From: Lonnie A. <li...@lo...> - 2017-07-22 14:25:34
Greetings,

Given the recent pre-release, I want to follow up on the addition of ACME (Let's Encrypt) certificates.

I must say, when Let's Encrypt was first announced in 2015 I was skeptical how useful this would be with AstLinux, and frankly it initially wasn't too practical, since an HTTP query was the only challenge validation method. For AstLinux, public HTTP/HTTPS access is not the default and is discouraged, and for some installations AstLinux may be behind another router.

In 2016 Let's Encrypt added ACME DNS challenge support, which was a game-changer for AstLinux. Rather than proving you own a domain by creating a random, publicly reachable HTTP file, you can use a DNS provider that allows DNS records to be created and removed, often via an API. Your AstLinux box does not even need to be publicly reachable inbound: as long as you can prove you control the DNS for a domain, you can issue and renew a globally valid certificate for an internal host, for a specific domain you own.

While AstLinux may be the edge device with a public-facing interface, typically few (if any) services are exposed to the public side. So what is the value of a globally valid certificate over a self-signed certificate?

HTTPS) Web browsers are getting less and less tolerant of accessing sites with self-signed certificates. For HTTPS phone provisioning, some IP phones (ex. Yealink) default to validating certificates. Also useful with the stunnel HTTPS proxy.

SIP-TLS) Mobile SIP clients are much easier to set up with certificate validation enabled when using a globally valid certificate. (BTW, iOS Bria still has an issue here with validation enabled for SIP-TLS, though XMPP validation works fine.)

XMPP) XMPP clients are much easier to set up with a globally valid certificate, and in some cases it is required, along with SRV records for the domain.

LDAP) Many LDAP clients are configurable with the choice of no encryption, sending LDAP queries and responses in the clear, or securely with LDAP over SSL, which often requires a globally valid certificate.

Keep in mind that even if client access is over a VPN, globally valid certificates can be very useful and convenient. All of you reading this, at some point in time, will want to create a Let's Encrypt certificate for select AstLinux installations.

Here is the basic documentation:

ACME (Let's Encrypt) Certificates
https://doc.astlinux-project.org/userdoc:tt_acme_certificates

As the documentation suggests, you need both a domain name and a DNS hosting service that is supported by acme.sh (Cloudflare is free for basic features). You must point your domain's name servers to the DNS hosting service's servers. The DNS APIs 1-29 listed here:
https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md
are in the recent AstLinux pre-release.

Now is a good time to understand and test how ACME (Let's Encrypt) Certificates can be used in AstLinux.

Lonnie

BTW, a special thanks to David Kerr for testing and creating the "astlinux" deploy script used in acme.sh, wrapped by our acme-client command. David was also able to add FreeDNS support upstream to acme.sh.
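The DNS challenge described in the message above, as an added example that is not part of the original post and not code from acme.sh or AstLinux: what a DNS API hook actually has to publish for an ACME DNS-01 challenge, and what the CA then looks up, which is why the host being certified never needs an inbound connection. The account key, token and host name below are constructed placeholders; the computation follows RFC 8555 section 8.4 (DNS-01) and RFC 7638 (JWK thumbprint).

```python
"""Added example (not acme.sh or AstLinux code): the DNS-01 TXT record.

acme.sh's dns_* hooks create exactly this record through the provider API,
the CA resolves it, and the hook removes it afterwards.  The host that gets
the certificate is never contacted directly.
References: RFC 8555 section 8.4, RFC 7638.
"""
from __future__ import annotations

import base64
import hashlib
import json
import re

# RFC 8555 section 8.3: challenge tokens are base64url; a client must refuse
# to answer a challenge whose token contains anything else.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# RFC 7638 section 3.2: only the required public members enter the thumbprint,
# serialized with keys in lexicographic order and no whitespace.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the account key's required members.
    Extra members such as kid/alg/use are deliberately ignored."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: binds the challenge to this ACME account key, so
    somebody who merely sees the token cannot satisfy the challenge."""
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("challenge token is not base64url; refusing to answer it")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record contents: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """(owner name, TXT value) the DNS hook must publish.  A wildcard identifier
    '*.example.com' is validated at _acme-challenge.example.com: the '*.' label
    is dropped, everything else gets the _acme-challenge prefix."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}", dns01_txt_value(token, account_jwk)


def dns01_validates(published_txt: list, expected: str) -> bool:
    """The CA's check: the resolved TXT RRset must contain the expected value.
    Extra records (e.g. a stale value from the last renewal that a hook failed
    to clean up) do not cause failure as long as the current one is present;
    a record that has not propagated yet simply fails the check."""
    return any(rr == expected for rr in published_txt)


if __name__ == "__main__":
    # Constructed sample account key: placeholder coordinates, not a real key.
    account_jwk = {"kty": "EC", "crv": "P-256",
                   "x": "constructed-x-coordinate-placeholder-00000000",
                   "y": "constructed-y-coordinate-placeholder-00000000",
                   "kid": "ignored-by-thumbprint"}
    # Constructed sample token of the shape a CA hands out.
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    name, value = dns01_record("pbx.example.com", token, account_jwk)
    print(f'{name}. IN TXT "{value}"')
    # Simulated DNS answer after the hook ran and the zone propagated.
    print("CA would accept:", dns01_validates(["old-stale-value", value], value))
```

The practical points this makes visible: the record always lives under `_acme-challenge.<host>` (one level up for a wildcard), its value is a 43-character base64url digest that changes with every order because the token changes, and the value is tied to your ACME account key, so a DNS provider that can publish it on your behalf is trusted with exactly as much as the paragraph above says: control of the domain's DNS.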