[BlueOnyx:18717] Re: SSL Certificates (via Let's Encrypt)

Michael Stauber mstauber at blueonyx.it
Fri Dec 4 12:38:30 -05 2015


Hi all,

Back in June Gregg K asked:
> I was wondering if BlueOnyx is going to be compatible with Let's Encrypt.
> It could be an interesting way of setting up SSL for some BO clients?
> Just a thought.
> https://letsencrypt.org/
> Has anyone looked into them?

Well, LetsEncrypt just entered public Beta and no longer requires signup
for participating. So I took a look at how we can integrate their
certificate generation mechanism into BlueOnyx.

My impression about their SSL certificate generation mechanism?

What a bloody *hipster* bullshit! <sigh>

I don't object to them using Python for the code. That's fine. But their
script is self-updating and that's where I have my quirks. It therefore
phones home on every usage and if there is a new version, it'll install
it automatically. Which might break. And then you don't know that it
did an update to a new version which might (or might not) have broken
their methods and not yours. So you might end up with things not working
and neither you nor I are the wiser about why it broke in the first place.
Great. \o/

The "recommended" install *requires* you to run another public Apache
webserver that they then use for callbacks. They must be out of their
friggin' minds to even think about that. Well, there is a way to use the
client just to generate certs that doesn't involve setting up a separate
webserver for this shit. Let's use that method then.

The certificates are also only valid for 90 days. Recommended procedure:
Use their client to automatically renew the certs every 60 days. Well, I
can kinda live with that. But as we're not using their auto-installer to
push these certs out to our Apache, I'll have to write my own for that
purpose.

The certificate-key is generated in PKCS#8 format, whereas BlueOnyx
needs the key in PKCS#1 format for import. I can work around that by
converting the key with OpenSSL. Eventually we need to support PKCS#8 as
well, though.

Right now I have a domain on a 5209R that uses the Let's Encrypt SSL
certificate. SSL-Labs rates that 5209R Vsite as a solid "A", so that's
looking good.

I'll work on the GUI implementation for 5207R, 5208R and 5209R of it
during the next couple of days and should have it ready by the end of
next week. The complicated part will be setting up the mechanism that
handles auto-renewals and that probably will need some fine tuning after
release. So when this gets published, it'll be experimental for a couple
of months.

The plan is that you can use the SSL GUI the same way as before to
generate self-signed certificates and cert requests, and can install SSL
certs from any SSL CA authority. But additionally there will be a "Let's
Encrypt" button that leads to a new GUI page that allows you to directly
get an SSL certificate via Let's Encrypt and to set up auto-renewal for it.

This also opens a couple of possibilities like directly setting up
AdmServ to use a free "Let's Encrypt" SSL certificate for AdmServ itself
instead of using a self-signed one. In any case the same SSL GUI can be
used to equip AdmServ with such a cert anyway.

-- 
With best regards

Michael Stauber
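Two of the points in the message above, the PKCS#8 to PKCS#1 key conversion with OpenSSL and the "renew a 90-day cert after 60 days" rule, can be checked from a shell. The script below is an added example and is not BlueOnyx project code nor the Let's Encrypt client; it assumes only that the `openssl` command-line tool (1.1.x or 3.x) is on PATH, and the key and certificate files it works on are generated by the script itself rather than taken from a real Vsite. It goes a little beyond the message by handling the OpenSSL 3.x behaviour where `openssl rsa` writes PKCS#8 by default and needs `-traditional` to produce the PKCS#1 form:

```shell
#!/bin/sh
# Added example (not BlueOnyx project code): convert a PKCS#8 private key
# into the PKCS#1 form the BlueOnyx importer expects, and decide whether a
# 90-day certificate is due for its 60-day renewal.
# Assumes the openssl CLI (1.1.x or 3.x) is on PATH.
set -eu

# Write the PKCS#1 ("BEGIN RSA PRIVATE KEY") equivalent of a PKCS#8
# ("BEGIN PRIVATE KEY") RSA key. OpenSSL 3.x defaults to PKCS#8 output and
# needs -traditional; 1.1.x has no such flag and writes PKCS#1 anyway.
convert_pkcs8_to_pkcs1() {
    in_key=$1; out_key=$2
    umask 077                     # the new key file is owner-readable only
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        openssl rsa -traditional -in "$in_key" -out "$out_key" 2>/dev/null
    else
        openssl rsa -in "$in_key" -out "$out_key" 2>/dev/null
    fi
    # Fail loudly if the result is not actually PKCS#1; a silent format
    # mismatch is exactly what would break the import later.
    grep -q 'BEGIN RSA PRIVATE KEY' "$out_key"
}

# Return 0 (true) when the certificate expires within $2 days (default 30).
# For a 90-day Let's Encrypt cert that is the "renew at day 60" rule.
cert_needs_renewal() {
    cert=$1; window_days=${2:-30}
    # openssl x509 -checkend N exits 0 if the cert is still valid N seconds
    # from now and 1 if it expires within that window (or already did).
    if openssl x509 -checkend "$((window_days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Self-contained walk-through: generate a PKCS#8 key (the format the
# Let's Encrypt client emits), convert it, sign two throwaway self-signed
# certs (90 and 10 days) and classify them. All files are constructed here.
demo() {
    work=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/key-pkcs8.pem" 2>/dev/null
    convert_pkcs8_to_pkcs1 "$work/key-pkcs8.pem" "$work/key-pkcs1.pem"
    head -n1 "$work/key-pkcs8.pem" "$work/key-pkcs1.pem"
    for days in 90 10; do
        openssl req -x509 -new -key "$work/key-pkcs1.pem" -sha256 \
            -subj "/CN=vsite.example" -days "$days" \
            -out "$work/cert-$days.pem" 2>/dev/null
        if cert_needs_renewal "$work/cert-$days.pem" 30; then
            echo "cert-$days.pem: renewal due"
        else
            echo "cert-$days.pem: ok"
        fi
    done
    rm -rf "$work"
}

# Run with:  sh thisscript.sh demo
case "${1:-}" in demo) demo ;; esac
```

The `grep` after the conversion is the part worth keeping in any renewal hook: the import side only understands one header, so checking the output format at conversion time turns a confusing GUI import failure into an immediate, visible error.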
