<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
So I received my closed beta invitation a few days ago and tried it
with my FreedomBox.<br>
Quick summary: It worked! See <a class="moz-txt-link-freetext" href="https://markus.freedombox.me/">https://markus.freedombox.me/</a><br>
<br>
Longer summary:<br>
<br>
1. I start by cloning <a class="moz-txt-link-freetext" href="https://github.com/letsencrypt/letsencrypt">https://github.com/letsencrypt/letsencrypt</a><br>
<br>
2. For verifying that you control your domain name, LE needs to
publish something on your web server.<br>
There are two options, either LE can temporarily reconfigure your
webserver (Apache), or it can temporarily run its own standalone
webserver.<br>
To me it seems the second option makes much more sense, because this
way LE doesn't have to touch your webserver's configuration.<br>
<br>
3. So I stop Apache: service apache2 stop<br>
<br>
4. Then I run<br>
./letsencrypt-auto certonly --server
<a class="moz-txt-link-freetext" href="https://acme-v01.api.letsencrypt.org/directory">https://acme-v01.api.letsencrypt.org/directory</a> --standalone -d
markus.freedombox.me<br>
<br>
It takes some time to download and install dependencies for LE.<br>
<br>
Oops, I got an error:<br>
<br>
<font face="monospace">Failed authorization procedure.
markus.freedombox.me (tls-sni-01): connection :: The server could
not connect to the client for DV :: Failed to connect to host for DVSNI challenge<br>
<br>
IMPORTANT NOTES:<br>
- The following 'connection' errors were reported by the server:<br>
<br>
Domains: markus.freedombox.me<br>
Error: The server could not connect to the client for DV<br>
<br>
To fix these errors, please make sure that your domain name was<br>
entered correctly and the DNS A record(s) for that domain<br>
contain(s) the right IP address. Additionally, please check
that<br>
your computer has a publicly routable IP address and that no<br>
firewalls are preventing the server from communicating with the<br>
client.<br>
</font><br>
5. Don't know why the error happened, maybe because of some Pagekite
problem?<br>
Anyway, I just try the same LE command again, and this time it
worked:<br>
<br>
IMPORTANT NOTES:<br>
- Congratulations! Your certificate and chain have been saved at<br>
/etc/letsencrypt/live/markus.freedombox.me/fullchain.pem. Your
cert<br>
will expire on 2016-02-15. To obtain a new version of the<br>
certificate in the future, simply run Let's Encrypt again.<br>
<br>
6. Now I update /etc/apache2/sites-available/default-tls.conf:<br>
<br>
<font face="monospace"> GnuTLSCertificateFile
/etc/ssl/certs/ssl-cert-letsencrypt.pem<br>
GnuTLSKeyFile /etc/ssl/private/ssl-cert-letsencrypt.key<br>
</font><br>
And /etc/apache2/sites-available/default-ssl.conf:<br>
<br>
<font face="monospace"> SSLCertificateFile
/etc/ssl/certs/ssl-cert-letsencrypt.pem<br>
SSLCertificateKeyFile
/etc/ssl/private/ssl-cert-letsencrypt.key<br>
</font><br>
7. I create symlinks:<br>
<br>
<font face="monospace"> ln -s
/etc/letsencrypt/live/markus.freedombox.me/privkey.pem
/etc/ssl/private/ssl-cert-letsencrypt.key<br>
ln -s /etc/letsencrypt/live/markus.freedombox.me/fullchain.pem
/etc/ssl/certs/ssl-cert-letsencrypt.pem<br>
</font><br>
8. I start Apache again, and boom! It works, my LE certificate is in
place.<br>
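<br>
The steps 3 to 8 above, collected into one script. This is an added example, not code from Markus's mail or from the Let's Encrypt project; the variable names (DOMAIN, LE_HOME, LIVE_DIR, SSL_DIR) and the helper functions are assumptions, and SAMPLE_NOTES is a constructed copy of the IMPORTANT NOTES output quoted above. The point it adds is the failure mode from step 4: with the standalone authenticator Apache is stopped while the challenge runs, so the script starts Apache again whether or not letsencrypt-auto succeeded, and only re-points the stable /etc/ssl paths at the live files when it did. The symlinks are created with <font face="monospace">ln -sfn</font> so the same call also works at renewal time, when the links already exist.<br>

```shell
#!/bin/sh
# Added example: run the standalone Let's Encrypt flow with Apache stopped,
# and bring Apache back even when the challenge fails.
# Assumed names: DOMAIN, LE_HOME, LIVE_DIR, SSL_DIR, ACME_SERVER (assumptions).
set -u

DOMAIN="${DOMAIN:-markus.freedombox.me}"
LE_HOME="${LE_HOME:-$HOME/letsencrypt}"          # where the repo was cloned (assumed)
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
SSL_DIR="${SSL_DIR:-/etc/ssl}"
ACME_SERVER="https://acme-v01.api.letsencrypt.org/directory"

# Constructed sample of the notes block LE prints on success (wording from the mail).
SAMPLE_NOTES="IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/markus.freedombox.me/fullchain.pem. Your cert
will expire on 2016-02-15. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again."

# Pull the expiry date (YYYY-MM-DD) out of LE's notes so it can be logged
# or compared against a renewal threshold by a cron job later.
expiry_from_notes() {
    printf '%s\n' "$1" | sed -n 's/.*will expire on \([0-9-]*\).*/\1/p' | head -n 1
}

# Step 7 as a function: point the stable paths Apache is configured with
# at the live LE files. ln -sfn replaces an existing link, so this is
# safe to call again after every renewal.
install_symlinks() {
    domain="$1"; live="$2"; ssl="$3"
    mkdir -p "$ssl/private" "$ssl/certs"
    ln -sfn "$live/$domain/privkey.pem"   "$ssl/private/ssl-cert-letsencrypt.key"
    ln -sfn "$live/$domain/fullchain.pem" "$ssl/certs/ssl-cert-letsencrypt.pem"
}

# Steps 3 to 8. Apache is down only for the duration of letsencrypt-auto,
# and it is restarted on the failure path too (the DVSNI error in step 4
# would otherwise leave the site offline with the old certificate untouched).
renew_standalone() {
    domain="$1"
    service apache2 stop
    if notes=$("$LE_HOME/letsencrypt-auto" certonly --server "$ACME_SERVER" \
                 --standalone -d "$domain" 2>&1); then
        install_symlinks "$domain" "$LIVE_DIR" "$SSL_DIR"
        echo "certificate for $domain installed, expires $(expiry_from_notes "$notes")"
        status=0
    else
        printf '%s\n' "$notes" >&2
        echo "challenge for $domain failed; certificate unchanged" >&2
        status=1
    fi
    service apache2 start    # always, so a failed challenge does not keep the site down
    return "$status"
}

# Only act when explicitly asked (./le-standalone.sh run), so sourcing the
# file to reuse the functions has no side effects.
if [ "${1:-}" = "run" ]; then
    renew_standalone "$DOMAIN"
fi
```

Run it as root with <font face="monospace">sh le-standalone.sh run</font> after cloning the repository to LE_HOME; the Apache configuration from step 6 stays as it is, since only the symlink targets change.<br>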
<br>
=====<br>
<br>
NEXT STEPS / QUESTIONS?<br>
<br>
- Need to figure out how to integrate this with Plinth and first
boot. Certificates have to be renewed and can be revoked.<br>
<br>
- There are different ways of using LE. We could discuss whether LE
should update the Apache configuration directly, or if it should
rather not touch it.<br>
<br>
- There seems to be some existing work on a Debian package for LE, a
bit outdated, but at least it seems they are working on it:<br>
<a class="moz-txt-link-freetext" href="https://github.com/letsencrypt/letsencrypt/tree/debian">https://github.com/letsencrypt/letsencrypt/tree/debian</a><br>
<br>
Markus<br>
<br>
</body>
</html>