just a question:
Is the Client compatible with the Raspberri Pi (in my case Model B)
I want to setup let’s encrypt and I only have windows for now and so I want my Raspi to run LE in manual mode, so I can get my certs this way.
BUT
a problem is that a lot of Software is made for x86 CPUs but raspi has an ARM CPU, and this essentially leads to the Issue Windows RT had, it could not run any normal software because that was made for x86 but winRT was for ARM.
so my question: is the LE client compatible with the Raspberry PI or rather, ARM as a whole architecture?
I’ve tested the client on a PI and it works up to the point of authorization. I don’t know about beyond that point but I don’t see why not.
For info, the failure is down to the test server only supporting IPv4 and all of my PI’s are only directly accessible via IPv6 which is a known issue in another thread here.
If your Pi is lucky enough to have a static public IPv4 then it should work.
well I dont have a static IPv4 I have a dynamic one (but the refresh time is rather long) and I only need manual mode since the pi is not my webserver.
so essentially I tell my Pi: make me an LE cert and the PI tells me what I have to do (set a DNS record here, take up this at some webpage, etc)
I do those challenges on my own then I tell my Pi I am finished LW verifies and should give me the cert.
anything wrong with that?
That should work, as long as your host name, eg pi.example.com points to the current dynamic one at the time of authorization it should work.
The issue here is that the server needs to contact the pi via http. Once it’s done that then it doesn’t need to do that again (presumably until the cert is renewed).
why is the direct contact over HTTP needed in manual mode. I thought manual mode is that you do all the stuff yourself and LE Client just does its stuff over acme, like when my webserver is somewhere else, for example on a server without SSH and stuff
I think that the sign something part is dont on the Pi and the webroot challenge for example is something I do myself on the webserver (a bit of FTP and that’s it)
what I think: the client gets a challenge from the LE server.
the LE client instructs me what to do (put 42 on example.com/0815) I do that on the webserver.
I tell the LE client that I did that.
The LE client checks example.com/0815 for the value 42 and if that’s done it’s verified and the Pi gets told that. I dont see any point where the pi needs access as actual webserver.
but the webserver doesnt have to be the pi does it? I mean LE checks whether the challenge is on the pi or some other server as long as it’s on the domain
It needs to run as root, even in manual mode as it creates config under /etc/letsencrypt even in manual mode. I’m not certain if there’s a command line parameter to allow that to be elsewhere.
A bit off topic, but come 16 November, will the client be aware of the OS it's running on, or will I have to manually edit the script?
I'm just wondering as I'm on FreeBSD 10.2 and I need the client to create its config under /usr/local/etc/letsencrypt (I haven't played with the client yet so I'm not sure how aware it is).
Correct, the traffic just must be routed to the device where the file is saved. Basically that can be done if the webserver and the Pi have the same IP. (behind a NAT)
The general answer about Raspberry Pi compatibility is easy:
The client is written in Python. So everywhere where Python can be executed you can run the client and therefore get a certificate. Of course that’s possible on a Raspberry Pi.
The only things I can image which could prevent this are some incompatibilities to other software (webserver), which would prevent the automated installation and in some cases renewal of the certificates. However that’s very unlikely if you speak about the hardware you choose (Raspberry Pi), because you can install almost all important Linux software on all Linux devices, so what matters much more is the software you use.
do the webserver and the pi really need the same IP?
imagine this:
I have some hosting where I dont have SSH but wanna have LE so I try to use my Pi (which is at a completely different IP) so it should go like this (manual mode in theory)
Pi contacts LE server and requests and account for example.com
LE Server tells Pi the challenge (in this case webrrot)
Pi shows the user the challenge
User puts challenge on server
User tells Pi to tell LE that the challenge has been completed and can be verified
LE goes at example.com/challenge-url to check the challenge
LE tells the Pi whether it was successful or not.
I dont see any reason why the Pi and the LE client have to be in the same network or even need the same public IP
I dont really wanna take a site down for a while (DNS TTLs can be awfully long when you dont want it) just to make a cert and it doesnt really make sense to do so.
also I said often enough manual mode since the Pi is just the means for the purpose (like having a server without SSH or a windows webserver)
so with python it is more or less like with PHP or javascript, so as long as I have a proper interpreter the architecture doesnt matter? that’s nice.
At first it of course depends on the verification mode and there are a few different currently.
The second thing is: No it does not really have to be the same IP. I just told it because it was the easiest solution/use case I could see.
Generally (when using a non-DNS-based verification method) you just have to get the traffic from the LE server to your Raspi which you want to verify. So It's all about this step:
How you do this is your thing. BGB routing can be manipulated quite easily, but... eh.. no that's more an attackers scenario.
Other things you could do include temporarily changing the DNS record or just using another challenge method like DNS-based verification.
how ofte am I writing that I am talking about the manual mode?
but why?
cant I just push the challenge I got from the raspi to the server and LE gets the challenge from that server so I dont have to take my website offline?
