Topic: Thoughts on letsencrypt.com?

[DanB35]

After you referred him to this thread from BZ?

[guest22]

Yes, for SCL is the preferred way with SME Server atm, maybe he was not aware. Cross posting was not my advise.

[janet]

Dear All

I just wonder whether all this effort to get "free" certificates is worth it.
There are certificates available from commercial suppliers/ISPs/Providers etc (eg Godaddy & others) for between $10 - $50.
That cost is far cheaper than the tech support hours spent on implementing the various methods being discussed in this thread & elsewhere in the forums.
I am not saying not to use these clever "free" tools, just that there are nowadays very cheap certificates available.

[DanB35]

Janet,

As I see it, LE offers several advantages over other CAs.  Here are some that come to mind:

• Certificates are free
• Certificates are trusted by most client apps (unlike cacert.org)
• Certificates can cover up to 100 hostnames/domains, unlike some low-cost/free CAs
• All private keys are generated locally, and never leave your server
• Revocation is also supported at no cost (unlike startssl.com)
• Certificates can be issued in under a minute from a single command line
• Certificates can be renewed automatically by a cron job
• The client is designed to automatically install certificates in a running web server, and configure that server to use the certificate and to serve HTTPS (exclusively, if desired).  That feature isn't quite ready for prime time, and it wouldn't be very suitable for SME servers anyway, but it fits well with their goal of making it as easy as possible to bring trusted encryption to as many sites as possible

Of course, there are some limitations, which may or may not be drawbacks depending on your situation:

• Certificates are only valid for 90 days, rather than the 365 days that's more common with commercial CAs
• Wildcard certificates (i.e., *.yourdomain.tld) aren't supported
• Letsencrypt only performs domain validation--they only verify that the person requesting the certificate has control over the domain/host requested.  They don't validate any other information about the requestor (so people won't see the green bar in their browsers, as they do for EV certificates)
• Features 6, 7, and 8 above require that the client be installed, which for best results apparently requires that Python 2.7 be installed.  The client isn't yet available as an RPM, though RH have said it will be going into EPEL for CentOS6/RHEL6, and CentOS6 ships with Python 2.6.  As of right now, that means a little more work in getting the client running.

Limitation #2 can, IMO, be addressed by including all the hostnames you want to use as SubjectAltNames, of which Letsencrypt supports up to 100 per certificate.  There may well be applications which require a wildcard, but I'd expect they're fairly uncommon.

Limitation #4 can be mitigated by use of a different client, or even no client--you can get Letsencrypt certs without installing anything by going to https://letsgetssl.net/ or https://gethttpsforfree.com/.  This process involves manually messing around with openssl at the command line, but most of this is what you'd have to do to get a cert from someone else anyway.  But, of course, using one of these web-based options means you can't auto-renew.  One of the other clients would still allow auto-renewal, but still might require more user interaction to get going in the first place.

But in the end, "all this effort" consists, today, of:

• yum install scl-utils
• yum --enablerepo=scl-python27 install python27
• Download and unpack a .zip file
• Stop httpd-e-smith
• Run one command
• Set the appropriate db keys to point to the new certificate files
• post-upgrade;reboot

With the release of the letsencrypt client into EPEL, the first three steps will be replaced with 'yum --enablerepo=epel install letsencrypt'.  The last two steps will be required no matter where you get your cert.

[guest22]

I agree with Dan, and would like to add that it is the journey of the learning curve that is part of our enthusiasm for SME Server.

[Stefano]

I agree with Dan, and would like to add that it is the journey of the learning curve that is part of our enthusiasm for SME Server.

I agree too, and this topic has been a good example of many people working together for a common aim..
tomorrow, when letsencrypt rpm will be available, we can create a contrib to integrate it with SME, and what has been discussed here could/will be a good start point (or, at least, a good brainstorming exercise)

[DanB35]

The RPM is due out tomorrow?  Excellent!  I didn't expect it would be released so quickly.

[Stefano]

The RPM is due out tomorrow?  Excellent!  I didn't expect it would be released so quickly.

no, you misunderstood me or I did not explain myself

when I say "tomorrow", in my previuos post, I meant "in the future..."
I literally translated from italian to english, sorry

[DanB35]

Ah, ok, that makes sense too.  We still have a working (or at least mostly-working) solution today.

[brianr]

Actually "Tomorrow" might be correct - Fedora has support now...

https://fedoramagazine.org/letsencrypt-now-available-fedora/

[Stefano]

ROTFL..

I'd go to bet some bucks

[DanB35]

I have a few question about some of the wiki content that, in short, seems overly-cautious, or to show misplaced caution.  Since it's a wiki, I could, of course, just edit it, but it's always possible I'm missing something.  This seems like a better venue to discuss than the talk page on the wiki.

1.  Under Prerequisites, there's discussion of noting, or backing up, the modSSL configuration.  Then follows this: "or to be sure, a copy of the complete configuration database (a good practice before any action such as manual changing of db values or installing a contrib)".

    Really?  Are we really going to recommend that any time someone installs a contrib, or makes any manual change to the configuration database, that they make a complete backup copy of the database?  This seems entirely unnecessary to me, particularly since any changes to the database are logged in /var/log/messages.  Noting existing values (if any) of properties you're going to change, or even making a backup of those properties, would make sense.  A backup of the entire config database, with hundreds of lines to dig through to find what you're looking for, just seems like overkill.  I might feel differently on this if there were a way of doing a "config import" from the backup file (thus reverting the config database to the time the backup was made), but AFAIK there's no way to do that.

2.  In the installation section are commands to set the modSSL properties for the cert, key, and chain file.  Following those commands is this note:

We need to see if setting the above db variables disturbs other SME Server default functionality and contribs that work with certificates such as VPN solutions.

Those same db variable settings appear on the wiki in at least five other places (http://wiki.contribs.org/Custom_CA_Certificate, http://wiki.contribs.org/Certificate_Concepts, http://wiki.contribs.org/Certificate_Integration_GoDaddy_Certificate, http://wiki.contribs.org/Certificate_Integration_Thawte_Certificate, and http://wiki.contribs.org/Certificate_Integration_startssl.com_Server_Certificate), with no such warning.  They appear to be the well-documented "SME way" to specify a certificate, key, and chain file.  I can't see any reason why this warning needs to uniquely appear on the page for letsencrypt.

3.  There's a note in the renewal section, partly about the script, and partly about software collections in general:

The above commands enable Python 2.7, but do not disable it again. In general we need to examine the effect of using SCL Python 2.7 on production servers where the default Python version is being used.

As to the first issue, I'd think that running the script properly (i.e., './letsencrypt-renew.sh' rather than 'source letsencrypt-renew.sh') would itself take care of disabling Python 2.7--it will spawn its own shell, and when the script exits, any environment changes it makes should go away, right?  But another way to make sure that python27 is only enabled for that script would seem to be deleting lines 2 and 3 of the script, and calling the script with

Code: [Select]

scl enable python27 '/opt/letsencrypt-renew.sh'
As to "examin[ing] the effect of using SCL Python 2.7"--isn't that pretty much the point of using the software collections?  To allow you to install a newer version of some software package, so that it can be used when required, but still doesn't interfere with the rest of the system unless explicitly called?  If we aren't confident that they'll work in that way, it seems that should be noted on http://wiki.contribs.org/Software_Collections

[ReetP]

I have a few question about some of the wiki content that, in short, seems overly-cautious, or to show misplaced caution.  Since it's a wiki, I could, of course, just edit it, but it's always possible I'm missing something.  This seems like a better venue to discuss than the talk page on the wiki.

I think that as you already know, SME is not a bleeding edge distro. It is known for simplicity and stability. There are of course lots of people who want to hack it about, which is fine, but as you can see from a lot of forum posts, a large percentage of issues are caused by people who just don't take sufficient care and then wonder why their server has backflipped into the lava.

Remember that most contribs are properly tested and verified before being let lose on an unsuspecting public.

As with any software that is still very much in 'testing' such as this, then the best thing we can do is put up big warning signs up so hopefully people will realise the damage they may do. Caution is no bad thing.... I am still amazed at how many people try stuff on their production boxes....

Quite honestly it doesn't take much to back up your databases, and when messing with stuff like this it is a very sensible precaution, unless you are trying it on a test server (which is a much better idea)

B. Rgds
John

[guest22]

1.  Under Prerequisites, there's discussion of noting, or backing up, the modSSL configuration.  Then follows this: "or to be sure, a copy of the complete configuration database (a good practice before any action such as manual changing of db values or installing a contrib)".

    Really?  Are we really going to recommend that any time someone installs a contrib, or makes any manual change to the configuration database, that they make a complete backup copy of the database?  This seems entirely unnecessary to me, particularly since any changes to the database are logged in /var/log/messages.  Noting existing values (if any) of properties you're going to change, or even making a backup of those properties, would make sense.  A backup of the entire config database, with hundreds of lines to dig through to find what you're looking for, just seems like overkill.  I might feel differently on this if there were a way of doing a "config import" from the backup file (thus reverting the config database to the time the backup was made), but AFAIK there's no way to do that.

I agree with ReetP and next to that, we must keep in mind that we have a very mixed audience with skill sets and understanding of SME Server at very different levels. Also we (I) like to write or adjust wiki articles so that they are 'easy' to read and informative about related aspects then just the specific article. I'll put in a NFR for automatic backup the db as part of certain events, storing them to /var/log/esmith/*

2.  In the installation section are commands to set the modSSL properties for the cert, key, and chain file.  Following those commands is this note:Those same db variable settings appear on the wiki in at least five other places (http://wiki.contribs.org/Custom_CA_Certificate, http://wiki.contribs.org/Certificate_Concepts, http://wiki.contribs.org/Certificate_Integration_GoDaddy_Certificate, http://wiki.contribs.org/Certificate_Integration_Thawte_Certificate, and http://wiki.contribs.org/Certificate_Integration_startssl.com_Server_Certificate), with no such warning.  They appear to be the well-documented "SME way" to specify a certificate, key, and chain file.  I can't see any reason why this warning needs to uniquely appear on the page for letsencrypt.

Agree. I'm not an expert on certificates at all, so that's why I wonder 'how about other mechanisms or contribs that use certificates if letsencrypt sets new names and locations of certificates, claiming full ownership. And yes I agree, this should aply to all wiki pages that handle certificates *IF* the thoughts are valid.

3.  There's a note in the renewal section, partly about the script, and partly about software collections in general:
As to the first issue, I'd think that running the script properly (i.e., './letsencrypt-renew.sh' rather than 'source letsencrypt-renew.sh') would itself take care of disabling Python 2.7--it will spawn its own shell, and when the script exits, any environment changes it makes should go away, right?  But another way to make sure that python27 is only enabled for that script would seem to be deleting lines 2 and 3 of the script, and calling the script with

Code: [Select]

scl enable python27 '/opt/letsencrypt-renew.sh'
As to "examin[ing] the effect of using SCL Python 2.7"--isn't that pretty much the point of using the software collections?  To allow you to install a newer version of some software package, so that it can be used when required, but still doesn't interfere with the rest of the system unless explicitly called?  If we aren't confident that they'll work in that way, it seems that should be noted on http://wiki.contribs.org/Software_Collections

SCL works, and the script(s) needs to be reviewed and consistent. Hence the wiki page is a WIP.


Thanks for the thoughts.

[guest22]

3.  There's a note in the renewal section, partly about the script, and partly about software collections in general:
As to the first issue, I'd think that running the script properly (i.e., './letsencrypt-renew.sh' rather than 'source letsencrypt-renew.sh') would itself take care of disabling Python 2.7--it will spawn its own shell, and when the script exits, any environment changes it makes should go away, right?  But another way to make sure that python27 is only enabled for that script would seem to be deleting lines 2 and 3 of the script, and calling the script with

Code: [Select]

scl enable python27 '/opt/letsencrypt-renew.sh'

I think that would be the correct approach. But *think* that the '\opt' directory of the Python 2.7 will be searched, and nothing will be found, for the script is in (root)/opt/ path, not /opt/rh/python27/opt (or something similar)...