Author Topic: Using acme.sh (Read 2368 times)

Martinezio · « **on:** February 03, 2017, 01:00:36 am »

Dears,

I've just moved my installation to 17.1 (went smooth and easy, thx) to have this acme.sh script and to request Let's Encrypt cert for ssl.

But how to configure this script and how to use it? I've created some config, but I don't know if it is valid. Logs are saying, that issuing new cert was successful, but I do not see this cert nowhere...

Little help?

Thx in advance.

Best regards,

Martin.

franco · « **Reply #1 on:** February 03, 2017, 01:00:42 pm »

Here's the quick-start guide that the author provided: https://github.com/opnsense/plugins/pull/66

Cheers,
Franco

lrosenman · « **Reply #2 on:** February 05, 2017, 06:09:40 am »

There are issues with DNS-01/nsupdate

I left a comment. If anyone wants to help see my comment on the above link.

franco · « **Reply #3 on:** February 06, 2017, 05:45:56 am »

Fixes are coming in now, thanks for the report(s).

Martinezio · « **Reply #4 on:** February 06, 2017, 02:06:22 pm »

Ok, so I found a "bug" too... Name of the certificate cannot contain "-" sign (ie. something-strange.domain.com).
Saddly, I do have - in the name. Can You please make something with this?

Thanks in advance.

Bests...

Martin.

bartjsmit · « **Reply #5 on:** February 06, 2017, 06:54:20 pm »

Hi Martin, check out StartCom https://www.startssl.com/ They do free certificates with good browser support as well.

Bart...

Martinezio · « **Reply #6 on:** February 07, 2017, 09:07:08 pm »

No, they don't

Google and Mozilla Authorities revoked their CA certificate due to conflict with one of the investors owned StartSSL. StartSSL is trying to solve this asap, but it takes them at least half year in my opinion to create new CA.

So I'll wait for fix in acme implementation better

Best regards,

Martin.

bartjsmit · « **Reply #7 on:** February 08, 2017, 10:07:42 am »

Hi Martin,

Which versions of Firefox and Chrome are you seeing this on? Both the StartSSL website and certificates signed by the StartCom CA are showing fully trusted in my browsers.

Bart...

Martinezio · « **Reply #8 on:** February 09, 2017, 10:52:46 am »

I'm using Firefox 51.0

Here You have a statement from Mozilla Authority:
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

Here is info from Apple Authority:
https://support.apple.com/en-us/HT204132

Google also supports this decision in Chrome browser:
http://www.csoonline.com/article/3137181/security/google-to-untrust-wosign-and-startcom-certificates.html

Regards

bartjsmit · « **Reply #9 on:** February 09, 2017, 01:44:36 pm »

Hi Martin,

Good catch, thanks for that. I'll start testing to migrate off StartCom certs.

Bart...

bringha · « **Reply #10 on:** February 09, 2017, 08:08:04 pm »

Hello,

IMHO if your certificate is from BEFORE October last year then you don't have any issue. If e.g. your certificate is from last year and valid for two years then they can still be used in all browsers. The revocation of Mozilla, Apple and Google has been made for one year giving startssl the option to solve their problems.

Br br

fraenki · « **Reply #11 on:** February 09, 2017, 10:11:16 pm »

Quote from: Martinezio on February 06, 2017, 02:06:22 pm

Ok, so I found a "bug" too...

OPNsense 17.1.1 has been released today and contains version 1.1 of our Let's Encrypt plugin. All known bugs have been fixed. Feedback is very welcome

Regards
- Frank

Martinezio · « **Reply #12 on:** February 14, 2017, 11:29:53 am »

Working like a charm

Thanks a lot!

Author Topic: Using acme.sh (Read 2368 times)

Martinezio

Using acme.sh

franco

Re: Using acme.sh

lrosenman

Re: Using acme.sh

franco

Re: Using acme.sh

Martinezio

Re: Using acme.sh

bartjsmit

Re: Using acme.sh

Martinezio

Re: Using acme.sh

bartjsmit

Re: Using acme.sh

Martinezio

Re: Using acme.sh

bartjsmit

Re: Using acme.sh

bringha

Re: Using acme.sh

fraenki

Re: Using acme.sh

Martinezio

Re: Using acme.sh