Let's Encrypt support

[Oebele Drijfhout]

Are there plans to support Let's Encrypt in the Certificate Manager, once they start signing certificates?

[franco]

You speak of automatically using their service to sign SSL certificates?

[Oebele Drijfhout]

yes, some implementation of this: https://letsencrypt.org/howitworks/

[franco]

We do have a python wrapper in FreeBSD now, py-letsencrypt, but I am a bit staggered by its complexity, although Python fits our backend service philosophy nicely. I can see this as a plugin, given that we handle backend service plugin support a bit better, I think there's a ticket here...

https://github.com/opnsense/core/issues/329

And this...

https://github.com/opnsense/plugins/issues/6

Any help on this front is greatly appreciated.

[Oebele Drijfhout]

Great,  unfortunately my python skills leave room for improvement, but I'll certainly keep an eye on this.

[reep]

I have been using a bash script called letsencrypt.sh on my linux boxes and wrote a small plugin for them to generate the config files. The letsencrypt.sh script is a lot easier and more transportable than the full fat official clients.

https://github.com/lukas2511/letsencrypt.sh

It probably wouldn't take much to use that (and believe it is BSD compatible). You just need to write a simple plain text config file and domains.txt file and add a cronjob for renewals.

You have to be able to http resolve a .well-known/acme-challenge directory for a given domain.

B. Rgds
John

[franco]

There's another thread here: https://forum.opnsense.org/index.php?topic=2319

bash requirement for letsencrypt.sh is a bit controversial in BSD land, some of it Shellshock, the other bit just political nonsense. Not sure what to do here...

acme-tiny seems to be nice enough and can be installed from the command line

# pkg install acme-tiny

Docs can be found below.

https://github.com/diafygi/acme-tiny

We have no ETA for a plugin integration, short on contributor interest in the topic.


Cheers,
Franco