OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: Martinezio on February 03, 2017, 01:00:36 am
-
Dears,
I've just moved my installation to 17.1 (went smooth and easy, thx) to have this acme.sh script and to request a Let's Encrypt cert for SSL.
But how do I configure this script and how do I use it? I've created some config, but I don't know if it is valid. The logs say that issuing the new cert was successful, but I do not see this cert anywhere...
Little help? ;) Thx in advance.
Best regards,
Martin.
-
Here's the quick-start guide that the author provided: https://github.com/opnsense/plugins/pull/66
Cheers,
Franco
-
There are issues with DNS-01/nsupdate :(
I left a comment. If anyone wants to help see my comment on the above link.
-
Fixes are coming in now, thanks for the report(s). :)
-
Ok, so I found a "bug" too... The name of the certificate cannot contain the "-" sign (i.e. something-strange.domain.com).
Sadly, I do have a - in the name. Can you please do something about this? :)
Thanks in advance.
Bests...
Martin.
-
Hi Martin, check out StartCom https://www.startssl.com/ They do free certificates with good browser support as well.
Bart...
-
No, they don't ;)
Google and Mozilla authorities revoked their CA certificate due to a conflict with one of the investors that owned StartSSL. StartSSL is trying to solve this ASAP, but in my opinion it will take them at least half a year to create a new CA.
So I'd rather wait for the fix in the acme implementation :)
Best regards,
Martin.
-
Hi Martin,
Which versions of Firefox and Chrome are you seeing this on? Both the StartSSL website and certificates signed by the StartCom CA are showing fully trusted in my browsers.
Bart...
-
I'm using Firefox 51.0
Here you have a statement from Mozilla:
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
Here is info from Apple:
https://support.apple.com/en-us/HT204132
Google also supports this decision in Chrome browser:
http://www.csoonline.com/article/3137181/security/google-to-untrust-wosign-and-startcom-certificates.html
Regards :)
-
Hi Martin,
Good catch, thanks for that. I'll start testing to migrate off StartCom certs.
Bart...
-
Hello,
IMHO, if your certificate is from BEFORE October last year then you don't have any issue. If e.g. your certificate is from last year and valid for two years, then it can still be used in all browsers. The revocation by Mozilla, Apple and Google has been made for one year, giving StartSSL the option to solve their problems.
Br br
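The thread's point about older StartCom certificates (those issued before the distrust cutoff keep working for their remaining lifetime) is easy to get wrong when auditing a fleet of hosts. The following is an added example, not code from the thread or from the OPNsense plugin: it classifies a certificate in the dictionary layout Python's `ssl.getpeercert()` returns, using the 21 October 2016 notBefore cutoff stated in the Mozilla post linked above. The issuer organisation strings in `DISTRUSTED_ISSUERS` and the sample certificates are constructed assumptions for the demonstration.

```python
import ssl
from datetime import datetime, timezone

# Cutoff from the Mozilla announcement linked in the thread: certificates chaining
# to WoSign/StartCom roots with a notBefore on or after this date are distrusted.
DISTRUST_CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)

# Issuer O= values treated as affected (assumed spellings, adjust to your chain).
DISTRUSTED_ISSUERS = {"StartCom Ltd.", "WoSign CA Limited"}


def issuer_org(cert):
    """Return the organizationName of the issuer from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def not_before(cert):
    """Parse the notBefore field (e.g. 'Oct 21 00:00:00 2016 GMT') into a UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, timezone.utc)


def classify(cert):
    """Classify a certificate against the WoSign/StartCom distrust.

    'unaffected'  - issuer is not one of the distrusted CAs
    'distrusted'  - distrusted issuer and issued on/after the cutoff: replace now
    'legacy'      - distrusted issuer but issued before the cutoff: still trusted,
                    but plan the migration before it expires
    """
    if issuer_org(cert) not in DISTRUSTED_ISSUERS:
        return "unaffected"
    if not_before(cert) >= DISTRUST_CUTOFF:
        return "distrusted"
    return "legacy"


# Constructed sample certificates (not real certificates from the thread).
SAMPLE_CERTS = {
    "old-startcom": {
        "issuer": ((("organizationName", "StartCom Ltd."),),),
        "notBefore": "Mar 15 10:00:00 2016 GMT",
        "notAfter": "Mar 15 10:00:00 2018 GMT",
    },
    "new-startcom": {
        "issuer": ((("organizationName", "StartCom Ltd."),),),
        "notBefore": "Jan 05 08:30:00 2017 GMT",
        "notAfter": "Jan 05 08:30:00 2019 GMT",
    },
    "letsencrypt": {
        "issuer": ((("organizationName", "Let's Encrypt"),),),
        "notBefore": "Feb 01 00:00:00 2017 GMT",
        "notAfter": "May 02 00:00:00 2017 GMT",
    },
}


def audit(certs):
    """Return {name: classification} for a mapping of certificate dicts."""
    return {name: classify(cert) for name, cert in certs.items()}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_CERTS).items():
        print(f"{name}: {status}")
```

On a live host the same dicts come from `ssl.create_default_context().wrap_socket(...).getpeercert()`, so the audit can be pointed at each web UI or mail service you still have StartCom certificates on.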
-
Ok, so I found a "bug" too...
OPNsense 17.1.1 has been released today and contains version 1.1 of our Let's Encrypt plugin. All known bugs have been fixed. Feedback is very welcome :)
Regards
- Frank
-
Working like a charm :D Thanks a lot!