OPNsense Forum
English Forums => Development and Code Review => Topic started by: Oebele Drijfhout on October 21, 2015, 09:32:38 pm
-
Are there plans to support Let's Encrypt in the Certificate Manager, once they start signing certificates?
-
You speak of automatically using their service to sign SSL certificates?
-
Yes, some implementation of this: https://letsencrypt.org/howitworks/
-
We do have a Python wrapper in FreeBSD now, py-letsencrypt, but I am a bit staggered by its complexity, although Python fits our backend service philosophy nicely. I can see this as a plugin, given that we handle backend service plugin support a bit better, I think there's a ticket here...
https://github.com/opnsense/core/issues/329
And this... :)
https://github.com/opnsense/plugins/issues/6
Any help on this front is greatly appreciated.
-
Great, unfortunately my Python skills leave room for improvement, but I'll certainly keep an eye on this.
-
I have been using a bash script called letsencrypt.sh on my Linux boxes and wrote a small plugin for them to generate the config files. The letsencrypt.sh script is a lot easier and more transportable than the full-fat official clients.
https://github.com/lukas2511/letsencrypt.sh
It probably wouldn't take much to use that (and I believe it is BSD compatible). You just need to write a simple plain text config file and domains.txt file and add a cronjob for renewals.
You have to be able to http resolve a .well-known/acme-challenge directory for a given domain.
B. Rgds
John
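Added example, not part of the thread and not code from letsencrypt.sh or OPNsense: a pre-flight check for the requirement in the post above that the `.well-known/acme-challenge` directory must be reachable over HTTP before a renewal cronjob can succeed. The function names, the probe file naming and the local stand-in web server are assumptions made for illustration.

```python
import functools, http.server, os, secrets, tempfile, threading
import urllib.error, urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"

def preflight_http01(webroot, base_url, timeout=5):
    """Return (ok, detail): is a file dropped into webroot's challenge dir served at base_url?"""
    token = "preflight-" + secrets.token_urlsafe(16)   # unguessable probe file name
    body = secrets.token_urlsafe(32)                   # unguessable probe content
    cdir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(cdir, exist_ok=True)
    probe = os.path.join(cdir, token)
    with open(probe, "w") as fh:
        fh.write(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}"
    # Ignore proxy environment variables: the check must hit the web server directly.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            got = resp.read(4096).decode("ascii", "replace").strip()
    except urllib.error.HTTPError as exc:              # e.g. 404: wrong webroot or alias
        return False, f"HTTP {exc.code} for {url}"
    except OSError as exc:                             # DNS failure, refused, timeout
        return False, f"cannot reach {url}: {exc}"
    finally:
        os.remove(probe)                               # never leave probe files behind
    if got != body:
        return False, "served content does not match the probe file"
    return True, "challenge directory is reachable over HTTP"

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):                      # keep the demo output clean
        pass

def serve_directory(directory):
    """Constructed stand-in for the real web server: serve `directory` on 127.0.0.1."""
    handler = functools.partial(QuietHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"

def demo():
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as other:
        server, url = serve_directory(webroot)
        try:
            good = preflight_http01(webroot, url)      # webroot matches what is served
            bad = preflight_http01(other, url)         # probe written where the server never looks
        finally:
            server.shutdown(); server.server_close()
        return good, bad
```

A local check like this only confirms the web server maps the directory correctly; the certificate authority still has to reach the same URL from the outside through DNS and any firewall rules.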
-
There's another thread here: https://forum.opnsense.org/index.php?topic=2319
bash requirement for letsencrypt.sh is a bit controversial in BSD land, some of it Shellshock, the other bit just political nonsense. Not sure what to do here...
acme-tiny seems to be nice enough and can be installed from the command line
# pkg install acme-tiny
Docs can be found below.
https://github.com/diafygi/acme-tiny
We have no ETA for a plugin integration, short on contributor interest in the topic.
Cheers,
Franco