Certbot Apache Plugin - GnuTLS instead of OpenSSL

Hello,

I am trying to use Letsencrypt to secure one of my dev servers. I don’t need to worry about a userbase and their odd browsers etc. as only five people will have access, all of whom I work with. Therefore I have limited
/etc/apache2/mods-available/ssl.conf to only allow TLSv1.2, with strong ciphers.

Apache2 on Ubuntu 16.04 comes with GnuTLS as default - and I would like to use it. But when I run “sudo certbot” it enables mod_ssl.
I have looked around the documentation to see a switch to make it use GnuTLS instead, but no luck.
As always there are three options:

  1. I am ‘blind’ and it is there and I have just missed it
  2. I am not fully understanding the relationship between components, in this case mod_ssl and mod_gnutls
  3. what I am looking for is not there (i.e. Letsencrypt only works with mod_ssl)

Which one is it? :slight_smile:

Please fill out the fields below so we can help you better.

My domain is: n/a

I ran this command: sudo certbot

It produced this output: “… Enabled Apache SSL module …”

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu Server 16.04LTS

My hosting provider, if applicable, is: bigV.io

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): command line only

  1. what I am looking for is not there (i.e. Letsencrypt only works with mod_ssl)

GNUTLS and OpenSSL are both cryptographic libraries.

Apache interacts with OpenSSL via the mod_ssl plugin (http://httpd.apache.org/docs/current/mod/mod_ssl.html)

Apache can interact with the GNUTLS library via the mod_gnutls plugin https://mod.gnutls.org/

I am pretty certain that certbot only uses the mod_ssl library however… there are no reasons (I can think of) that there shouldn’t be support for the mod_gnutls plugin.

The configurations are also different http://www.bauer-power.net/2012/11/how-to-upgrade-from-ssl-to-gnutls-for.html#.WS2OJPmGPIU

Andrei

1 Like

I can see there are some tests for mod_gnutls - https://github.com/certbot/certbot/search?utf8=✓&q=mod_gnutls&type=

As well as that, I can only see mod_ssl in the install packages: https://github.com/certbot/certbot/search?l=Shell&q=mod_ssl&type=&utf8=✓

Andrei

Thank you Andrei!

So, if I understand you correctly,

a) at this time Letsencrypt uses mod_ssl only
b) what I am looking for (mod_gnutls support) may be possible, only no one has asked for it?

If that is the case, I am quite happy to log a feature request for it when I find where that is done :slight_smile:

Follow-up question (and this shows how little I had played with all of this until yesterday):
If I go through the certbot routine, get a certificate installed and it works - is there anything stopping me from then pointing my gnutls-enabled virtual host config at that cert, and disabling mod_ssl again? Or will that not work?

Thanks again!
Hanry

hi @Hanry

Just open a new post and change the type from help to feature request.

I would use the webroot plugin instead. https://certbot.eff.org/docs/using.html#webroot

I think there is a connection between mod_ssl and the apache syntax that goes beyond the certificate request.

You will then be able to use the mod_gnutls syntax (as documented above) to get the certificates in the /etc/live folder.

Andrei

Brilliant, thank you very much for your quick and helpful answers!

I won’t mark the post as solved yet, but I will if I can get that to work :wink:

Thanks,
Hanry

That should work just fine. This is what certbot certonly can do. However, if you use --apache it will also be using mod_ssl for the temporary virtualhost (that you never see) created during the authorization process. If you want to use Certbot and don't want mod_ssl to ever be used, right now you ought to use certbot certonly --webroot.

In agreement with @ahaw021, nobody has asked for this before. The installer that attempts to modify your Apache configuration file (if you use the default form, also known as certbot run, with --apache) is hard-coded to use mod_ssl directives because that's what almost all Apache users have and expect to use at the moment.

1 Like
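The workflow the replies converge on (certbot certonly --webroot to fetch the certificate without touching Apache, then a mod_gnutls virtual host that reads the files certbot leaves under /etc/letsencrypt/live) can be put together in one script. The following is an added example, not code from this thread or from the certbot or mod_gnutls projects. DOMAIN, WEBROOT and the hook file name are assumed values; GnuTLSEnable, GnuTLSCertificateFile, GnuTLSKeyFile and GnuTLSPriorities are real mod_gnutls directives, and the priority string is the GnuTLS equivalent of the OP's "TLSv1.2 only, strong ciphers" restriction in ssl.conf. The renewal-hooks/deploy directory is only honoured by newer certbot releases (assumption: 0.17 or later); on an older certbot the same reload can be done from a cron job after certbot renew.

```bash
#!/usr/bin/env bash
# Added example: Let's Encrypt certificate for a mod_gnutls vhost, mod_ssl never enabled.
# Assumed values: DOMAIN, WEBROOT, the vhost file and the deploy-hook file name.
set -eu

DOMAIN="${DOMAIN:-dev.example.com}"   # assumed
WEBROOT="${WEBROOT:-/var/www/html}"   # assumed: DocumentRoot of the existing plain-HTTP vhost

# 1. Certificate only. "certonly --webroot" answers the HTTP-01 challenge from
#    WEBROOT over port 80 and does not edit any Apache config, so the mod_ssl
#    module (and certbot's temporary mod_ssl vhost) is never involved.
obtain_cert() {
    certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN"
}

# 2. mod_gnutls vhost pointing at the live/ symlinks, which certbot repoints on
#    every renewal. Mapping from the mod_ssl directives the OP already has:
#      SSLEngine on               -> GnuTLSEnable on
#      SSLCertificateFile (chain) -> GnuTLSCertificateFile fullchain.pem
#      SSLCertificateKeyFile      -> GnuTLSKeyFile privkey.pem
#      SSLProtocol / SSLCipherSuite -> one GnuTLSPriorities string
render_gnutls_vhost() {
    local domain="$1" live="/etc/letsencrypt/live/$1"
    cat <<EOF
<VirtualHost *:443>
    ServerName ${domain}
    GnuTLSEnable on
    # fullchain.pem holds the leaf first, then the intermediate, which is the
    # order mod_gnutls expects in a single file.
    GnuTLSCertificateFile ${live}/fullchain.pem
    GnuTLSKeyFile ${live}/privkey.pem
    # TLS 1.2 only, 256-bit ciphers, ECDHE key exchange only (forward secrecy).
    GnuTLSPriorities SECURE256:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA
    DocumentRoot ${WEBROOT}
</VirtualHost>
EOF
}

# Guard against the failure mode this thread is about: a vhost that still
# carries mod_ssl directives would make "a2dismod ssl" break Apache startup.
# Reads a config on stdin; returns 1 if any SSL* directive is present.
check_gnutls_only() {
    if grep -Eq '^[[:space:]]*SSL[A-Za-z]+' ; then
        return 1
    fi
    return 0
}

# 3. Apache keeps the old key and certificate in memory until it is reloaded,
#    so a renewed certificate is not served without this hook.
install_reload_hook() {
    local hook=/etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh   # assumed name
    mkdir -p "$(dirname "$hook")"
    cat > "$hook" <<'EOF'
#!/bin/sh
apache2ctl graceful
EOF
    chmod 0755 "$hook"
}

# 4. Post-deployment check with gnutls-cli: a TLS 1.0 handshake must be refused
#    and a TLS 1.2 handshake must succeed. stdin is closed so gnutls-cli exits
#    right after the handshake.
verify_tls12_only() {
    ! gnutls-cli --priority 'NORMAL:-VERS-ALL:+VERS-TLS1.0' "$1" </dev/null >/dev/null 2>&1 \
      && gnutls-cli --priority 'NORMAL:-VERS-ALL:+VERS-TLS1.2' "$1" </dev/null >/dev/null 2>&1
}

# Typical run as root:
#   obtain_cert
#   render_gnutls_vhost "$DOMAIN" > /etc/apache2/sites-available/"$DOMAIN"-gnutls.conf
#   check_gnutls_only < /etc/apache2/sites-available/"$DOMAIN"-gnutls.conf
#   a2enmod gnutls && a2dismod ssl && a2ensite "$DOMAIN"-gnutls && apache2ctl graceful
#   install_reload_hook
#   verify_tls12_only "$DOMAIN"
```

The certificate files themselves are library-agnostic PEM, which is why the hand-off works: certbot only needs mod_ssl when it is asked to install the certificate into Apache, not to obtain it. The priority string is deliberately restrictive to match the OP's five-user dev server; a public site would normally start from NORMAL and only drop old protocol versions.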
