Using acme.sh

Started by Martinezio, February 03, 2017, 01:00:36 AM

Dears,

I've just moved my installation to 17.1 (went smooth and easy, thanks) to have this acme.sh script and to request a Let's Encrypt cert for SSL.

But how do I configure this script and how do I use it? I've created some config, but I don't know if it is valid. The logs say that issuing the new cert was successful, but I do not see this cert anywhere...

Little help? ;) Thx in advance.

Best regards,

Martin.

Here's the quick-start guide that the author provided: https://github.com/opnsense/plugins/pull/66


Cheers,
Franco

There are issues with DNS-01/nsupdate :(

I left a comment.  If anyone wants to help see my comment on the above link.

Fixes are coming in now, thanks for the report(s). :)

Ok, so I found a "bug" too... The name of the certificate cannot contain the "-" sign (i.e. something-strange.domain.com).
Sadly, I do have "-" in the name. Can you please do something about this? :)

Thanks in advance.

Bests...

Martin.

Hi Martin, check out StartCom https://www.startssl.com/ They do free certificates with good browser support as well.

Bart... 

No, they don't ;)

Google and Mozilla authorities revoked their CA certificate due to a conflict with one of the investors who owned StartSSL. StartSSL is trying to solve this asap, but in my opinion it will take them at least half a year to create a new CA.

So I'd better wait for the fix in the acme implementation :)

Best regards,

Martin.

Hi Martin,

Which versions of Firefox and Chrome are you seeing this on? Both the StartSSL website and certificates signed by the StartCom CA are showing fully trusted in my browsers.

Bart...

February 09, 2017, 10:52:46 AM #8 Last Edit: February 09, 2017, 10:56:57 AM by Martinezio
I'm using Firefox 51.0

Here you have a statement from Mozilla:
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

Here is the info from Apple:
https://support.apple.com/en-us/HT204132

Google also supports this decision in the Chrome browser:
http://www.csoonline.com/article/3137181/security/google-to-untrust-wosign-and-startcom-certificates.html

Regards :)

Hi Martin,

Good catch, thanks for that. I'll start testing to migrate off StartCom certs.

Bart...

Hello,

IMHO if your certificate is from BEFORE October last year then you don't have any issue. If e.g. your certificate is from last year and valid for two years then it can still be used in all browsers. The revocation by Mozilla, Apple and Google has been made for one year, giving startssl the option to solve their problems.

Br br

Quote from: Martinezio on February 06, 2017, 02:06:22 PM
Ok, so I found a "bug" too...

OPNsense 17.1.1 has been released today and contains version 1.1 of our Let's Encrypt plugin. All known bugs have been fixed. Feedback is very welcome :)


Regards
- Frank

Working like a charm :D Thanks a lot!