From: Lonnie A. <li...@lo...> - 2017-01-12 17:58:27

Great work David. I'd suggest adding two lines: since HTTPSCERT includes a private key, set mode 600, and add a sleep 1 to allow the stopping of lighttpd to settle down.

--
if [ -n "$HTTPSCERT" ]; then
  service lighttpd stop
  cat "$_ckey" "$_ccert" > "$HTTPSCERT"
+ chmod 600 "$HTTPSCERT"
  if [ -n "$HTTPSCHAIN" ]; then
    cat "$_cfullchain" > "$HTTPSCHAIN"
  fi
+ sleep 1
  service lighttpd init
fi
--

BTW, I independently spent a couple hours researching ACME clients and came to the same conclusion as you: acme.sh https://github.com/Neilpang/acme.sh is the best for AstLinux, and seems to be one of the only clients that supports DNS TXT validation. Also pfSense has recently decided to use acme.sh as well.

acme.sh uses vanilla shell, curl and openssl as dependencies, perfect for us.

As you suggested David, we probably should add this to the build system ... a work in progress and disabled by default.

My thoughts on naming ...

package "acme"
/etc/acme -> /mnt/kd/acme/
/etc/ssl/acme -> /mnt/kd/ssl/acme/

Possibly install into /stat/etc/acme/ and run under /mnt/kd/acme/, but this is looking tricky to do at build time as acme.sh --install tries to be "smart" and is more of a target method. Hmmm, more thinking required ... possibly we can set USER_PATH="/mnt/kd/acme" and act like IN_CRON=1 .

Lonnie

On Jan 11, 2017, at 9:10 PM, David Kerr <Da...@Ke...> wrote:

> Thanks Lonnie. I now have a trusted certificate working for lighttpd HTTPS on AstLinux. Here is what I did...
>
> Add HTTPSCHAIN=/mnt/kd/ssl/https_ca_chain.pem to user.conf
>
> Install acme.sh (see https://github.com/Neilpang/acme.sh) on my astlinux. From ~ (root home)...
>
> curl https://codeload.github.com/Neilpang/acme.sh/tar.gz/master > acme.sh-master.tar.gz
> tar xzf acme.sh-master.tar.gz
> cd acme.sh-master
> ./acme.sh --install --home /etc/acme.sh --accountemail "your@email.here" --useragent "AstLinux"
>
> The process of installing should ideally be done as part of the AstLinux build... we could add a package "letsencrypt" which gets acme.sh and places it into the right directory (I chose /etc/acme.sh). Though the last part which sets the account email would have to be done later. Note that the install process adds a crontab as well, which is needed for auto renew.
>
> Add a script file... /etc/acme.sh/deploy/astlinux.sh which contains the following (modeled on their template)...
>
> #!/usr/bin/env bash
>
> #Here is a sample custom api script.
> #This file name is "myapi.sh"
> #So, here must be a method myapi_deploy()
> #Which will be called by acme.sh to deploy the cert
> #returns 0 means success, otherwise error.
>
> . /etc/rc.conf
>
> ######## Public functions #####################
>
> #domain keyfile certfile cafile fullchain
> astlinux_deploy() {
>   _cdomain="$1"
>   _ckey="$2"
>   _ccert="$3"
>   _cca="$4"
>   _cfullchain="$5"
>
>   _debug _cdomain "$_cdomain"
>   _debug _ckey "$_ckey"
>   _debug _ccert "$_ccert"
>   _debug _cca "$_cca"
>   _debug _cfullchain "$_cfullchain"
>
>   if [ -n "$HTTPSCERT" ]; then
>     service lighttpd stop
>     cat "$_ckey" "$_ccert" > "$HTTPSCERT"
>     if [ -n "$HTTPSCHAIN" ]; then
>       cat "$_cfullchain" > "$HTTPSCHAIN"
>     fi
>     service lighttpd init
>   fi
>   return 0
> }
>
> This takes care of lighttpd... but the deploy script could be expanded to handle SIP-TLS or other places where you want to use the same certificate.
>
> Now request a certificate...
>
> /etc/acme.sh/acme.sh --home /etc/acme.sh --issue -d yourdomain.tld -w /home/ftp/www -d pbx.yourdomain.tld -d sip.yourdomain.tld
>
> You can add multiple domains with the -d flag (all must be valid public URLs that can be validated as owned by you).
> This assumes that HTTPDIR is /home/ftp/www (ideally we should wrap this in a script that gets it from $HTTPDIR) and that port 80 is open... validating domains by DNS is for another day... this method gets me started.
>
> Now deploy the certificate...
>
> /etc/acme.sh/acme.sh --home /etc/acme.sh --deploy -d yourdomain.tld --deploy-hook astlinux
>
> Which runs the above astlinux.sh file we placed in the /etc/acme.sh/deploy directory. Note that the script does a stop / init on lighttpd because a restart would not be good enough (because the ca chain file might not exist when init is first run).
>
> Now whenever the certificate is renewed, the certificates are updated and the deploy script is run automatically. This would be triggered by the cron job.
>
> If you start to play with this, be sure to add --test to all acme.sh commands during your testing.... to point it at a test server. LetsEncrypt limits the number of times you can request/renew a certificate each week, which you could easily hit during testing. When ready to use a real certificate, --revoke the test ones and then --issue from the non-test server.
>
> David
>
> On Wed, Jan 11, 2017 at 1:19 PM, Lonnie Abelbeck <li...@lo...> wrote:
> > Hi David,
> >
> > #2 solved, a good feature to have for completeness. Specify in user.conf.
> >
> > https://sourceforge.net/p/astlinux/code/8089
> >
> > Lonnie
> >
> >
> > On Jan 10, 2017, at 10:40 PM, David Kerr <Da...@Ke...> wrote:
> > >
> > > Tonight's discoveries on this topic...
> > >
> > > • Lighttpd loads certificates at startup only, so the service will need to be stopped and started again each time the certificates are renewed (60 days).
> > > • LetsEncrypt is issuing chained certificates; the intermediate certificates may not be included in browsers. You therefore have to add the chain to the web server. So lighttpd.conf needs a ssl.ca-file set in addition to ssl.pemfile.
> > > • LetsEncrypt issues the cert and key as two separate files. The pem file that lighttpd needs has to be created each time the certs renew.
> > > • The DNS registrar that I use (freeDNS) does not have an API to update TXT records. Admin there suggests using POST to the subdomain web site... in other words I need to create my own API!
> > >
> > > Nothing is ever easy, huh?
> > >
> > > For #1 and #3... I will need to create a script to create the pem file and restart lighttpd. Should be easy enough.
> > > For #2... to maintain the autogenerated lighttpd.conf file, need support for chain CA files added to the web interface (or recognize a variable we can set in user.conf, e.g. HTTPSCHAIN=/mnt/kd/ssl/mydomain.tld/fullchain.cer) and update the /etc/init.d/lighttpd init() function to recognize it.
> > > For #4... more thinking to be done.
> > >
> > > David
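The deploy hook from David's post, reworked as an added example (my code, not the thread's, AstLinux's or acme.sh's) that covers Lonnie's chmod 600 point without a window in which the key+cert file is readable under the default umask: the PEM is written 0600 to a temp file beside the target and renamed into place. It assumes HTTPSCERT and HTTPSCHAIN from user.conf and a hypothetical LIGHTTPD_CTL variable standing in for `service lighttpd`, so the function can be exercised offline.

```shell
#!/bin/sh
# Added example, not AstLinux or acme.sh code. A "cat > $HTTPSCERT" followed by
# chmod leaves the private key at umask permissions until the chmod runs; here
# the data goes to a 0600 temp file in the target directory and mv renames it
# into place, which is atomic on a single filesystem. LIGHTTPD_CTL is a
# hypothetical override for "service lighttpd" (set it to ":" to dry-run).

LIGHTTPD_CTL="${LIGHTTPD_CTL:-service lighttpd}"

# write_pem MODE DEST: copy stdin to DEST with MODE, atomically.
# mktemp creates the temp file 0600; umask 077 guards anything else created in
# that subshell. On any failure the temp file is removed and 1 is returned.
write_pem() {
  _mode="$1"
  _dest="$2"
  _tmp=$(umask 077 && mktemp "$(dirname "$_dest")/.pem.XXXXXX") || return 1
  if cat > "$_tmp" && chmod "$_mode" "$_tmp" && mv -f "$_tmp" "$_dest"; then
    return 0
  fi
  rm -f "$_tmp"
  return 1
}

# acme.sh deploy-hook entry point: domain keyfile certfile cafile fullchain
astlinux_deploy() {
  _cdomain="$1"; _ckey="$2"; _ccert="$3"; _cca="$4"; _cfullchain="$5"
  # nothing configured means nothing to deploy, which is not an error
  [ -n "$HTTPSCERT" ] || return 0

  # lighttpd reads its certificates only at startup, hence stop / init
  $LIGHTTPD_CTL stop
  # key + cert in one PEM; private because it carries the key
  cat "$_ckey" "$_ccert" | write_pem 600 "$HTTPSCERT" || return 1
  if [ -n "$HTTPSCHAIN" ]; then
    # the chain is public material; 644 keeps it readable by lighttpd's user
    write_pem 644 "$HTTPSCHAIN" < "$_cfullchain" || return 1
  fi
  $LIGHTTPD_CTL init
}
```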