A New Certificate Authority called "Let's Encrypt"

A new certificate authority called “Let’s Encrypt” is being created. The goal of the project is to make setting up https simple, fast, and free. They’re being backed by Mozilla, the EFF, and some other pretty big names. You can watch a demo of the Let’s Encrypt client here, or read more about it on their website and github.

Is this something we would be interested in shipping with yunohost? I don’t know about anyone else, but https isn’t really working for my installation of yunohost, not unless I make a security exception in my browser, I’m guessing because I don’t have a certificate authority, but I haven’t really investigated.

Neither can I, I thought this was just me doing something fundamentally wrong because I didn’t know too much about this CA stuff.

+1. I’d like to see this happen as well. The general public availability is scheduled for November 16, 2015. We could get something working by then.

I did a quick test today about how to use Let’s encrypt with yunohost following the documentation, here is how it went:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
sudo ./bootstrap/debian.sh
virtualenv --no-site-packages -p python2 venv
./venv/bin/pip install -r requirements.txt acme/ . letsencrypt-apache/ letsencrypt-nginx/
# at this point Let's Encrypt is installed
# we have to stop nginx because the standalone authenticator binds port 443 to validate the domain
sudo service nginx stop
# run the authenticator only (no installer), so the nginx config is not touched
sudo ./venv/bin/letsencrypt auth

Choose the standalone authenticator and enter the domain name when asked.

After that if your DNS is correctly configured this will be created:

cert = /etc/letsencrypt/live/domain.tld/cert.pem
privkey = /etc/letsencrypt/live/domain.tld/privkey.pem
chain = /etc/letsencrypt/live/domain.tld/chain.pem
fullchain = /etc/letsencrypt/live/domain.tld/fullchain.pem

Now you have to either replace the paths in /etc/nginx.conf.d/domain.tld.conf or replace crt.pem and key.pem in /etc/yunohost/certs/domain.tld/ ( /!\ backup before doing any change)
I believe the correct files to use are fullchain.pem and privkey.pem

After that, restart nginx with

sudo service nginx start

And finally your yunohost is broken because of HSTS configuration :smiley:

My conclusion is that Let’s Encrypt is easy to use and will be easy to script/integrate with yunohost with the standalone authenticator. Each domain can have its own configuration in /etc/letsencrypt/configs/domain.tld.conf and the command lines are automatable (but this didn’t work in my test).

But until Let’s encrypt is operational I suggest using a free cert from startssl and following the instructions on https://yunohost.org/#/certificate_en

Note: Let’s encrypt also has a way to automatically install the cert on nginx, but I didn’t test that because I believe it will break the yunohost configuration since the paths are a little specific. I have not tested the automatic revocation and renewal of certificates.
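The swap described in the post above, as an added example that is not part of this thread nor of YunoHost's or Let's Encrypt's own code: a standard-library-only Python script that checks the four files letsencrypt writes under live/domain.tld/ have the expected PEM structure, backs up the existing crt.pem/key.pem, installs fullchain.pem and privkey.pem under the names YunoHost expects, and then checks the result so a crt.pem that was copied from cert.pem (leaf only, no intermediate) is caught. The check is structural (PEM block labels and order), not a cryptographic validation of the chain, and the placeholder PEM contents written by `write_sample_live_dir()` and the temp paths in `demo()` are constructed for the example.

```python
"""Added example: sanity-check a letsencrypt live dir and install the right pair
into a YunoHost per-domain certificate directory, taking a backup first.
Standard library only; PEM files are inspected structurally, not cryptographically."""
import os
import re
import shutil
import tempfile
import time

# One PEM block; the label is captured so BEGIN and END must agree.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_labels(text):
    """Labels of the PEM blocks in a file, in order, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def _read(path):
    with open(path) as f:
        return f.read()


def check_live_dir(live_dir):
    """Check the four files from the post. Returns a list of problems (empty = ok)."""
    problems = []
    labels = {}
    for name in ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem"):
        path = os.path.join(live_dir, name)  # live/ entries are symlinks; isfile follows them
        if not os.path.isfile(path):
            problems.append("missing " + name)
            labels[name] = []
        else:
            labels[name] = pem_labels(_read(path))
    if labels["cert.pem"] != ["CERTIFICATE"]:
        problems.append("cert.pem must hold exactly one CERTIFICATE (the leaf)")
    if not labels["chain.pem"] or set(labels["chain.pem"]) != {"CERTIFICATE"}:
        problems.append("chain.pem must hold the intermediate CERTIFICATE(s)")
    if labels["fullchain.pem"] != labels["cert.pem"] + labels["chain.pem"]:
        problems.append("fullchain.pem must be cert.pem followed by chain.pem")
    key = labels["privkey.pem"]
    if len(key) != 1 or not key[0].endswith("PRIVATE KEY"):
        problems.append("privkey.pem must hold exactly one PRIVATE KEY")
    return problems


def check_installed(certs_dir):
    """Catch the classic mistake: crt.pem copied from cert.pem, so the intermediate
    is missing and clients that do not already have it reject the chain."""
    problems = []
    crt = pem_labels(_read(os.path.join(certs_dir, "crt.pem")))
    key = pem_labels(_read(os.path.join(certs_dir, "key.pem")))
    if set(crt) != {"CERTIFICATE"} or len(crt) < 2:
        problems.append("crt.pem lacks the intermediate chain: use fullchain.pem, not cert.pem")
    if len(key) != 1 or not key[0].endswith("PRIVATE KEY"):
        problems.append("key.pem is not a single private key")
    return problems


def install_into_yunohost(live_dir, certs_dir):
    """Back up crt.pem/key.pem under certs_dir, then copy fullchain.pem -> crt.pem
    and privkey.pem -> key.pem. Touches nothing if the live dir looks wrong."""
    problems = check_live_dir(live_dir)
    if problems:
        raise ValueError("; ".join(problems))
    backup_dir = os.path.join(certs_dir, "backup-" + time.strftime("%Y%m%d%H%M%S"))
    os.makedirs(backup_dir)
    for name in ("crt.pem", "key.pem"):
        src = os.path.join(certs_dir, name)
        if os.path.exists(src):
            shutil.copy2(src, backup_dir)
    # copy2 follows the live/ symlinks, so the real bytes land in certs_dir
    shutil.copy2(os.path.join(live_dir, "fullchain.pem"), os.path.join(certs_dir, "crt.pem"))
    shutil.copy2(os.path.join(live_dir, "privkey.pem"), os.path.join(certs_dir, "key.pem"))
    os.chmod(os.path.join(certs_dir, "key.pem"), 0o600)  # private key: owner read/write only
    return backup_dir


def _pem(label, body):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def write_sample_live_dir(live_dir, with_chain=True):
    """Constructed placeholder PEM files (NOT real certificates), shaped like the
    listing in the post, so the checks can be exercised offline."""
    os.makedirs(live_dir)
    leaf = _pem("CERTIFICATE", "LEAF-PLACEHOLDER")
    inter = _pem("CERTIFICATE", "INTERMEDIATE-PLACEHOLDER") if with_chain else ""
    files = {"cert.pem": leaf, "chain.pem": inter, "fullchain.pem": leaf + inter,
             "privkey.pem": _pem("PRIVATE KEY", "KEY-PLACEHOLDER")}
    for name, text in files.items():
        with open(os.path.join(live_dir, name), "w") as f:
            f.write(text)


def demo():
    """Run the whole flow in a temp dir and return the observations."""
    root = tempfile.mkdtemp()
    try:
        live = os.path.join(root, "live", "domain.tld")
        certs = os.path.join(root, "certs", "domain.tld")
        write_sample_live_dir(live)
        os.makedirs(certs)
        # pre-existing self-signed pair from the yunohost install, to be backed up
        with open(os.path.join(certs, "crt.pem"), "w") as f:
            f.write(_pem("CERTIFICATE", "OLD-SELF-SIGNED"))
        with open(os.path.join(certs, "key.pem"), "w") as f:
            f.write(_pem("PRIVATE KEY", "OLD-KEY"))
        problems_before = check_installed(certs)  # leaf only, no chain
        backup = install_into_yunohost(live, certs)
        # a live dir with an empty chain.pem must be refused before anything is touched
        broken = os.path.join(root, "live-nochain", "domain.tld")
        write_sample_live_dir(broken, with_chain=False)
        try:
            install_into_yunohost(broken, certs)
            refused = False
        except ValueError:
            refused = True
        return {
            "live_ok": check_live_dir(live) == [],
            "problems_before": len(problems_before),
            "problems_after": check_installed(certs),
            "backed_up": sorted(os.listdir(backup)),
            "crt_blocks": pem_labels(_read(os.path.join(certs, "crt.pem"))),
            "key_mode": oct(os.stat(os.path.join(certs, "key.pem")).st_mode & 0o777),
            "refused_broken": refused,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Because the files are copied rather than symlinked, the pair in /etc/yunohost/certs/ goes stale when letsencrypt renews; the script has to be re-run after each renewal (the renewal path the post says was not tested), and nginx restarted as in the post.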

Seems like an amazing idea! Thanks for sharing your first tests. Please keep us informed :smile:

Hi,
Just an update about the Let’s encrypt project.
The certificate has been signed by IdenTrust.

Good news… can’t wait to see all that working :wink:

I got the mail that I can use the beta with my domain… Will have a look into that next week. :slight_smile: