Help needed to run certbot in busybox

I see from the changelog of certbot “support for busybox”

How do you actually run certbot on BusyBox? I have certbot updating my Let's Encrypt certificates on CentOS just fine, but it was installed via yum. I'm now trying to have this running on my Linux-based open source router which has BusyBox built in. BusyBox doesn't have Python, so ideally I would need a script based on /bin/sh?

On github there are so many certbot files available, what do I actually need for Busybox?
Can anybody please provide some help on the steps necessary?

Thanks

Try https://certbot.eff.org/lets-encrypt/pip-other

How much RAM/storage does your Linux router have? If it’s not much, it might be better to use a more lightweight client.

For lightweight options, https://github.com/Neilpang/acme.sh is a shell-based one, but it does still require curl/wget and openssl to be available.

Well I'm actually developing this to integrate with tomato which supports devices from 4MB to 256MB of RAM.
Storage is usually in RAM or USB/JFFS/CIFS

I have downloaded the certbot-auto and running it I get this error:

root@tomato:/tmp# ./certbot-auto
./certbot-auto: line 209: id: not found
test: bad number
Sorry, I don't know how to bootstrap Certbot on your operating system!

You will need to install OS dependencies, configure virtualenv, and run pip install manually.
Please see Contributing — letsencrypt latest documentation
for more info.
root@tomato20n:/tmp# ./certbot-auto certonly --standalone
./certbot-auto: line 209: id: not found
test: bad number
Sorry, I don't know how to bootstrap Certbot on your operating system!

You will need to install OS dependencies, configure virtualenv, and run pip install manually.
Please see Contributing — letsencrypt latest documentation
for more info.

I did look into acme.sh briefly (and tried different parameters) but it seems like it's not working out of the box, as I always get messages like this:

root@tomato:/tmp# ./acne.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Certbot is definitely not suitable in such a constrained environment - I'd forget about it for sure.

It sounds like your environment is missing a CA trust store, so curl can't securely talk to the Let's Encrypt API server.

One way to remedy this is to set the CURL_CA_BUNDLE environment variable. The file itself you can get from curl - Extract CA Certs from Mozilla.

Finally ..

I would also suggest looking at GitHub - ndilieto/uacme: ACMEv2 client written in plain C with minimal dependencies. It was posted here a while ago, and one of its explicit aims is use cases like yours. But acme.sh should be fine too.

3 Likes
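One way to apply the CURL_CA_BUNDLE suggestion above on a BusyBox router, as an added example that is not part of the thread: a POSIX sh helper that looks for a usable PEM bundle (the candidate paths are assumptions, and a bundle you copied yourself can be passed as an argument) and exports the variable, so acme.sh's curl calls verify the Let's Encrypt API instead of failing with "curl: (60)" or being run with -k.

```shell
#!/bin/sh
# Added example, not from the thread or from acme.sh/uacme.
# Goal: make curl on a BusyBox system trust a CA bundle via CURL_CA_BUNDLE
# rather than disabling verification with -k/--insecure.

# find_ca_bundle [path...]: print the first usable PEM bundle and return 0,
# or return 1 when none is found. Paths given as arguments are tried first,
# then a few common locations (assumed; adjust for your firmware).
find_ca_bundle() {
    for f in "$@" \
             /etc/ssl/certs/ca-certificates.crt \
             /etc/ssl/cert.pem \
             /etc/pki/tls/certs/ca-bundle.crt \
             /opt/etc/ssl/certs/ca-certificates.crt; do
        # An empty or non-PEM file would still make curl fail with error 60,
        # so require a readable file that contains at least one certificate.
        if [ -r "$f" ] && grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# setup_curl_ca [path...]: export CURL_CA_BUNDLE pointing at a usable bundle.
# Returns 1 (and leaves the variable untouched) when no bundle is available,
# so the caller can stop instead of falling back to insecure mode.
setup_curl_ca() {
    bundle=$(find_ca_bundle "$@") || return 1
    export CURL_CA_BUNDLE="$bundle"
    return 0
}

# Typical use on the router, before running acme.sh:
#   setup_curl_ca /jffs/cacert.pem || { echo "no CA bundle found" >&2; exit 1; }
#   ./acme.sh --issue -d example.com --standalone
```

If curl still reports error 60 with a valid bundle, the problem is the server certificate itself (expired or hostname mismatch), not the trust store, and the fix is not to disable verification.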

The fact certbot now "supports" busybox, doesn't mean it only requires busybox! In fact, it requires quite a few dependencies.

The support for busybox was also limited to the certbot-auto-script, not the certbot Python program itself: Busybox support (#3797) · certbot/certbot@184d673 · GitHub

Rather off-topic, because this isn't going to help you at all, but it's rather strange the certbot-auto script fails on the id command, as BusyBox should include an id function. My NAS running BusyBox 1.19.4 does anyway:

~ # ls -l /bin/id 
lrwxrwxrwx    1 root     root             7 Nov  8  2018 /bin/id -> busybox
~ # 
1 Like

That was exactly the reason I developed uacme. Unlike shell/python based solutions, uacme ONLY requires libcurl and one of GnuTLS, OpenSSL or mbedTLS. The latter is particularly well suited to embedded devices.

uacme is now available in

One of the OpenWRT developers has made a very interesting size comparison between acme.sh and uacme:

You can't easily fit acme.sh and use it in an 8MB flash router if it's not included in the squashfs partition.
The dependencies for acme are

114K ca-bundle_20190110-1_all.ipk
48K curl_7.65.0-1_x86_64.ipk
127K libcurl4_7.65.0-1_x86_64.ipk
1.5M libopenssl1.1_1.1.1c-1_x86_64.ipk
181K libmbedtls12_2.16.1-1_x86_64.ipk
4.8K libopenssl-conf_1.1.1c-1_x86_64.ipk
259K openssl-util_1.1.1c-1_x86_64.ipk

and uacme

114K ca-bundle_20190110-1_all.ipk
127K libcurl4_7.65.0-1_x86_64.ipk
181K libmbedtls12_2.16.1-1_x86_64.ipk

and ~25K for the uacme itself
