Thank you Let's Encrypt


#1

I would just like to say thank you for bringing browser and email internet security to the world for free. Thank you also to the sponsors that make this possible, and for all of us who use it.

It’s brilliant.

Thank you.


#2

A million times this. I don’t think it’s said and heard enough.

We web developers are truly grateful for Let’s Encrypt!


#3

It’s really exciting stuff, isn’t it? Encrypted SSL/TLS connections for nothing, for little or no effort, and at no cost. It’s like giving everybody in the world a little bit of space to call their own.


#4

Little to no effort? Not for my setup. Manual setup for 14 SANs isn’t funny.


#5

Ouch that does sound painful.

It could be worth you checking out ansible ( https://www.ansible.com/get-started ) to automate that kind of thing. It’s open source too. Yeah!

You’d add all 14 SANs to an inventory list, then run one command using a ‘playbook’ file which has your letsencrypt goodies in it.

If you can SSH into a box using SSH Keys then you can manage a box with ansible. Apparently.


#6

Well, in short, it’s my Windows PC with multiple webroots.
So if there were a client that could handle webroots with multiple domains (or allow DNS “walking up” for DNS challenges; I just have 3 root domains, so I could do that myself), it would be great.


#7

Why don’t you do something like this on your webserver for each virtual host:
Alias /.well-known/acme-challenge /path/to/letsencrypt/.well-known/acme-challenge
and use /path/to/letsencrypt/ as the webroot?


#8

Yeah, interesting idea, already thought about it, BUT!

There is, IIRC, no LE client for Windows yet that doesn’t need IIS to work.
For a lot of vhosts this gets annoying, especially since you have to complete the challenges multiple times, and new vhosts -> new aliases.
While with a one-time setting in the DNS which specifies my public key as authorised for all my root domains (3), I would immediately have no problems getting all below it via walk-up.


#9

Not on Windows; I actually only have one Alias in my global Apache config. My config is as follows:

root@grenade:/# cat /etc/apache2/conf-enabled/letsenrypt.conf 
Alias /.well-known/acme-challenge /home/www-data/vhost/letsencrypt/.well-known/acme-challenge
ProxyPass /.well-known/acme-challenge !
<Directory /home/www-data/vhost/letsencrypt/.well-known/acme-challenge>
    require all granted
</Directory>

Indeed, even if I successfully install the letsencrypt client on Windows (a Windows 7 VM), it fails because it uses the function geteuid from the os module, which is only available on Unix systems. cf. https://community.letsencrypt.org/t/python-virtualenv-on-windows-10-attributeerror-geteuid

C:\>pip install virtualenv 
Collecting virtualenv 
  Downloading virtualenv-14.0.6-py2.py3-none-any.whl (1.8MB) 
    100% |################################| 1.8MB 217kB/s 
Installing collected packages: virtualenv 
Successfully installed virtualenv-14.0.6 
You are using pip version 7.1.2, however version 8.0.2 is available. 
You should consider upgrading via the 'python -m pip install --upgrade pip' command. 
 
C:\>virtualenv letsencrypt 
New python executable in C:\letsencrypt\Scripts\python.exe 
Installing setuptools, pip, wheel...done. 
 
C:\>cd letsencrypt 
 
C:\letsencrypt>cd Scripts 
 
C:\letsencrypt\Scripts>activate.bat 
 
(letsencrypt) C:\letsencrypt\Scripts>pip install letsencrypt 
Collecting letsencrypt 
  Downloading letsencrypt-0.4.0-py2-none-any.whl (197kB) 
    100% |################################| 200kB 660kB/s 
Collecting zope.interface (from letsencrypt) 
  Downloading zope.interface-4.1.3.tar.gz (141kB) 
    100% |################################| 143kB 1.3MB/s 
Requirement already satisfied (use --upgrade to upgrade): setuptools in c:\letsencrypt\lib\site-packages (from letsencrypt) 
Collecting python2-pythondialog>=3.2.2rc1 (from letsencrypt) 
  Downloading python2-pythondialog-3.3.0.tar.bz2 (1.8MB) 
    100% |################################| 1.8MB 217kB/s 
Collecting PyOpenSSL (from letsencrypt) 
  Downloading pyOpenSSL-0.15.1-py2.py3-none-any.whl (102kB) 
    100% |################################| 106kB 1.3MB/s 
Collecting cryptography>=0.7 (from letsencrypt) 
  Downloading cryptography-1.2.2-cp27-none-win_amd64.whl (1.3MB) 
    100% |################################| 1.3MB 260kB/s 
Collecting ConfigArgParse>=0.9.3 (from letsencrypt) 
  Downloading ConfigArgParse-0.10.0.tar.gz 
Collecting parsedatetime (from letsencrypt) 
  Downloading parsedatetime-1.5-py2-none-any.whl (50kB) 
    100% |################################| 53kB 890kB/s 
Collecting configobj (from letsencrypt) 
  Downloading configobj-5.0.6.tar.gz 
Collecting pytz (from letsencrypt) 
  Downloading pytz-2015.7-py2.py3-none-any.whl (476kB) 
    100% |################################| 479kB 525kB/s 
Collecting psutil>=2.1.0 (from letsencrypt) 
  Downloading psutil-4.0.0-cp27-cp27m-win_amd64.whl (156kB) 
    100% |################################| 159kB 871kB/s 
Collecting six (from letsencrypt) 
  Downloading six-1.10.0-py2.py3-none-any.whl 
Collecting acme==0.4.0 (from letsencrypt) 
  Downloading acme-0.4.0-py2.py3-none-any.whl (95kB) 
    100% |################################| 98kB 871kB/s 
Collecting zope.component (from letsencrypt) 
  Downloading zope.component-4.2.2.tar.gz (546kB) 
    100% |################################| 548kB 660kB/s 
Collecting mock (from letsencrypt) 
  Downloading mock-1.3.0-py2.py3-none-any.whl (56kB) 
    100% |################################| 57kB 871kB/s 
Collecting pyrfc3339 (from letsencrypt) 
  Downloading pyRFC3339-1.0-py2.py3-none-any.whl 
Collecting enum34 (from cryptography>=0.7->letsencrypt) 
  Downloading enum34-1.1.2.tar.gz (46kB) 
    100% |################################| 49kB 1.3MB/s 
Collecting ipaddress (from cryptography>=0.7->letsencrypt) 
  Downloading ipaddress-1.0.16-py27-none-any.whl 
Collecting pyasn1>=0.1.8 (from cryptography>=0.7->letsencrypt) 
  Downloading pyasn1-0.1.9-py2.py3-none-any.whl 
Collecting idna>=2.0 (from cryptography>=0.7->letsencrypt) 
  Downloading idna-2.0-py2.py3-none-any.whl (61kB) 
    100% |################################| 61kB 1.3MB/s 
Collecting cffi>=1.4.1 (from cryptography>=0.7->letsencrypt) 
  Downloading cffi-1.5.2-cp27-none-win_amd64.whl (150kB) 
    100% |################################| 151kB 871kB/s 
Collecting requests (from acme==0.4.0->letsencrypt) 
  Downloading requests-2.9.1-py2.py3-none-any.whl (501kB) 
    100% |################################| 503kB 525kB/s 
Collecting ndg-httpsclient (from acme==0.4.0->letsencrypt) 
  Downloading ndg_httpsclient-0.4.0.tar.gz 
Collecting werkzeug (from acme==0.4.0->letsencrypt) 
  Downloading Werkzeug-0.11.4-py2.py3-none-any.whl (305kB) 
    100% |################################| 307kB 1.3MB/s 
Collecting zope.event (from zope.component->letsencrypt) 
  Downloading zope.event-4.2.0-py2-none-any.whl 
Collecting funcsigs (from mock->letsencrypt) 
  Downloading funcsigs-0.4-py2.py3-none-any.whl 
Collecting pbr>=0.11 (from mock->letsencrypt) 
  Downloading pbr-1.8.1-py2.py3-none-any.whl (89kB) 
    100% |################################| 90kB 1.3MB/s 
Collecting pycparser (from cffi>=1.4.1->cryptography>=0.7->letsencrypt) 
  Downloading pycparser-2.14.tar.gz (223kB) 
    100% |################################| 225kB 871kB/s 
Building wheels for collected packages: zope.interface, python2-pythondialog, ConfigArgParse, configobj, zope.component, enum34, ndg-httpsclient, pycparser 
  Running setup.py bdist_wheel for zope.interface ... done 
  Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\c9\15\5b 
\3a7e3c7c3b67b5ee002c0ebe8ac1f46ec3c0379c5037c6ab71 
  Running setup.py bdist_wheel for python2-pythondialog ... done 
  Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\f0\5f\b6 
\531cf000ffa0221f1c1dd4e95004248e664b90e673e5be8741 
  Running setup.py bdist_wheel for ConfigArgParse ... done 
  Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\c0\ce\1b 
\bb8d37531096afe7a604aab11423df765c232b6d8d2ebaa2de 
  Running setup.py bdist_wheel for configobj ... done 
  Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\d0\18\3a 
\88a9e8e07940560496c247872870978bf9b6cd5d914c0eac3e 
  Running setup.py bdist_wheel for zope.component ... done 
  Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\64\b9\9d 
\df8cb192e4b1cb5691fa67c56a841500ac562bd99337d6ef5a 
  Running setup.py bdist_wheel for enum34 ... done 
  Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\1a\4e\a5 
\bc564dd03d9abe991425c88d88aa8c5c99ad9a733551b69b4e 
  Running setup.py bdist_wheel for ndg-httpsclient ... done 
  Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\30\85\40 
\a29750f9287fe119a10708580a73cfb16f51e5f9a820430a2d 
  Running setup.py bdist_wheel for pycparser ... done 
  Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\c7\28\31 
\bac6d0b118c0bdcbf57f9219afdf2e624379c07efa6c769dbc 
Successfully built zope.interface python2-pythondialog ConfigArgParse configobj zope.component enum34 ndg-httpsclient pycparser 
Installing collected packages: zope.interface, python2-pythondialog, six, enum34, ipaddress, pyasn1, idna, pycparser, cffi, cryptography, PyOpenSSL, ConfigArgParse, parsedatetime, configobj, pytz, psutil, requests, ndg-httpsclient, werkzeug, funcsigs, pbr, mock, pyrfc3339, acme, zope.event, zope.component, letsencrypt 
Successfully installed ConfigArgParse-0.10.0 PyOpenSSL-0.15.1 acme-0.4.0 cffi-1.5.2 configobj-5.0.6 cryptography-1.2.2 enum34-1.1.2 funcsigs-0.4 idna-2.0 ipaddress-1.0.16 letsencrypt-0.4.0 mock-1.3.0 ndg-httpsclient-0.4.0 parsedatetime-1.5 pbr-1.8.1 psutil-4.0.0 pyasn1-0.1.9 pycparser-2.14 pyrfc3339-1.0 python2-pythondialog-3.3.0 pytz-2015.7 requests-2.9.1 six-1.10.0 werkzeug-0.11.4 zope.component-4.2.2 zope.event-4.2.0 zope.interface-4.1.3 
 
 
(letsencrypt) C:\letsencrypt\Scripts>letsencrypt.exe --help 
 
  letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ... 
 
The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By 
default, it will attempt to use a webserver both for obtaining and installing 
the cert. Major SUBCOMMANDS are: 
 
  (default) run        Obtain & install a cert in your current webserver 
  certonly             Obtain cert, but do not install it (aka "auth") 
  install              Install a previously obtained cert in a server 
  renew                Renew previously obtained certs that are near expiry 
  revoke               Revoke a previously obtained certificate 
  rollback             Rollback server configuration changes made during install 
 
  config_changes       Show changes made to server config during installation 
  plugins              Display information about installed plugins 
 
Choice of server plugins for obtaining and installing cert: 
 
  (the apache plugin is not installed) 
  --standalone      Run a standalone webserver for authentication 
  (nginx support is experimental, buggy, and not installed by default) 
  --webroot         Place files in a server's webroot folder for authentication 
 
OR use different plugins to obtain (authenticate) the cert and then install it: 
 
  --authenticator standalone --installer apache 
 
More detailed help: 
 
  -h, --help [topic]    print this message, or detailed help on a topic; 
                        the available topics are: 
 
   all, automation, paths, security, testing, or any of the subcommands or 
   plugins (certonly, install, nginx, apache, standalone, webroot, etc) 
 
 
(letsencrypt) C:\letsencrypt\Scripts>
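
A pre-flight check for the shared-alias approach in #7 and #9, added here as an example and not code from the thread or from the Let's Encrypt client: it assumes the webroot path from the config above and that every vhost name answers plain HTTP on port 80. It writes one random probe file into the shared acme-challenge directory and fetches it through each name, so a vhost without the alias, or with a ProxyPass that swallows the path, is caught before the CA is asked to validate anything.

```python
"""Pre-flight check for a shared ACME http-01 webroot (added example, not from the thread)."""
import os
import secrets
import urllib.error
import urllib.request

# Assumed: the directory from the global Apache Alias shown in the thread.
WEBROOT = "/home/www-data/vhost/letsencrypt"
CHALLENGE_DIR = os.path.join(WEBROOT, ".well-known", "acme-challenge")


def write_probe(challenge_dir=CHALLENGE_DIR):
    """Create a random probe file in the shared directory; return (filename, expected body)."""
    name = "probe-" + secrets.token_urlsafe(16)
    body = secrets.token_hex(16)
    os.makedirs(challenge_dir, exist_ok=True)
    with open(os.path.join(challenge_dir, name), "w") as f:
        f.write(body)
    return name, body


def http_fetch(url, timeout=10):
    """Fetch a URL over plain HTTP; return (status, body). Unreachable hosts give (None, "")."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def check_names(names, probe_name, expected, fetch=http_fetch):
    """Return {name: bool}: does each vhost name serve the shared probe file with the right body?

    `fetch` is injectable so the logic can be exercised without a network.
    """
    results = {}
    for name in names:
        url = "http://%s/.well-known/acme-challenge/%s" % (name, probe_name)
        status, body = fetch(url)
        results[name] = status == 200 and body.strip() == expected
    return results


if __name__ == "__main__":
    import sys  # usage: python check_webroot.py example.org www.example.org ...
    probe, expected = write_probe()
    for host, ok in check_names(sys.argv[1:], probe, expected).items():
        print("%-40s %s" % (host, "ok" if ok else "FAIL"))
```

Run it with all 14 names once per config change; only when every line reads "ok" is it worth running `letsencrypt certonly --webroot` against those names.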

#10

Even a global alias doesn’t actually help, since I still have to use manual mode on my Raspi and copy all the annoying stuff over.


#11

You could also directly proxy /.well-known/acme-challenge to your RPi:

ProxyPass /.well-known/acme-challenge http://addresse.of.the.rpi/.well-known/acme-challenge

#12

Well, the Pi doesn’t even run a webserver or anything; I just used it as a tool for trying LE.


#13

It should work with the standalone plugin when issuing certs, and raise a 500 error the rest of the time.
But hey, it seems more and more to me that you WANT to do it manually.


#16

Nothing says thank you like a beer/coffee for the makers: https://letsencrypt.org/become-a-sponsor/