
Let’s encrypt automation on Debian - nereid666
http://eblog.damia.net/2015/12/03/lets-encrypt-automation-on-debian/
======
diafygi
FYI, if you don't want to install all the dependencies of the official
letsencrypt client, I made a <200 line python script that automates issuing
and renewing certificates. Love the Let's Encrypt project, but really don't
want to install all those dependencies on my server just to get a free cert.

[https://github.com/diafygi/acme-tiny](https://github.com/diafygi/acme-tiny)

~~~
joshmoz
Head of Let's Encrypt here. I don't love the number of dependencies for our
client either, we're going to work to reduce them.

~~~
diafygi
No worries! Every time I see a Let's Encrypt thread on HN, there's always
complaining about having to trust the official client with root access,
webserver configs, dependencies, or whatever. So I made my clients
(letsencrypt-nosudo, gethttpsforfree.com, acme-tiny) to shut those people up.
My clients are not intended to serve the wider Let's Encrypt target audience,
who probably don't know what a CSR is. But for those who do, I made clients
that don't ask for the access/trust that the official client needs to serve
its target audience.

Thanks for making Let's Encrypt and ACME!

~~~
jannic
And thanks for writing acme-tiny!

It was really easy to set up automatic renewals, running as an ordinary user.
sudo access for reloading apache is the only privileged operation necessary.
Great job!

------
schoen
Most people shouldn't need both cert.pem and fullchain.pem, because
fullchain.pem is "full" because it also contains a copy of cert.pem (unlike
chain.pem, which doesn't). (I chose these names for the structure of Let's
Encrypt's certificate storage.)
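An added example (not posted by anyone in this thread) that assembles fullchain.pem from cert.pem and chain.pem the way schoen describes and checks the result; the PEM bodies are constructed placeholders, not real certificates, so it runs offline:

```python
import re

# Constructed sample PEM blocks: placeholder base64 bodies standing in for
# the leaf (cert.pem) and the intermediate (chain.pem).
CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "TEVBRkNFUlRJRklDQVRFUExBQ0VIT0xERVI=\n"
    "-----END CERTIFICATE-----\n"
)
CHAIN_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "SU5URVJNRURJQVRFUExBQ0VIT0xERVI=\n"
    "-----END CERTIFICATE-----\n"
)

# A block only counts if its BEGIN line starts at the beginning of a line,
# which is how strict PEM readers behave.
PEM_BLOCK = re.compile(
    r"^-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.M | re.S,
)


def pem_blocks(text):
    """Return the base64 body of every CERTIFICATE block, in file order."""
    return [m.group(1).strip() for m in PEM_BLOCK.finditer(text)]


def build_fullchain(cert_pem, chain_pem):
    """Leaf followed by chain, with a newline guaranteed between the blocks.

    A cert.pem missing its trailing newline would otherwise glue
    '-----END CERTIFICATE-----' to the next '-----BEGIN' line, and the
    intermediate would silently be lost by the server's PEM reader.
    """
    if not cert_pem.endswith("\n"):
        cert_pem += "\n"
    return cert_pem + chain_pem


def check_fullchain(fullchain_pem, cert_pem, chain_pem):
    """True iff fullchain is exactly the single leaf followed by the chain."""
    leaf = pem_blocks(cert_pem)
    chain = pem_blocks(chain_pem)
    if len(leaf) != 1 or not chain:
        return False
    return pem_blocks(fullchain_pem) == leaf + chain
```

`check_fullchain(CHAIN_PEM, CERT_PEM, CHAIN_PEM)` is false, which is the chain.pem-versus-fullchain.pem distinction in the comment above.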

------
azdle
For anyone that wants to do this w/ nginx, you can add this location
configuration to any "server" block for the challenge portion:

    location /.well-known/acme-challenge/ {
        alias /var/www/acme-webroot/.well-known/acme-challenge/;
    }

Then use this tool from mozilla to get a configuration for installing the
cert: [https://mozilla.github.io/server-side-tls/ssl-config-generat...](https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.9.5)

------
IshKebab
I really hope letsencrypt doesn't delay the real solution - DANE.

~~~
_yy
It's not a good solution.

[https://www.imperialviolet.org/2015/01/17/notdane.html](https://www.imperialviolet.org/2015/01/17/notdane.html)

~~~
IshKebab
The TL;DR of that is:

1. DNSSEC uses a lot of 1024-bit RSA signatures (those are relatively weak)
2. You can't monitor the certificates that CAs issue because anyone can issue
their own certificates.

The first issue seems valid, but fixable. The second is a weird thing to
complain about because it is the entire point of DANE!

~~~
nickik
Fixable but very unlikely to be fixed anytime soon. Plus the tons of technical
issues that make it even more of a problem to use and maintain. To make it
viable it would probably have to start over.

I'm not holding my breath.

------
StavrosK
Isn't Let's Encrypt supposed to launch the open beta today? Let's hope it
actually happens...

~~~
metachris
You can sign up for the private beta and get access pretty quickly:
[https://docs.google.com/a/allaboutapps.at/forms/d/15Ucm4A20y...](https://docs.google.com/a/allaboutapps.at/forms/d/15Ucm4A20y2rf9gySCTXD6yoLG6Tba7AwYgglV7CKHmM/viewform?edit_requested=true)

~~~
StavrosK
I signed up for a few domains early on and they were enabled, I signed up for
two more two days ago but haven't heard back yet.

~~~
r0muald
Perhaps because the private beta was closed two days ago:
[https://community.letsencrypt.org/t/beta-program-announcemen...](https://community.letsencrypt.org/t/beta-program-announcements/1631/8)

------
ausjke
This might be a dumb question, after I auto-generate all those ssl certs, how
am I going to certify it at some CA so that all browsers will not pop up a
warning page when the ssl-site is accessed? What's the key difference between
letsencrypt and a self-signed ssl certificate?

~~~
diafygi
The certificates that Let's Encrypt issues are cross-signed by IdenTrust (a
real CA) so browsers should trust the certificate you get from Let's Encrypt.
NOTE: just like with other TLS certs, you will need to include the Let's
Encrypt intermediate certificate in your webserver config so that it can be
chained back to IdenTrust.

EDIT: IdenTrust, not Entrust, sorry!

~~~
joshmoz
Let's Encrypt is cross-signed by IdenTrust, not Entrust.

