Let's Encrypt on an IoT device

Hello, we are running Linux on a small, low-powered IoT device. We cannot include all the prerequisites for the certbot scripts. Is there a document that can tell us how to interact with the Let’s Encrypt service from an unsupported Linux environment?
Thanks

https://tools.ietf.org/html/rfc8555 describes the entire ACME protocol if you want to program your own integration.

Certbot is only one of many client options - https://letsencrypt.org/docs/client-options/ . A sample of options more suitable for IoT devices:


And one thing that needs to be addressed: can they generate good random numbers with enough entropy? Without that, your clients may end up with weak certificates that can be broken.


Since certificates are signed by Let’s Encrypt (and not the client) the bad random problem for RSA is only relevant in the private key generation. As long as the private key is generated out of reliable randomness, there should be no problem because RSA signatures are deterministic.

Remember that EC signatures are not deterministic and therefore critically dependent on the random source: see https://en.wikipedia.org/wiki/Dual_EC_DRBG

Therefore on an IoT device I would recommend sticking to RSA and, in addition, generating the keys on a separate computer with a proper random number generator. This is easily supported by uacme with the -n switch: https://ndilieto.github.io/uacme

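As an added illustration of the workflow recommended above (not code from uacme or any other project on this page): the device's RSA key and the CSR that an ACME client submits are produced on a workstation with a well-seeded RNG, checked, and only then copied to the device. The hostname `device1.example.com`, the `KEYDIR` location and the entropy threshold are constructed placeholders; everything else is standard OpenSSL 1.1.1+ command-line usage.

```shell
#!/bin/sh
# Generate the device's TLS private key and CSR on a workstation, so the
# constrained IoT device never has to produce long-lived key material from
# a possibly weak entropy source. Placeholders: KEYDIR and DEVICE_NAME.
set -eu

KEYDIR="${KEYDIR:-$(mktemp -d)}"
DEVICE_NAME="${DEVICE_NAME:-device1.example.com}"   # placeholder hostname

# Refuse to generate keys if the (Linux) kernel reports a low entropy pool;
# the 128-bit threshold is an assumed, conservative floor for this example.
rng_ready() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        avail=$(cat /proc/sys/kernel/random/entropy_avail)
        [ "$avail" -ge 128 ]
    else
        return 0   # not Linux: no pool counter to consult
    fi
}

# 2048-bit RSA, as the thread advises: PKCS#1 signatures are deterministic,
# so the device's signing path does not depend on its own RNG.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$KEYDIR/device.key" 2>/dev/null
    chmod 600 "$KEYDIR/device.key"
}

# Sanity-check the key's mathematical components (primes, CRT values).
check_key() {
    openssl pkey -in "$KEYDIR/device.key" -check -noout >/dev/null 2>&1
}

# Build the CSR for the ACME client, carrying the hostname in a SAN
# extension (a bare CN is not sufficient for Let's Encrypt).
gen_csr() {
    openssl req -new -key "$KEYDIR/device.key" -subj "/CN=$DEVICE_NAME" \
        -addext "subjectAltName=DNS:$DEVICE_NAME" \
        -out "$KEYDIR/device.csr" 2>/dev/null
}

# Verify the CSR's self-signature and confirm the SAN is present.
check_csr() {
    openssl req -in "$KEYDIR/device.csr" -verify -noout >/dev/null 2>&1 &&
    openssl req -in "$KEYDIR/device.csr" -noout -text 2>/dev/null |
        grep -q "DNS:$DEVICE_NAME"
}

# Confirm the public key embedded in the CSR belongs to the private key.
key_matches_csr() {
    k=$(openssl pkey -in "$KEYDIR/device.key" -pubout 2>/dev/null)
    c=$(openssl req -in "$KEYDIR/device.csr" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Full offline preparation; the resulting key and CSR are then transferred
# to the device (or handed to the ACME client) over a trusted channel.
main() {
    rng_ready && gen_key && check_key && gen_csr && check_csr && key_matches_csr
    echo "key and CSR ready in $KEYDIR"
}
```

Run `main` on the workstation; the device then only needs the key, the CSR (or the issued certificate) and a minimal ACME client, and never has to generate an RSA modulus itself.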

Would it be possible to use the ACME token as a seed for a PRNG? Or would it be too short? At best we still need an account key, though.
