Setting up and using letsencrypt without a Web server

I don't run, and don't want to run, a Web server: I want to use letsencrypt to provide certificates (including a SAN) for an HTTPS server I've written in Python3 that provides specialized services. The server works fine with a commercial certificate (but without a SAN, which is a nuisance), but I'd rather go with letsencrypt. Is there a way to do this, and if so, where can I find out all the details? I'm technically knowledgeable and experienced in general, but not deeply familiar with Web protocols. My current server runs on Ubuntu Linux 20.04.3, but I want to run it on an OpenBSD 6.4 system. TIA for any help.

There are multiple challenges possible to prove ownership of hostnames, please see the Let's Encrypt documentation about the challenge types:

Notice that some challenges require the serving of a token over HTTP. If you don't run a webserver and don't want to, often ACME clients can spin up a temporary webserver to serve just the token. The ACME client certbot can do this using its "standalone" plugin, which is just an implementation of the build in HTTP listener in Python.

Other ACME clients might have similar or other methods or you could use the DNS challenge.

3 Likes

Support for OpenBSD 6.4 ended in October of 2019 (almost two years ago).
Is there a reason that hasn't been updated?
[I only bring that up because I'm paranoid about security - LOL]

In any case, you should be able to use certbot to obtain and renew the cert (with SAN entry) you need.
See installation instructions: Certbot - Opbsd6 Other (eff.org)

Support for OpenBSD 6.4 ended in October of 2019 (almost two years ago).
Is there a reason that hasn't been updated?
[I only bring that up because I'm paranoid about security - LOL]

My practice on OS upgrades is always to install on a clean disk and then
copy over user files. However, this system is a RAID blade server on which
this procedure is impractical, so I'm planning not to upgrade as long as the
hardware lasts. The server doesn't do much -- it holds a lot of file
archives, is a very low-traffic MTA, and (if I can get letsencrypt working)
will serve as a home task organizer for 3 people -- and while I'm reasonably
security-conscious, given the combination of low traffic, limited services
(ssh, smtp, imap, and the single-function https server) and OpenBSD's good
security record, I'm not too concerned. In fact, the only reason I want to
upgrade my home gateway, which runs OpenBSD 5.5, is that its sendmail
installation crashes on certain bad messages and its DNS server doesn't
implement some newer protocol and therefore has a lot of transitory
failures.

Are you expert with OpenBSD? I struggled literally for months trying to get
smtpd configured to replace sendmail on my gateway, and finally gave up.
Exhaustion from that struggle is the only thing keeping me from upgrading
the gateway, and I could happily go for the most recent OpenBSD release.

In any case, you should be able to use certbot to obtain and renew the cert
(with SAN entry) you need.
See installation instructions: Certbot - Opbsd6 Other (eff.org)

My impression was that certbot requires a fully functional Web server
listening on port 80, which is one of the things I really want to avoid.
Did I misunderstand?

Thanks -

aeadmin

1 Like

I wrote:

My practice on OS upgrades is always to install on a clean disk and then
copy over user files. However, this system is a RAID blade server on
which this procedure is impractical, so I'm planning not to upgrade as
long as thehardware lasts.

Of course I could copy the user files to an external drive, do a clean
install, and copy them back, but for the reasons I gave, I'm not highly
motivated to go to the trouble.

aeadmin

https://www.cvedetails.com/cve/CVE-2020-7247/

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

1 Like

Yes, I think you may have misunderstood.
There are different authentication methods.
HTTP authentication does require an HTTP response, but you don't have to have a fulltime web server installed to do so. certbot can spin-up a temporary web server only to complete the HTTP challenge request (and then it shuts down).
So, yes, it does require a "fully functional web server" - but only for a very brief moment (and only for challenge request responses).

I'm confused about you saying that "don't want to run a Web server" but at the same time have an "HTTPS server I've written". I think what you're looking to do (at least if you're looking for another programming task) is to integrate the acquisition of a certificate into your custom web server you've written. As certbot is written in python, you should be able to use the underlying acme library that it uses yourself to request a certificate that you can use, handling the HTTP-01 challenge within your custom server.

1 Like

I'm confused about you saying that "don't want to run a Web server" but at
the same time have an "HTTPS server I've written".

The server uses HTTPS to provide a specialized service that is not Web
browsing or, in fact, related to the Web in any way; but a Web browser is a
great front-end platform, since I get to use HTML, CSS, and JavaScript for
the user interface. I can see why this might be confusing.

I think what you're looking to do (at least if you're looking for another
programming task) is to integrate the acquisition of a certificate into
your custom web server you've written.

Substituting "HTTPS" for "web," that's exactly right, and another modest
programming task doesn't faze me. Thanks for giving me the pointer to where
to look for what I need to integrate.

aeadmin

1 Like

Hi, to avoid using a web server for challenge validation use DNS validation instead (updating TXT record in your domain DNS).

You can do this with certbot (and the requried plugins) or using acme.sh, GitHub - srvrco/getssl: obtain free SSL certificates from letsencrypt ACME server Suitable for automating the process on remote servers. etc.

You then take the issued certificate (in the form of a public certificate chain, and private key file) and configure your service to use it. Job done.

1 Like

If you're effectively building your own client (even though using an existing ACME library), you probably want to read through the integration guide, and ensure you do your testing against the staging environment.

2 Likes