Feature Request | Let's Encrypt TLS Web Certs

Started by mitchskis, March 02, 2016, 06:18:23 PM

Please consider expanding system certificate management to enable one-click generation and signing of TLS web certs via the Let's Encrypt initiative for the administration interface. The Certificate Authority is now widely trusted and many stable ACME clients exist. Of course, automated cert replacement is also important.


March 02, 2016, 07:27:58 PM #2 Last Edit: March 02, 2016, 07:43:30 PM by mitchskis
Neat! I was unaware the GitHub issue tracker was in use.

It's not on our official roadmap at the moment. The problem with Let's Encrypt is their large ecosystem in the default client. There are more portable solutions nowadays, but the last time we checked we did not find a suitable (and sane) solution.

franco, can you expand on your answer a little? What exactly do you mean by "large ecosystem" in this context? Do you mean code complexity?

I would really like to see LE support integrated into opnsense, even if it's just a plugin. I do know some python, but I don't understand what the "requirements" or hold-up is for making this happen. What makes a particular solution 'suitable' and 'sane'?

Understanding this, I can gauge whether it's a project I can tackle or not.

There are two viable candidates that I know of. Here are their runtime dependencies:

/usr/ports/security/letsencrypt.sh # make run-depends-list
/usr/ports/ftp/curl
/usr/ports/shells/bash

/usr/ports/security/py-letsencrypt # make run-depends-list
/usr/ports/devel/py-configargparse
/usr/ports/devel/py-configobj
/usr/ports/devel/py-mock
/usr/ports/devel/py-parsedatetime
/usr/ports/devel/py-pyrfc3339
/usr/ports/devel/py-python2-pythondialog
/usr/ports/devel/py-pytz
/usr/ports/devel/py-setuptools27
/usr/ports/devel/py-six
/usr/ports/devel/py-zope.component
/usr/ports/devel/py-zope.interface
/usr/ports/lang/python27
/usr/ports/security/py-acme
/usr/ports/security/py-cryptography
/usr/ports/security/py-openssl
/usr/ports/sysutils/py-psutil

The former is a portable alternative based on bash/zsh and the latter is the original code with a large trail of Python modules.

Certificates are built into the base system, so we can't choose the plugin road easily without revamping the certificate code considerably. That would take a month or two as an educated guess. And it might be spurious work for a single plugin.

So instead, we will have to bring the runtime dependencies of a letsencrypt handler to OPNsense base installations. I do not really feel comfortable with bash on the box and letting it handle certificate information.

There may be a middle ground with this, but we cannot tell before work has started on it. What do you think?

PS: Ticket here since Nov 2015 https://github.com/opnsense/plugins/issues/6

Sorry about the late reply; I never received an email notification that there was a response. : /

I certainly understand not wanting bash involved.

Anyway, if the issue is the actual number of dependencies, there are a couple of smaller python projects that don't seem to have nearly so many.

MIT licensed - https://github.com/diafygi/acme-tiny
GPLv3 licensed - https://github.com/kuba/simp_le

I don't know how the opnsense project works with regards to non-ports code/packages, so maybe these aren't acceptable because they aren't in your package manager?

Both look like viable alternatives, thank you! We have Python underneath so that's good. Slightly favouring the MIT license for BSD style alignment.

If the packages are not on FreeBSD ports and the actual script is light enough it may be best to embed the code directly into the GUI package.

I'll make a note in the package and ask Ad to review the options.


Cheers,
Franco

Make sure to prod us again, this is also appreciated as it tends to get things done. :)

The acme-tiny package is now in our ecosystem, if anyone wants to play with it...

# pkg install acme-tiny

Thought I would drop in and give that helpful prod.

letskencrypt went in as a package for 16.1.16, that's the progress at the moment. Highly unlikely that we will have this integrated before 16.7 as we're slowly switching from "rework all the things" mode to "polish all the things" mode. :)

https://kristaps.bsd.lv/letskencrypt/

Hey, that's great! I don't mind waiting a bit longer for it at all. Looking forward to having this feature; it solves a lot of issues on my end.