A new certificate authority called “Let’s Encrypt” is being created. The goal of the project is to make setting up https simple, fast, and free. They’re being backed by Mozilla, the EFF, and some other pretty big names. You can watch a demo of the Let’s Encrypt client here, or read more about it on their website and github.
Is this something we would be interested in shipping with yunohost? I don’t know about anyone else, but https isn’t really working for my installation of yunohost, not unless I make a security exception in my browser, I’m guessing because I don’t have a certificate authority, but I haven’t really investigated.
I did a quick test today of how to use Let’s Encrypt with yunohost, following the documentation. Here is how it went:
```bash
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
# installs the system dependencies (Debian/Ubuntu)
sudo ./bootstrap/debian.sh
# isolated Python 2 environment, kept apart from the system packages
virtualenv --no-site-packages -p python2 venv
./venv/bin/pip install -r requirements.txt acme/ . letsencrypt-apache/ letsencrypt-nginx/
# at this point let's encrypt is installed
# we have to stop nginx because let's encrypt will use port 443 to validate the domain
sudo service nginx stop
# interactive run: pick the standalone authenticator and enter the domain when prompted
sudo ./venv/bin/letsencrypt auth
```
Choose the standalone authenticator and enter the domain name when asked.
After that, if your DNS is correctly configured, this will be created:
Now you have to either replace the paths in /etc/nginx.conf.d/domain.tld.conf or replace crt.pem and key.pem in /etc/yunohost/certs/domain.tld/ (/!\ back up before making any change).
I believe the correct files to use are fullchain.pem and privkey.pem.
After that, restart nginx with
```bash
sudo service nginx start
```
And finally your yunohost is broken because of the HSTS configuration.
My conclusion is that Let’s Encrypt is easy to use and will be easy to script/integrate with yunohost using the standalone authenticator. Each domain can have its own configuration in /etc/letsencrypt/configs/domain.tld.conf and the command lines are automatable (but this didn’t work in my test).
But until Let’s Encrypt is operational, I suggest using a free cert from StartSSL and following the instructions on https://yunohost.org/#/certificate_en
Note: Let’s Encrypt also has a way to automatically install the cert on nginx, but I didn’t test that because I believe it will break the yunohost configuration, since the paths are a little specific. I have not tested the automatic revocation and renewal of certificates.
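The cert-swap step described in the post above (back up /etc/yunohost/certs/domain.tld/, copy fullchain.pem and privkey.pem over crt.pem and key.pem, start nginx again), written up as an added shell example. This is not code from the post or from the yunohost project. It assumes the client writes its output to /etc/letsencrypt/live/<domain>/ (the post does not show that path) and adds two checks a practitioner would want before overwriting anything: that privkey.pem actually matches fullchain.pem, and that the certificate is not already expired. The function name install_le_cert and the backup directory naming are my own.

```bash
#!/bin/sh
# Added example: install a Let's Encrypt certificate into the yunohost cert
# directory with a backup and sanity checks first. The yunohost paths follow
# the post; /etc/letsencrypt/live/<domain>/ is an assumption about the client.

# Succeeds only if the public key in the certificate equals the one derived
# from the private key. Any openssl failure (or missing openssl) counts as a
# mismatch, so nothing gets installed on doubt.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_le_cert DOMAIN [LIVE_DIR] [CERTS_DIR]
install_le_cert() {
    domain=$1
    live_dir=${2:-/etc/letsencrypt/live/$domain}
    certs_dir=${3:-/etc/yunohost/certs/$domain}
    fullchain=$live_dir/fullchain.pem
    privkey=$live_dir/privkey.pem

    # Both files must exist and be non-empty before we touch the live config.
    for f in "$fullchain" "$privkey"; do
        if [ ! -s "$f" ]; then
            echo "install_le_cert: missing or empty $f" >&2
            return 1
        fi
    done
    if ! cert_key_match "$fullchain" "$privkey"; then
        echo "install_le_cert: privkey.pem does not match fullchain.pem" >&2
        return 1
    fi
    # Refuse a certificate that is expired or expires within the next 24h.
    if ! openssl x509 -in "$fullchain" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "install_le_cert: certificate expired or expires within 24h" >&2
        return 1
    fi

    # Back up the whole yunohost cert directory before changing anything.
    backup="$certs_dir.bak.$(date +%Y%m%d%H%M%S)"
    cp -a "$certs_dir" "$backup" || return 1
    echo "backup written to $backup"

    # fullchain.pem -> crt.pem (readable), privkey.pem -> key.pem (root only).
    install -m 0644 "$fullchain" "$certs_dir/crt.pem" || return 1
    install -m 0600 "$privkey" "$certs_dir/key.pem" || return 1

    # nginx was stopped for the standalone authenticator; validate the config
    # before starting it again so a bad cert path does not leave it down.
    nginx -t && service nginx start
}

# Usage (as root, after the standalone run succeeded): install_le_cert domain.tld
```

The checks run before the backup is written, so a failed run leaves /etc/yunohost/certs/domain.tld/ exactly as it was, and the key/cert comparison catches the common mistake of pointing crt.pem at one domain's chain and key.pem at another's.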