From: Odhiambo Washington
Date: Sat, 1 Apr 2017 07:50:50 +0300
Subject: Re: letsencrypt configuration
To: User Questions <freebsd-questions@freebsd.org>

On 31 March 2017 at 23:50, Valeri Galtsev wrote:

> On Fri, March 31, 2017 3:08 pm, Andre Goree wrote:
> > On 2017/03/31 3:40 pm, Andre Goree wrote:
> >> So how is everyone going about configuring letsencrypt on FreeBSD? It
> >> would seem that multiple ports that used to exist for this very
> >> purpose are no longer in the repos (letskencrypt, py-letsencrypt), so
> >> tutorials I'm finding (and even letskencrypt, which is still in the
> >> FreeBSD wiki) aren't much help.
> >>
> >> Thanks in advance.
> >>
> > I actually found this immediately after I posted, all can disregard this
> > post: https://brnrd.eu/security/2016-12-30/acme-client.html
> >
>
> There was a thread not long ago where I described in detail how I installed
> it. Look for that if nothing else helps. The only thing I would add to
> that thread is: you have to reload apache (as if you are restarting it) to
> load the updated certificate, which you can do in the cron job you set for
> updating certs; add --post-hook like below:
>
> /usr/local/bin/certbot renew --quiet --post-hook "/usr/local/sbin/apachectl graceful"
>
> Thanks.
> Valeri
>

Probably the easiest method I ever found was using le-utils by Vladimir
Botka. Quoting Vladimir Botka:

Port security/py-certbot (letsencrypt.org client) works fine for me.

FYI, Automatic Certificate Management Environment (ACME) is an IETF project
https://github.com/ietf-wg-acme/acme/

FWIW, you might want to try my scripts and automate the renewal via cron
https://github.com/vbotka/le-utils. Available also as an Ansible role
https://galaxy.ansible.com/vbotka/leutils/.

There are also other letsencrypt clients
https://github.com/certbot/certbot/wiki/Links#other-lets-encrypt--acme-clients

++ Find below the example of how I run it from cron [1]. You can install and
configure it manually, or you can use the Ansible role
https://galaxy.ansible.com/vbotka/leutils/. For more info just download the
scripts from github https://github.com/vbotka/le-utils and type "lectl" [2]
(similar for leinfo). Sorry, the documentation is best effort. For more
details you might want to go through the source.

HTH.

Cheers,
-vlado

[1]
# crontab -l
MAILTO="root"
#Ansible: dry-run renewal of certificates
20 2 * * * /root/bin/lectl -s -n -c -a
#Ansible: check expiry of certificates
15 2 * * * /root/bin/leinfo -e --Days=30 -a
#Ansible: renewal of certificates
20 3 * * * /root/bin/lectl -D=30 -c -a

[2]
# lectl
lectl [-V|--version] [-h|--help] [-s|--silent] [-d|--debug] [-l|--list]
      [-r|--raw] [-p|--permissions] [-e|--expire] [-D=NoOfDays|--Days=NoOfDays]
      [-c|--renew] [-n|--dryrun] [-a|--all|<domain>]
-- Letsencrypt certificates management

where:
  -V --version ....... print version and exit
  -h --help .......... show this help and exit
  -l --list .......... list domains and exit
  -r --raw ........... print raw output of openssl x509 command
  -p --permissions ... set permissions (Note 5)
  -e --expire ........ show number of days till certificate expires
  -D --Days=NoOfDays . with -e list certificates that will expire in period of NoOfDays
  -s --silent ........ print errors only; with -e only report number of days to expire
  -d --debug ......... print debug output
  -c --renew ......... renew certificates (Note 2,3)
  -n --dryrun ........ with -c dry run only
  -a --all ........... check all domains
  <domain> ........... check domain (Note 1)

Examples:
Print information about all certificates.
  # lectl -a
Print raw output of openssl x509 command for example.com
  # lectl -r example.com
List all certificates that will expire in less than 30 days.
  # lectl -e --Days=30 -a
Dry run renewal of all certificates (run daily in cron for feedback).
  # lectl -n -c -a
Renew all certificates if any of them expires in less than 30 days
(renewal of single certificate is not available). (Note 4)
  # lectl -D=30 -c -a
Set permissions of private keys to
  # lectl -p

Notes:
1) Renewal of single certificate
   # /usr/local/bin/letsencrypt(certbot) renew --dry-run -d example.com
   Currently, the renew verb is only capable of renewing all installed
   certificates that are due to be renewed; individual domains cannot be
   specified with this action. If you would like to renew specific
   certificates, use the certonly command. The renew verb may provide other
   options for selecting certificates to renew in the future.
2) Rate Limits for Let's Encrypt
   https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt
   * limited to 20 certificates per domain per week
   * limited to 5 certificates per FQDN set per week
   * the number of registrations you can make in a given time period;
     currently 500 per 3 hours
3) Lifetime of the certificate (Pros and cons of 90-day certificate lifetimes)
   https://community.letsencrypt.org/t/pros-and-cons-of-90-day-certificate-lifetimes
   The Technical Advisory Board chose
   * 90-day certificate lifetime to start with
   * with an expectation that people will want to auto-renew at the 60-day mark.
4) Certbot will not renew a certificate more than 30 days before expiration.
   Message: Cert not yet due for renewal.
5) Set permissions of all private keys to 0600 and set permissions of
   accounts, keys, live in /usr/local/etc/letsencrypt to 0700.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
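As an added example (not code from this thread, from le-utils or from certbot), the renewal check that `lectl -e --Days=30` and Valeri's cron job describe, written in pure POSIX sh so it runs unchanged under FreeBSD cron: it turns the `notAfter=` line printed by `openssl x509 -enddate -noout` into days remaining without GNU `date -d`, and only then calls `certbot renew` with the Apache post-hook. The `/usr/local/...` paths are the FreeBSD ones quoted above; `renew_if_due` is a hypothetical entry point for a daily cron line.

```shell
#!/bin/sh
# Added example (not from this thread, le-utils or certbot): days to expiry from the
# "notAfter=" line of `openssl x509 -enddate -noout`, in pure POSIX sh (no GNU date -d).
# Days since 1970-01-01 for a Gregorian Y M D (Howard Hinnant's days_from_civil).
days_from_civil() {
    y=$1; m=$2; d=$3
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400)); yoe=$((y - era * 400))
    [ "$m" -gt 2 ] && mp=$((m - 3)) || mp=$((m + 9))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + (153 * mp + 2) / 5 + d - 1 ))
    echo $(( era * 146097 + doe - 719468 ))
}

month_num() {
    case $1 in Jan) echo 1;; Feb) echo 2;; Mar) echo 3;; Apr) echo 4;; May) echo 5;;
        Jun) echo 6;; Jul) echo 7;; Aug) echo 8;; Sep) echo 9;; Oct) echo 10;;
        Nov) echo 11;; Dec) echo 12;; *) return 1;; esac
}

# notafter_epoch "notAfter=Jun 30 12:00:00 2017 GMT" -> 1498824000
notafter_epoch() {
    set -- ${1#notAfter=}                  # fields: Mon Day HH:MM:SS Year GMT
    mon=$(month_num "$1") || return 1
    hh=${3%%:*}; rest=${3#*:}; mm=${rest%%:*}; ss=${rest#*:}
    hh=${hh#0}; mm=${mm#0}; ss=${ss#0}     # "08" would otherwise parse as octal
    days=$(days_from_civil "$4" "$mon" "$2")
    echo $(( days * 86400 + ${hh:-0} * 3600 + ${mm:-0} * 60 + ${ss:-0} ))
}

# Whole days left at NOW (epoch seconds); zero or negative once expired.
days_left() {
    exp=$(notafter_epoch "$1") || return 1
    echo $(( (exp - $2) / 86400 ))
}

# Same test as `lectl -e --Days=N`: true when fewer than N days remain
# (default 30, the window certbot itself applies per Note 4).
renewal_due() { [ "$(days_left "$1" "$2")" -lt "${3:-30}" ]; }

# Cron entry point (FreeBSD paths from the thread): renew, reloading Apache with
# Valeri's post-hook, only when some live certificate is actually due.
renew_if_due() {
    now=$(date +%s)
    for cert in /usr/local/etc/letsencrypt/live/*/cert.pem; do
        [ -r "$cert" ] || continue
        renewal_due "$(openssl x509 -enddate -noout -in "$cert")" "$now" || continue
        /usr/local/bin/certbot renew --quiet --post-hook "/usr/local/sbin/apachectl graceful"
        return
    done
}
```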