Author Topic: Using acme.sh  (Read 7983 times)

Martinezio

Using acme.sh
« on: February 03, 2017, 01:00:36 am »
Dears,

I've just moved my installation to 17.1 (it went smoothly and easily, thanks) to get this acme.sh script and request a Let's Encrypt cert for SSL.

But how do I configure this script and how do I use it? I've created some config, but I don't know if it is valid. The logs say that issuing the new cert was successful, but I can't see this cert anywhere...

A little help? ;) Thanks in advance.

Best regards,

Martin.

franco

Re: Using acme.sh
« Reply #1 on: February 03, 2017, 01:00:42 pm »
Here's the quick-start guide that the author provided: https://github.com/opnsense/plugins/pull/66


Cheers,
Franco

lrosenman

Re: Using acme.sh
« Reply #2 on: February 05, 2017, 06:09:40 am »
There are issues with DNS-01/nsupdate :(

I left a comment. If anyone wants to help, see my comment at the above link.

franco

Re: Using acme.sh
« Reply #3 on: February 06, 2017, 05:45:56 am »
Fixes are coming in now, thanks for the report(s). :)

Martinezio

Re: Using acme.sh
« Reply #4 on: February 06, 2017, 02:06:22 pm »
Ok, so I found a "bug" too... The name of the certificate cannot contain a "-" sign (i.e. something-strange.domain.com).
Sadly, I do have a "-" in the name. Can you please do something about this? :)

Thanks in advance.

Bests...

Martin.
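The check Martin's report implies, written here as an added example that is not part of the thread or of the OPNsense Let's Encrypt plugin: a hostname validator that follows RFC 1123, so interior hyphens (as in something-strange.domain.com) are accepted while names with a hyphen at the start or end of a label, illegal characters, or over-long labels are still rejected. The function names and the sample name list are my own constructions; the plugin's actual validation code is not shown in the thread.

```python
import re

# One RFC 1123 label: 1-63 characters, letters, digits and hyphens,
# with no hyphen at the start or the end of the label.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Return True if `name` is a syntactically valid DNS hostname.

    Hyphens inside a label are legal, so "something-strange.domain.com"
    passes. A single trailing dot (FQDN form) is tolerated, the whole
    name is limited to 253 characters, and an all-numeric last label is
    rejected because that is an IP address, not a hostname.
    """
    if not name or len(name) > 253:
        return False
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    if any(_LABEL.match(label) is None for label in labels):
        return False
    return not labels[-1].isdigit()


def reject_invalid(names):
    """Return the subset of `names` a certificate request should refuse.

    This is the shape of check a front end (hypothetical here) would run
    before handing names to an ACME client: reject only names that are
    actually malformed, not merely names that contain a hyphen.
    """
    return [n for n in names if not is_valid_hostname(n)]


# Constructed sample input: the hyphenated name from the thread plus a
# few malformed ones that a correct validator must still refuse.
SAMPLE_NAMES = [
    "something-strange.domain.com",   # legal: hyphen inside a label
    "plain.domain.com",               # legal
    "-leading.domain.com",            # illegal: label starts with "-"
    "trailing-.domain.com",           # illegal: label ends with "-"
    "under_score.domain.com",         # illegal: "_" is not allowed
    "a" * 64 + ".domain.com",         # illegal: label longer than 63
    "192.168.1.1",                    # illegal: an IP address, not a hostname
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r}: {'ok' if is_valid_hostname(name) else 'rejected'}")
```

Running the block prints one line per sample name; the two legal names come back `ok` and the other five are rejected, which is exactly the split a plugin should make instead of refusing every name that contains a hyphen.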

bartjsmit

Re: Using acme.sh
« Reply #5 on: February 06, 2017, 06:54:20 pm »
Hi Martin, check out StartCom (https://www.startssl.com/). They do free certificates with good browser support as well.

Bart... 

Martinezio

Re: Using acme.sh
« Reply #6 on: February 07, 2017, 09:07:08 pm »
No, they don't ;)

Google and Mozilla's authorities revoked their CA certificate due to a conflict with one of the investors who owned StartSSL. StartSSL is trying to solve this ASAP, but in my opinion it will take them at least half a year to create a new CA.

So I'd rather wait for a fix in the acme implementation :)

Best regards,

Martin.

bartjsmit

Re: Using acme.sh
« Reply #7 on: February 08, 2017, 10:07:42 am »
Hi Martin,

Which versions of Firefox and Chrome are you seeing this on? Both the StartSSL website and certificates signed by the StartCom CA are showing fully trusted in my browsers.

Bart...

Martinezio

Re: Using acme.sh
« Reply #8 on: February 09, 2017, 10:52:46 am »
I'm using Firefox 51.0.

Here you have a statement from the Mozilla authority:
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

Here is info from the Apple authority:
https://support.apple.com/en-us/HT204132

Google also supports this decision in the Chrome browser:
http://www.csoonline.com/article/3137181/security/google-to-untrust-wosign-and-startcom-certificates.html

Regards :)
« Last Edit: February 09, 2017, 10:56:57 am by Martinezio »

bartjsmit

Re: Using acme.sh
« Reply #9 on: February 09, 2017, 01:44:36 pm »
Hi Martin,

Good catch, thanks for that. I'll start testing to migrate off StartCom certs.

Bart...

bringha

Re: Using acme.sh
« Reply #10 on: February 09, 2017, 08:08:04 pm »
Hello,

IMHO, if your certificate is from BEFORE October last year, then you don't have any issue. If, e.g., your certificate is from last year and valid for two years, then it can still be used in all browsers. The revocation by Mozilla, Apple and Google has been made for one year, giving StartSSL the option to solve their problems.

Br br

fraenki

Re: Using acme.sh
« Reply #11 on: February 09, 2017, 10:11:16 pm »
Quote from: Martinezio on February 06, 2017, 02:06:22 pm
Ok, so I found a "bug" too...

OPNsense 17.1.1 has been released today and contains version 1.1 of our Let's Encrypt plugin. All known bugs have been fixed. Feedback is very welcome :)


Regards
- Frank

Martinezio

Re: Using acme.sh
« Reply #12 on: February 14, 2017, 11:29:53 am »
Working like a charm :D Thanks a lot!