectdanube.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
So I received my closed beta invitation a few days ago and tried it
with my FreedomBox.<br>
Quick summary: It worked! See <a href="https://markus.freedombox.me/" target="_blank">https://markus.freedombox.me/</a><br>
<br>
Longer summary:<br>
<br>
1. I start by cloning <a href="https://github.com/letsencrypt/letsencrypt" target="_blank">https://github.com/letsencrypt/letsencrypt</a><br>
<br>
2. For verifying that you control your domain name, LE needs to
publish something on your web server.<br>
There are two options, either LE can temporarily reconfigure your
webserver (Apache), or it can temporarily run its own standalone
webserver.<br>
To me it seems the second option makes much more sense, because this
way LE doesn't have to touch your webserver's configuration.<br>
<br>
3. So I stop Apache: service apache2 stop<br>
<br>
4. Then I run<br>
<font face="monospace">./letsencrypt-auto certonly --server
<a href="https://acme-v01.api.letsencrypt.org/directory" target="_blank">https://acme-v01.api.letsencrypt.org/directory</a> --standalone -d
markus.freedombox.me</font><br>
<br>
It takes some time to download and install dependencies for LE.<br>
<br>
Oops, I got an error:<br>
<br>
<font face="monospace">Failed authorization procedure.
<a href="http://markus.freedombox.me" target="_blank">markus.freedombox.me</a> (tls-sni-01): connection :: The server could
not connect to the client for DV :: Failed to connect<br>
to host for DVSNI challenge<br>
<br>
IMPORTANT NOTES:<br>
- The following 'connection' errors were reported by the server:<br>
<br>
Domains: <a href="http://markus.freedombox.me" target="_blank">markus.freedombox.me</a><br>
Error: The server could not connect to the client for DV<br>
<br>
To fix these errors, please make sure that your domain name was<br>
entered correctly and the DNS A record(s) for that domain<br>
contain(s) the right IP address. Additionally, please check that<br>
your computer has a publicly routable IP address and that no<br>
firewalls are preventing the server from communicating with the<br>
client.<br>
</font><br>
5. Don't know why the error happened, maybe because of some Pagekite
problem?<br>
Anyway, I just try the same LE command again, and this time it
works:<br>
<br>
IMPORTANT NOTES:<br>
- Congratulations! Your certificate and chain have been saved at<br>
/etc/letsencrypt/live/markus.freedombox.me/fullchain.pem. Your cert<br>
will expire on 2016-02-15. To obtain a new version of the<br>
certificate in the future, simply run Let's Encrypt again.<br>
<br>
6. Now I update /etc/apache2/sites-available/default-tls.conf:<br>
<br>
<font face="monospace"> GnuTLSCertificateFile
/etc/ssl/certs/ssl-cert-letsencrypt.pem<br>
GnuTLSKeyFile /etc/ssl/private/ssl-cert-letsencrypt.key<br>
</font><br>
And /etc/apache2/sites-available/default-ssl.conf:<br>
<br>
<font face="monospace"> SSLCertificateFile
/etc/ssl/certs/ssl-cert-letsencrypt.pem<br>
SSLCertificateKeyFile
/etc/ssl/private/ssl-cert-letsencrypt.key<br>
</font><br>
7. I create symlinks:<br>
<br>
<font face="monospace"> ln -s /etc/letsencrypt/live/markus.freedombox.me/privkey.pem
/etc/ssl/private/ssl-cert-letsencrypt.key<br>
ln -s /etc/letsencrypt/live/markus.freedombox.me/fullchain.pem
/etc/ssl/certs/ssl-cert-letsencrypt.pem<br>
</font><br>
8. I start Apache again, and boom! It works, my LE certificate is in
place.<br>
<br>
=====<br>
<br>
NEXT STEPS / QUESTIONS?<br>
<br>
- Need to figure out how to integrate this with Plinth and first
boot. Certificates have to be renewed and can be revoked.<br>
<br>
- There are different ways of using LE. We could discuss whether LE
should update the Apache configuration directly, or if it should
rather not touch it.<br>
<br>
- There seems to be some existing work on a Debian package for LE, a
bit outdated, but at least it seems they are working on it:<br>
<a href="https://github.com/letsencrypt/letsencrypt/tree/debian" target="_blank">https://github.com/letsencrypt/letsencrypt/tree/debian</a><span class=""><font color="#888888"><br></font></span></div></blockquote><div><br></div><div>Similar experience for me. I was happy with the final results.<br></div><div><br>Public beta due for 3 December.<br><br></div><div>Note on subdomains, I think it's limited to 1000. No wildcards.<br><br></div><div>I tested this also with client-side certificate authentication and it works well. This means we can sign in to each other's web FBX with our SSH keys. I wrote a node script that puts an ssh key in the browser:<br><br><a href="https://github.com/gitpay/util/blob/master/opensshToX509.js">https://github.com/gitpay/util/blob/master/opensshToX509.js</a><br><br></div><div>Needs a bit of cleaning up, but essentially it works.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><span class=""><font color="#888888">
<br>
Markus<br>
<br>
</font></span></div>
<br>_______________________________________________<br>
Freedombox-discuss mailing list<br>
<a href="mailto:Freedombox-discuss@lists.alioth.debian.org">Freedombox-discuss@lists.alioth.debian.org</a><br>
<a href="http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss" rel="noreferrer" target="_blank">http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss</a><br></blockquote></div><br></div></div>
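<div>The procedure in the quoted message (stop Apache, obtain the certificate with the standalone authenticator, symlink the live files into /etc/ssl, restart Apache, and later renew before the 90-day expiry) wrapped into one script, as an added example for this page. It is not FreedomBox, Plinth or Let's Encrypt project code and not the tooling either poster used. It assumes a current <code>certbot</code> binary (the successor of letsencrypt-auto, answering the http-01 challenge on port 80 rather than the tls-sni-01 challenge shown in the message), that <code>openssl</code> is installed, and that the operator sets <code>DOMAIN</code> and <code>EMAIL</code>; the paths under /etc/letsencrypt/live and the two symlink names are the ones from the message, while the function names, the <code>RENEW_DAYS</code> threshold and the <code>issue</code>/<code>renew-if-needed</code> verbs are this example's own.</div>

```shell
#!/bin/sh
# Added example (not FreedomBox/Plinth code): standalone-mode issuance and
# renewal wired into Apache via the symlinks used in the post.
# Usage:
#   DOMAIN=markus.freedombox.me EMAIL=admin@example.org sh le-standalone.sh issue
#   DOMAIN=markus.freedombox.me sh le-standalone.sh renew-if-needed   # e.g. daily cron
set -eu

DOMAIN="${DOMAIN:-markus.freedombox.me}"   # assumed: supplied by the operator
EMAIL="${EMAIL:-}"                         # assumed: optional account contact
LIVE="/etc/letsencrypt/live/$DOMAIN"
CERT_LINK=/etc/ssl/certs/ssl-cert-letsencrypt.pem
KEY_LINK=/etc/ssl/private/ssl-cert-letsencrypt.key
RENEW_DAYS=30   # LE certificates last 90 days; renew with a month to spare

# cert_expires_within PEM DAYS: succeed if PEM's notAfter is less than DAYS away.
# openssl -checkend succeeds while the cert is still valid at that point, so invert it.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# cert_fingerprint PEM: SHA-256 fingerprint of the first certificate in PEM.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# served_fingerprint HOST: fingerprint of the leaf certificate the running server
# presents for HOST, used to prove Apache actually picked up the new file.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Standalone mode binds port 80 itself, so Apache must be down while certbot runs.
# The EXIT trap restarts Apache even if certbot fails (the retry case in step 5).
with_apache_stopped() {
    service apache2 stop
    trap 'service apache2 start' EXIT
    "$@"
    service apache2 start
    trap - EXIT
}

obtain() {
    set -- certbot certonly --standalone --preferred-challenges http \
        --non-interactive --agree-tos -d "$DOMAIN"
    if [ -n "$EMAIL" ]; then set -- "$@" -m "$EMAIL"; fi
    "$@"
}

# ln -sfn replaces an existing link; the targets in live/ are themselves
# symlinks into /etc/letsencrypt/archive, so renewals need no further changes.
link_into_apache() {
    ln -sfn "$LIVE/privkey.pem"   "$KEY_LINK"
    ln -sfn "$LIVE/fullchain.pem" "$CERT_LINK"
}

issue_steps() { obtain; link_into_apache; }

verify_deployed() {
    local_fp=$(cert_fingerprint "$LIVE/fullchain.pem")
    live_fp=$(served_fingerprint "$DOMAIN")
    if [ "$local_fp" != "$live_fp" ]; then
        echo "MISMATCH: file has $local_fp, $DOMAIN serves $live_fp" >&2
        return 1
    fi
    echo "OK: $DOMAIN serves $local_fp"
}

case "${1:-}" in
    issue)
        with_apache_stopped issue_steps
        verify_deployed ;;
    renew-if-needed)
        if cert_expires_within "$LIVE/fullchain.pem" "$RENEW_DAYS"; then
            with_apache_stopped obtain
            verify_deployed
        fi ;;
    "") ;;   # no verb: only define the functions
    *) echo "usage: $0 issue|renew-if-needed" >&2; exit 2 ;;
esac
```

<div>The fingerprint comparison at the end is the check worth keeping: a certificate sitting in /etc/letsencrypt is not the same as the one Apache is serving, and a stale symlink or a failed restart is only visible from the outside. If stopping Apache for every issuance is unacceptable, certbot's webroot authenticator serves the http-01 token from a directory Apache already exposes without editing its configuration; the script keeps standalone mode to match the steps in the message.</div>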