OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Martinezio on February 03, 2017, 01:00:36 am

Title: Using acme.sh
Post by: Martinezio on February 03, 2017, 01:00:36 am
Dears,

I've just moved my installation to 17.1 (went smooth and easy, thx) to have this acme.sh script and to request a Let's Encrypt cert for SSL.

But how do I configure this script and how do I use it? I've created some config, but I don't know if it is valid. Logs are saying that issuing the new cert was successful, but I do not see this cert anywhere...

Little help? ;) Thx in advance.

Best regards,

Martin.
Title: Re: Using acme.sh
Post by: franco on February 03, 2017, 01:00:42 pm
Here's the quick-start guide that the author provided: https://github.com/opnsense/plugins/pull/66


Cheers,
Franco
Title: Re: Using acme.sh
Post by: lrosenman on February 05, 2017, 06:09:40 am
There are issues with DNS-01/nsupdate :(

I left a comment. If anyone wants to help, see my comment on the above link.
Title: Re: Using acme.sh
Post by: franco on February 06, 2017, 05:45:56 am
Fixes are coming in now, thanks for the report(s). :)
Title: Re: Using acme.sh
Post by: Martinezio on February 06, 2017, 02:06:22 pm
Ok, so I found a "bug" too... The name of the certificate cannot contain the "-" sign (i.e. something-strange.domain.com).
Sadly, I do have "-" in the name. Can you please do something about this? :)

Thanks in advance.

Bests...

Martin.
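The hyphen problem reported above comes down to how the certificate name is validated. As an added example (not code from the thread or from the OPNsense plugin), the checker below applies the RFC 1123 hostname rules: a hyphen is legal inside a DNS label but not at its start or end, so a name such as something-strange.domain.com must be accepted while a check that rejects any "-" is too strict. The function names and the naive comparison check are constructed for illustration.

```python
import re

# One DNS label (RFC 1123): 1-63 chars, letters/digits/hyphens,
# and no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str, allow_wildcard: bool = False) -> bool:
    """Return True if `name` is a syntactically valid hostname for a cert subject.

    Interior hyphens are accepted ('something-strange.domain.com').
    Rejected: labels starting/ending with '-', empty labels, names longer
    than 253 chars, and a bare single label (a cert subject needs a domain).
    With allow_wildcard=True a leftmost '*' label is permitted ('*.domain.com').
    """
    name = name.rstrip(".")  # tolerate the trailing dot of an FQDN
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:
        return False
    if allow_wildcard and labels[0] == "*":
        labels = labels[1:]
        if not labels:
            return False
    return all(_LABEL.match(label) for label in labels)


def naive_hostname_check(name: str) -> bool:
    """Constructed illustration of an overly strict check (not the plugin's code):
    any '-' anywhere in the name is rejected, which breaks hyphenated hosts."""
    return all(label.isalnum() for label in name.split("."))


def compare_checks(names):
    """Map each name to (naive_result, rfc1123_result) to show where they differ."""
    return {n: (naive_hostname_check(n), is_valid_hostname(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample names: the hyphenated one is exactly the case from the thread.
    for name, (naive, strict) in compare_checks(
        ["something-strange.domain.com", "-bad.domain.com", "plain.domain.com"]
    ).items():
        print(f"{name:32} naive={naive!s:5} rfc1123={strict}")
```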
Title: Re: Using acme.sh
Post by: bartjsmit on February 06, 2017, 06:54:20 pm
Hi Martin, check out StartCom (https://www.startssl.com/). They do free certificates with good browser support as well.

Bart...
Title: Re: Using acme.sh
Post by: Martinezio on February 07, 2017, 09:07:08 pm
No, they don't ;)

Google and Mozilla authorities revoked their CA certificate due to a conflict with one of the investors who owned StartSSL. StartSSL is trying to solve this ASAP, but in my opinion it will take them at least half a year to create a new CA.

So I'd rather wait for the fix in the acme implementation :)

Best regards,

Martin.
Title: Re: Using acme.sh
Post by: bartjsmit on February 08, 2017, 10:07:42 am
Hi Martin,

Which versions of Firefox and Chrome are you seeing this on? Both the StartSSL website and certificates signed by the StartCom CA are showing fully trusted in my browsers.

Bart...
Title: Re: Using acme.sh
Post by: Martinezio on February 09, 2017, 10:52:46 am
I'm using Firefox 51.0.

Here you have a statement from the Mozilla Authority:
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

Here is info from the Apple Authority:
https://support.apple.com/en-us/HT204132

Google also supports this decision in the Chrome browser:
http://www.csoonline.com/article/3137181/security/google-to-untrust-wosign-and-startcom-certificates.html

Regards :)
Title: Re: Using acme.sh
Post by: bartjsmit on February 09, 2017, 01:44:36 pm
Hi Martin,

Good catch, thanks for that. I'll start testing to migrate off StartCom certs.

Bart...
Title: Re: Using acme.sh
Post by: bringha on February 09, 2017, 08:08:04 pm
Hello,

IMHO if your certificate is from BEFORE October last year then you don't have any issue. If, e.g., your certificate is from last year and valid for two years, then it can still be used in all browsers. The revocation by Mozilla, Apple and Google has been made for one year, giving StartSSL the option to solve their problems.

Br br
Title: Re: Using acme.sh
Post by: fraenki on February 09, 2017, 10:11:16 pm
Ok, so I found a "bug" too...

OPNsense 17.1.1 has been released today and contains version 1.1 of our Let's Encrypt plugin. All known bugs have been fixed. Feedback is very welcome :)


Regards
- Frank
Title: Re: Using acme.sh
Post by: Martinezio on February 14, 2017, 11:29:53 am
Working like a charm :D Thanks a lot!