I would just like to say thank you for bringing browser and email internet security to the world for free. Thank you also to the sponsors that make this possible, and for all of us who use it.
It’s brilliant.
Thank you.
A million times this. I don’t think it’s said and heard enough.
We web developers are truly grateful for Let’s Encrypt!
It’s really exciting stuff, isn’t it? Encrypted SSL/TLS connections for nothing, for little or no effort, and at no cost. It’s like giving everybody in the world a little bit of space to call their own.
Little to no effort? Not for my setup. Manual setup for 14 SANs isn’t funny.
Ouch that does sound painful.
It could be worth you checking out Ansible ( https://www.ansible.com/get-started ) to automate that kind of thing. It’s open source too. Yeah!
You’d add all 14 SANs to an inventory list, then run one command using a ‘playbook’ file which has your letsencrypt goodies in it.
If you can SSH into a box using SSH keys, then you can manage a box with Ansible. Apparently.
Well, in short, it’s my Windows PC with multiple webroots.
So if there were a client that could handle webroots with multiple domains (or allow DNS “walking up” for DNS challenges; I just have 3 root domains, so I could do that myself), it would be great.
Why don’t you do something like this on your webserver for each virtual host
Alias /.well-known/acme-challenge /path/to/letsencrypt/.well-known/acme-challenge
and use /path/to/letsencrypt/ as webroot?
Yeah, interesting idea, already thought of, BUT!
There is, IIRC, no LE client for Windows yet that doesn’t need IIS to work.
For a lot of vhosts this gets annoying, especially since you have to complete the challenges multiple times, and new vhosts -> new aliases.
While with a one-time setting in the DNS which specifies my public key as authorised for all my root domains (3), I would immediately have no problems getting all below it via walk-up.
Not on Windows, I actually only have one Alias in my global Apache config. My config is as follows:
root@grenade:/# cat /etc/apache2/conf-enabled/letsenrypt.conf
Alias /.well-known/acme-challenge /home/www-data/vhost/letsencrypt/.well-known/acme-challenge
ProxyPass /.well-known/acme-challenge !
<Directory /home/www-data/vhost/letsencrypt/.well-known/acme-challenge>
require all granted
</Directory>
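As an added example, not code from this thread or from the Let’s Encrypt client: a pre-flight check in Python 3 for the shared-webroot layout above (one global Alias, so every vhost answers /.well-known/acme-challenge from the same directory). It writes a token into that directory, fetches it over plain HTTP through every hostname with the name in the Host header, and compares the body byte for byte, which is the test the CA applies. The hostnames, the local stand-in server (which, like a global Alias, ignores the Host header) and the random value standing in for the account-key thumbprint are all constructed for the example; against a real Apache you would call preflight() with connect_host=None so each name is resolved through DNS, and port=80.

```python
"""Pre-flight check for HTTP-01 challenges served from one shared webroot.

Added example, not code from the thread or the Let's Encrypt client. A real
key authorization is <token>.<base64url(SHA-256(account JWK))>; a random
marker stands in for the thumbprint here because the check only needs to
prove that every hostname serves the file written into the shared directory.
"""
import http.client
import os
import secrets
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_URL_PREFIX = "/.well-known/acme-challenge"


def challenge_dir(webroot):
    """Filesystem directory that the Alias maps /.well-known/acme-challenge to."""
    return os.path.join(webroot, ".well-known", "acme-challenge")


def write_challenge(webroot, token, key_authorization):
    """Create the challenge file the way an ACME client would, readable by the webserver user."""
    os.makedirs(challenge_dir(webroot), exist_ok=True)
    path = os.path.join(challenge_dir(webroot), token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization)
    os.chmod(path, 0o644)  # www-data (or whatever Apache runs as) must be able to read it
    return path


def fetch_challenge(domain, token, connect_host=None, port=80, timeout=5.0):
    """GET http://<domain>/.well-known/acme-challenge/<token> over plain HTTP.

    connect_host lets you hit a specific address (a local server, a staging box)
    while still sending `domain` in the Host header, which is what selects the
    virtual host. Returns (status, body); status is None on a socket error.
    """
    conn = http.client.HTTPConnection(connect_host or domain, port, timeout=timeout)
    try:
        conn.request("GET", f"{CHALLENGE_URL_PREFIX}/{token}", headers={"Host": domain})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("ascii", "replace")
    except OSError as exc:
        return None, str(exc)
    finally:
        conn.close()


def preflight(domains, webroot, connect_host=None, port=80):
    """Write one token, fetch it through every hostname, remove it. Returns {domain: (ok, detail)}."""
    token = secrets.token_urlsafe(32)
    key_authorization = f"{token}.{secrets.token_urlsafe(32)}"  # random stand-in for the thumbprint
    path = write_challenge(webroot, token, key_authorization)
    results = {}
    try:
        for domain in domains:
            status, body = fetch_challenge(domain, token, connect_host, port)
            if status is None:
                detail = f"connect failed: {body}"
            elif status != 200:
                detail = f"HTTP {status}"
            elif body != key_authorization:
                detail = "HTTP 200 but wrong body (another vhost or file answered?)"
            else:
                detail = "ok"
            results[domain] = (detail == "ok", detail)
    finally:
        os.remove(path)  # never leave stale tokens lying around in a world-readable directory
    return results


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output readable
        pass


def serve_webroot(webroot):
    """Local stand-in for Apache: serves `webroot` for every Host header, like a global Alias."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo(domains=("www.example.test", "mail.example.test", "shop.example.test")):
    """Check constructed hostnames against a throwaway webroot; returns (results, status for a missing token)."""
    webroot = tempfile.mkdtemp(prefix="acme-webroot-")
    srv = serve_webroot(webroot)
    port = srv.server_address[1]
    try:
        results = preflight(domains, webroot, connect_host="127.0.0.1", port=port)
        missing_status, _ = fetch_challenge(domains[0], "no-such-token", "127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()
    return results, missing_status


if __name__ == "__main__":
    results, missing = demo()
    for domain, (ok, detail) in results.items():
        print(f"{'PASS' if ok else 'FAIL'} {domain}: {detail}")
    print(f"unknown token -> HTTP {missing}")
```

Run as-is it checks three made-up names against a throwaway server on 127.0.0.1; point preflight() at the real webroot from the Alias line and your list of SANs to check the Apache side before running the client. It only proves the server configuration: the CA validates from its own vantage points over the public Internet, so DNS, firewall rules and port-80 reachability still have to be right, and a ProxyPass exclusion like the one in the config above is exactly what keeps the challenge path from being forwarded to a backend that knows nothing about it.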
Indeed, even if I successfully install the letsencrypt client on Windows (a Windows 7 VM), it fails by using the function geteuid from the os module, which is only available on Unix systems. cf. https://community.letsencrypt.org/t/python-virtualenv-on-windows-10-attributeerror-geteuid
C:\>pip install virtualenv
Collecting virtualenv
Downloading virtualenv-14.0.6-py2.py3-none-any.whl (1.8MB)
100% |################################| 1.8MB 217kB/s
Installing collected packages: virtualenv
Successfully installed virtualenv-14.0.6
You are using pip version 7.1.2, however version 8.0.2 is available.
You should consider upgrading via the 'python -m pip install --upgrade pip' command.
C:\>virtualenv letsencrypt
New python executable in C:\letsencrypt\Scripts\python.exe
Installing setuptools, pip, wheel...done.
C:\>cd letsencrypt
C:\letsencrypt>cd Scripts
C:\letsencrypt\Scripts>activate.bat
(letsencrypt) C:\letsencrypt\Scripts>pip install letsencrypt
Collecting letsencrypt
Downloading letsencrypt-0.4.0-py2-none-any.whl (197kB)
100% |################################| 200kB 660kB/s
Collecting zope.interface (from letsencrypt)
Downloading zope.interface-4.1.3.tar.gz (141kB)
100% |################################| 143kB 1.3MB/s
Requirement already satisfied (use --upgrade to upgrade): setuptools in c:\letsencrypt\lib\site-packages (from letsencrypt)
Collecting python2-pythondialog>=3.2.2rc1 (from letsencrypt)
Downloading python2-pythondialog-3.3.0.tar.bz2 (1.8MB)
100% |################################| 1.8MB 217kB/s
Collecting PyOpenSSL (from letsencrypt)
Downloading pyOpenSSL-0.15.1-py2.py3-none-any.whl (102kB)
100% |################################| 106kB 1.3MB/s
Collecting cryptography>=0.7 (from letsencrypt)
Downloading cryptography-1.2.2-cp27-none-win_amd64.whl (1.3MB)
100% |################################| 1.3MB 260kB/s
Collecting ConfigArgParse>=0.9.3 (from letsencrypt)
Downloading ConfigArgParse-0.10.0.tar.gz
Collecting parsedatetime (from letsencrypt)
Downloading parsedatetime-1.5-py2-none-any.whl (50kB)
100% |################################| 53kB 890kB/s
Collecting configobj (from letsencrypt)
Downloading configobj-5.0.6.tar.gz
Collecting pytz (from letsencrypt)
Downloading pytz-2015.7-py2.py3-none-any.whl (476kB)
100% |################################| 479kB 525kB/s
Collecting psutil>=2.1.0 (from letsencrypt)
Downloading psutil-4.0.0-cp27-cp27m-win_amd64.whl (156kB)
100% |################################| 159kB 871kB/s
Collecting six (from letsencrypt)
Downloading six-1.10.0-py2.py3-none-any.whl
Collecting acme==0.4.0 (from letsencrypt)
Downloading acme-0.4.0-py2.py3-none-any.whl (95kB)
100% |################################| 98kB 871kB/s
Collecting zope.component (from letsencrypt)
Downloading zope.component-4.2.2.tar.gz (546kB)
100% |################################| 548kB 660kB/s
Collecting mock (from letsencrypt)
Downloading mock-1.3.0-py2.py3-none-any.whl (56kB)
100% |################################| 57kB 871kB/s
Collecting pyrfc3339 (from letsencrypt)
Downloading pyRFC3339-1.0-py2.py3-none-any.whl
Collecting enum34 (from cryptography>=0.7->letsencrypt)
Downloading enum34-1.1.2.tar.gz (46kB)
100% |################################| 49kB 1.3MB/s
Collecting ipaddress (from cryptography>=0.7->letsencrypt)
Downloading ipaddress-1.0.16-py27-none-any.whl
Collecting pyasn1>=0.1.8 (from cryptography>=0.7->letsencrypt)
Downloading pyasn1-0.1.9-py2.py3-none-any.whl
Collecting idna>=2.0 (from cryptography>=0.7->letsencrypt)
Downloading idna-2.0-py2.py3-none-any.whl (61kB)
100% |################################| 61kB 1.3MB/s
Collecting cffi>=1.4.1 (from cryptography>=0.7->letsencrypt)
Downloading cffi-1.5.2-cp27-none-win_amd64.whl (150kB)
100% |################################| 151kB 871kB/s
Collecting requests (from acme==0.4.0->letsencrypt)
Downloading requests-2.9.1-py2.py3-none-any.whl (501kB)
100% |################################| 503kB 525kB/s
Collecting ndg-httpsclient (from acme==0.4.0->letsencrypt)
Downloading ndg_httpsclient-0.4.0.tar.gz
Collecting werkzeug (from acme==0.4.0->letsencrypt)
Downloading Werkzeug-0.11.4-py2.py3-none-any.whl (305kB)
100% |################################| 307kB 1.3MB/s
Collecting zope.event (from zope.component->letsencrypt)
Downloading zope.event-4.2.0-py2-none-any.whl
Collecting funcsigs (from mock->letsencrypt)
Downloading funcsigs-0.4-py2.py3-none-any.whl
Collecting pbr>=0.11 (from mock->letsencrypt)
Downloading pbr-1.8.1-py2.py3-none-any.whl (89kB)
100% |################################| 90kB 1.3MB/s
Collecting pycparser (from cffi>=1.4.1->cryptography>=0.7->letsencrypt)
Downloading pycparser-2.14.tar.gz (223kB)
100% |################################| 225kB 871kB/s
Building wheels for collected packages: zope.interface, python2-pythondialog, ConfigArgParse, configobj, zope.component, enum34, ndg-httpsclient, pycparser
Running setup.py bdist_wheel for zope.interface ... done
Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\c9\15\5b\3a7e3c7c3b67b5ee002c0ebe8ac1f46ec3c0379c5037c6ab71
Running setup.py bdist_wheel for python2-pythondialog ... done
Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\f0\5f\b6\531cf000ffa0221f1c1dd4e95004248e664b90e673e5be8741
Running setup.py bdist_wheel for ConfigArgParse ... done
Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\c0\ce\1b\bb8d37531096afe7a604aab11423df765c232b6d8d2ebaa2de
Running setup.py bdist_wheel for configobj ... done
Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\d0\18\3a\88a9e8e07940560496c247872870978bf9b6cd5d914c0eac3e
Running setup.py bdist_wheel for zope.component ... done
Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\64\b9\9d\df8cb192e4b1cb5691fa67c56a841500ac562bd99337d6ef5a
Running setup.py bdist_wheel for enum34 ... done
Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\1a\4e\a5\bc564dd03d9abe991425c88d88aa8c5c99ad9a733551b69b4e
Running setup.py bdist_wheel for ndg-httpsclient ... done
Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\30\85\40\a29750f9287fe119a10708580a73cfb16f51e5f9a820430a2d
Running setup.py bdist_wheel for pycparser ... done
Stored in directory: C:\Users\Valentin\AppData\Local\pip\Cache\wheels\c7\28\31\bac6d0b118c0bdcbf57f9219afdf2e624379c07efa6c769dbc
Successfully built zope.interface python2-pythondialog ConfigArgParse configobj zope.component enum34 ndg-httpsclient pycparser
Installing collected packages: zope.interface, python2-pythondialog, six, enum34, ipaddress, pyasn1, idna, pycparser, cffi, cryptography, PyOpenSSL, ConfigArgParse, parsedatetime, configobj, pytz, psutil, requests, ndg-httpsclient, werkzeug, funcsigs, pbr, mock, pyrfc3339, acme, zope.event, zope.component, letsencrypt
Successfully installed ConfigArgParse-0.10.0 PyOpenSSL-0.15.1 acme-0.4.0 cffi-1.5.2 configobj-5.0.6 cryptography-1.2.2 enum34-1.1.2 funcsigs-0.4 idna-2.0 ipaddress-1.0.16 letsencrypt-0.4.0 mock-1.3.0 ndg-httpsclient-0.4.0 parsedatetime-1.5 pbr-1.8.1 psutil-4.0.0 pyasn1-0.1.9 pycparser-2.14 pyrfc3339-1.0 python2-pythondialog-3.3.0 pytz-2015.7 requests-2.9.1 six-1.10.0 werkzeug-0.11.4 zope.component-4.2.2 zope.event-4.2.0 zope.interface-4.1.3
(letsencrypt) C:\letsencrypt\Scripts>letsencrypt.exe --help
letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...
The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:
(default) run Obtain & install a cert in your current webserver
certonly Obtain cert, but do not install it (aka "auth")
install Install a previously obtained cert in a server
renew Renew previously obtained certs that are near expiry
revoke Revoke a previously obtained certificate
rollback Rollback server configuration changes made during install
config_changes Show changes made to server config during installation
plugins Display information about installed plugins
Choice of server plugins for obtaining and installing cert:
(the apache plugin is not installed)
--standalone Run a standalone webserver for authentication
(nginx support is experimental, buggy, and not installed by default)
--webroot Place files in a server's webroot folder for authentication
OR use different plugins to obtain (authenticate) the cert and then install it:
--authenticator standalone --installer apache
More detailed help:
-h, --help [topic] print this message, or detailed help on a topic;
the available topics are:
all, automation, paths, security, testing, or any of the subcommands or
plugins (certonly, install, nginx, apache, standalone, webroot, etc)
(letsencrypt) C:\letsencrypt\Scripts>
Even a global alias doesn’t actually help, since I still have to use manual mode on my Raspi and copy all the annoying stuff over.
You could also directly proxy /.well-known/acme-challenge to your rpi.
ProxyPass /.well-known/acme-challenge http://address.of.the.rpi/.well-known/acme-challenge
Well, the Pi doesn’t even run a webserver or anything; I just used it as a tool for trying LE.
It should work with the standalone plugin when issuing certs and raise an error 500 the rest of the time.
But hey, it seems more and more to me you WANT to do it manually.
Nothing says thank you like a beer/coffee for the makers: https://letsencrypt.org/become-a-sponsor/