Are there plans to support Let's Encrypt in the Certificate Manager, once they start signing certificates?
You speak of automatically using their service to sign SSL certificates?
Yes, some implementation of this: https://letsencrypt.org/howitworks/
We do have a Python wrapper in FreeBSD now, py-letsencrypt, but I am a bit staggered by its complexity, although Python fits our backend service philosophy nicely. I can see this as a plugin, given that we handle backend service plugin support a bit better, I think there's a ticket here...
https://github.com/opnsense/core/issues/329
And this... :)
https://github.com/opnsense/plugins/issues/6
Any help on this front is greatly appreciated.
Great, unfortunately my Python skills leave room for improvement, but I'll certainly keep an eye on this.
I have been using a bash script called letsencrypt.sh on my Linux boxes and wrote a small plugin for them to generate the config files. The letsencrypt.sh script is a lot easier and more transportable than the full fat official clients.
https://github.com/lukas2511/letsencrypt.sh
It probably wouldn't take much to use that (and I believe it is BSD compatible). You just need to write a simple plain text config file and domains.txt file and add a cronjob for renewals.
You have to be able to HTTP resolve a .well-known/acme-challenge directory for a given domain.
B. Rgds
John
There's another thread here: https://forum.opnsense.org/index.php?topic=2319
bash requirement for letsencrypt.sh is a bit controversial in BSD land, some of it Shellshock, the other bit just political nonsense. Not sure what to do here...
acme-tiny seems to be nice enough and can be installed from the command line:
# pkg install acme-tiny
Docs can be found below.
https://github.com/diafygi/acme-tiny
We have no ETA for a plugin integration, short on contributor interest in the topic.
Cheers,
Franco