From: David K. <da...@ke...> - 2017-01-09 17:41:15
Devs,

One of the things that has been bugging me for a while is that AstLinux HTTPS self-signed certificates are not trusted by browsers. I would really like to have AstLinux use trusted certificates, but until recently that has meant paying real $$$'s to a CA. A couple of years ago a non-profit org was set up, LetsEncrypt.org, to remove this barrier and encourage everyone to use HTTPS for their web servers. It has now matured to a point where it might make sense to adopt it in AstLinux.

I have been investigating how easy it would be to have AstLinux use trusted certificates from LetsEncrypt. Here is an initial analysis...

Before LetsEncrypt will issue you a certificate it has to validate that you are who you say you are. So if you ask for a certificate for example.com then it needs to ensure that you really are example.com. There are a couple of options for this. First it does a DNS lookup on example.com and then either...

1. Uses HTTP to example.com with a challenge/response that validates that you own the webserver at example.com. It will ONLY do this over port 80 (or 443, but that is a Catch-22). There are many requests online that they support another port but ostensibly for security reasons they refuse to do that. Pressure is building on them, but so far no change.

2. Uses a TXT record at your DNS registrar... it asks the client (certbot/acme/dehydrated/whatever) to add a TXT record to the example.com DNS server entries, then it validates that the TXT entry is indeed there. Then the client is asked to delete the TXT record.

It does not perform validation every time you request a certificate... if you are already validated then it can skip that part of the process. I do not know how often it needs to revalidate, but I assume that on certificate expiration it will revalidate when you ask for a renew (certs are valid for 90 days, they recommend renewing at 60 days).

The simplest is the HTTP method and is what I used for testing. But...

- AstLinux is a router. If port 80 is NAT forwarded then it won't work.
- If you don't have port 80 open (firewall blocked) then it won't work.
- They don't publish their IP addresses so you cannot add a firewall rule just for them (and they state that their IPs may change or they may use multiple servers at their end, so don't rely on that).
- You can have lighttpd special-handle the request from LetsEncrypt and redirect it. But of course that requires port 80 to be open.

For one-off issuing of the certificate we could probably live with temporarily opening port 80 and/or adjusting firewall rules, but doing this automatically every 60 days may become problematic. I need to give more thought to this.

So for AstLinux it feels like the DNS TXT record method might be better. The acme.sh client (which is what I used for testing... https://github.com/Neilpang/acme.sh) has support for several DNS services and you can add support yourself for those not provided (and presumably contribute back). The service I use (freedns.afraid.org) is not yet among the ones acme.sh supports. Nor is Google Domains. So I have not tested this method yet.

I have not looked at other clients but acme.sh seems to be a pretty solid one. Their "official" client, certbot, looked more complicated than I wanted to deal with for testing purposes.

Would love to get folks' opinions on this topic and thoughts on how best to implement.

David
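As an added illustration (not part of David's message, nor code from acme.sh or certbot): how the two validation methods he describes derive what the CA actually checks from the challenge token and the ACME account key, per RFC 8555. The account key and token below are constructed sample values, not real ones.

```python
"""ACME (RFC 8555) challenge responses for the two validation methods.

HTTP-01: the CA fetches http://<domain>/.well-known/acme-challenge/<token>
         over port 80 and expects the "key authorization" as the body.
DNS-01:  the CA queries TXT _acme-challenge.<domain> and expects
         base64url(SHA-256(key authorization)).
Both values derive from the token plus the account key's thumbprint, so
the published TXT record never exposes the account key itself.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 thumbprint input: only the required public members for the
    key type, lexicographically ordered, with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]  # KeyError for unsupported key types
    return json.dumps({k: jwk[k] for k in members},
                      sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_challenge(token: str, jwk: dict) -> tuple:
    """(URL path the webserver must serve, body the CA expects)."""
    return (f"/.well-known/acme-challenge/{token}",
            key_authorization(token, jwk))


def dns01_challenge(domain: str, token: str, jwk: dict) -> tuple:
    """(TXT record name, TXT record value the CA expects)."""
    ka = key_authorization(token, jwk)
    return (f"_acme-challenge.{domain}",
            b64url(hashlib.sha256(ka.encode()).digest()))


# Constructed sample account key (NOT a real key) and sample token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmb"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
```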