Alternative client for Let's Encrypt

As mentioned in the first blog post, you have to trust the installation process of the official client, which installs a whole environment in ~/.local/ in a way that is not entirely transparent. As an alternative I tried acme-tiny. The only requirements are Python and OpenSSL, and the source code is under 200 lines. So if you know Python you can see more easily what the client actually does.

Another advantage is the possibility to use Subject Alternative Names, which lets you get a certificate valid for more than just one domain (as long as the domains point to the same server and webspace). So you can get a certificate valid e.g. for krausmueller.de and www.krausmueller.de. The README describes all steps necessary, so I am only adding some notes to the most important ones.

In step 2 you define the domains the certificate is valid for by using Subject Alternative Names in the CSR.

To prove that you actually control the domain, acme-tiny places challenge files in the folder .well-known/acme-challenge/ under each domain, which Let's Encrypt then fetches over HTTP. So you have to specify the full path to this directory as acme-dir when running the client (e.g. /var/www/domain/.well-known/acme-challenge). Alternatively you can create an alias to another directory and use the full path to that one (example for Apache):

Alias /.well-known/acme-challenge/ "/var/www/challenges/"

Step 5 of the README provides the configuration for nginx. The configuration for Apache could look like this:

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName krausmueller.de
    ServerAlias www.krausmueller.de
    DocumentRoot /var/www/krausmueller

    SSLEngine on
    # signed.crt and intermediate.pem are the files produced in the README steps
    SSLCertificateFile      /home/johannes/lets_encrypt/signed.crt
    SSLCertificateChainFile /home/johannes/lets_encrypt/intermediate.pem
    SSLCertificateKeyFile   /home/johannes/lets_encrypt/domain.key
    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1
    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    SSLHonorCipherOrder     on
</VirtualHost>

In addition you can redirect all HTTP requests to HTTPS. As an exception you have to exclude the directory .well-known/acme-challenge from the redirect, because it has to stay reachable via plain HTTP when renewing the certificate.

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName krausmueller.de
    ServerAlias www.krausmueller.de
    DocumentRoot /var/www/

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # everything except the ACME challenge directory goes to HTTPS
        RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </IfModule>
</VirtualHost>

To renew your certificate at least every 90 days (the lifetime of a Let's Encrypt certificate), you have to create a shell script that is run regularly via cronjob, as described in step 6 of the README.
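As an added example (not from the README or the original post), a renewal wrapper for that cronjob written in Python rather than shell, so the expiry check is easy to read: it only calls acme-tiny when the current certificate is close to expiring, refuses to install output that OpenSSL cannot parse, and reloads Apache afterwards. The file paths mirror the Apache configuration above and are assumptions; the location of acme_tiny.py, account.key and domain.csr is assumed too, and the intermediate chain is not refreshed here.

```python
#!/usr/bin/env python3
"""Renewal wrapper around acme-tiny for a cronjob (added example, assumed paths)."""
import os
import shutil
import ssl
import subprocess
import time

# Assumed locations, mirroring the VirtualHost above; adjust to your setup.
ACME_TINY = "/home/johannes/lets_encrypt/acme_tiny.py"
ACCOUNT_KEY = "/home/johannes/lets_encrypt/account.key"
CSR = "/home/johannes/lets_encrypt/domain.csr"
ACME_DIR = "/var/www/challenges/"        # the Alias target from above
SIGNED_CRT = "/home/johannes/lets_encrypt/signed.crt"
RENEW_BEFORE_DAYS = 30                   # well inside the 90-day lifetime


def days_until_expiry(enddate_line, now=None):
    """Parse a 'notAfter=...' line as printed by `openssl x509 -enddate`."""
    not_after = enddate_line.strip().split("=", 1)[1]
    expires = ssl.cert_time_to_seconds(not_after)   # understands OpenSSL's format
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def should_renew(days_left, threshold=RENEW_BEFORE_DAYS):
    return days_left <= threshold


def current_days_left(cert_path=SIGNED_CRT):
    if not os.path.exists(cert_path):
        return 0.0                                   # no cert yet: issue one
    out = subprocess.check_output(
        ["openssl", "x509", "-in", cert_path, "-noout", "-enddate"], text=True)
    return days_until_expiry(out)


def renew():
    """Ask acme-tiny for a new cert, sanity-check it, then install it atomically."""
    tmp = SIGNED_CRT + ".new"
    with open(tmp, "w") as fh:
        subprocess.run(["python3", ACME_TINY, "--account-key", ACCOUNT_KEY,
                        "--csr", CSR, "--acme-dir", ACME_DIR],
                       stdout=fh, check=True)
    # Refuse to install anything OpenSSL cannot parse as a certificate.
    subprocess.run(["openssl", "x509", "-in", tmp, "-noout"], check=True)
    shutil.move(tmp, SIGNED_CRT)
    subprocess.run(["apachectl", "graceful"], check=True)


if __name__ == "__main__":
    if should_renew(current_days_left()):
        renew()
```

Run it from cron as the user owning the key and CSR, with permission to reload Apache; a failed acme-tiny run leaves the old signed.crt untouched.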