#letsencrypt

Jeroen Meijer

letsencrypt client software changes

Short version: the #letsencrypt client (only) is renamed and transferred to the Electronic Frontier Foundation (EFF). Please update!

Long version: We've transitioned completely to letsencrypt certificates recently. It is a brilliant concept and hundreds of thousands of websites are running it.

The automated CA portion is fully transparent and anyone can write client software to automate that part. When we implemented, we took their letsencrypt-auto client and added some scripting to auto-install A+ rated certificates for #haproxy.

It seems like the good people at letsencrypt have been totally overwhelmed by the runaway success of letsencrypt and have decided to spin off their own client to fully concentrate on the CA side. Seems to me that is a wise decision.

However, because a message was popped up in the old client to transition to the new client, the cron job got stuck. So please do check your scripts, update to the certbot-auto client and continue. The command line options are unchanged, so it's really easy, just install the new client and change the reference to it. More details here https://letsencrypt.org/getting-started/

ps: I have no idea how this pans out for systems with embedded letsencrypt support. If they used the letsencrypt-auto script as-is, you might want to make sure your certificates are still being updated.
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

Jeroen Meijer

letsencrypt.org and haproxy

As I wrote earlier, I am a fierce proponent of https (ssl) encryption on everything internet, but I also regard the ssl certificate trade as nonsensical. It's simply too easy to fake certificates. #letsencrypt tackles this by automatically (re)issuing 3-month certificates for free. They have now come out of beta and there are scripts and instructions floating around for many platforms, including #haproxy. I will start implementing this on one or two test domains and will report on progress here.

Will Hill

#facebook has power lust, greed for data harvesting, censorship. #LetsEncrypt should NOT have any financial dependencies on Facebook.

Christian M. Grube

Simplest shell script for LetsEncrypt free Certificate client
#letsencrypt

Jeroen Meijer

Letsencrypt on Domino

Let me be honest. I won't go back to Domino doing https. I felt bitten when newer cipher suites were implemented very very late, and using #haproxy since then to offload ssl processing has worked out so well we're not looking back: we now have server fallback, outbound ssl and #letsencrypt all covered.

But I do understand people who do run ssl on their Domino boxes. Those who do, I would encourage to have a look at letsencrypt too. It can fully automate getting certificates, and with a few extra commands and the kyrtool utility you can have Domino run letsencrypt certificates and have them automagically renewed and put into your keyring file pair.

Christian M. Grube

Great debugging:
ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /acme/new-authz (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f1948525790>: Failed to establish a new connection: [Errno -2] Name or service not known',))

I've found a bug in the manual authentication plugin and now can't validate it any more. After the GET I can see that it already receives the right data from the file in .well-known/acme-challenge/, but it is of the opinion that:

2015-10-30 19:51:51,113:ERROR:letsencrypt.plugins.manual:Self-verify of challenge failed, authorization abandoned.
2015-10-30 19:51:51,113:INFO:letsencrypt.auth_handler:Waiting for verification...
2015-10-30 19:51:51,114:INFO:letsencrypt.auth_handler:Cleaning up challenges
2015-10-30 19:51:51,115:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/home/chris/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/home/chris/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1131, in main
    return args.func(args, config, plugins)
  File "/home/chris/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 489, in obtaincert
    _auth_from_domains(le_client, config, domains, plugins)
  File "/home/chris/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 327, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains, plugins)
  File "/home/chris/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 229, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/home/chris/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 212, in obtain_certificate
    return self._obtain_certificate(domains, csr) + (key, csr)
  File "/home/chris/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 170, in _obtain_certificate
    authzr = self.auth_handler.get_authorizations(domains)
  File "/home/chris/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 87, in get_authorizations
    self.verify_authzr_complete()
  File "/home/chris/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 298, in verify_authzr_complete
    raise errors.AuthorizationError("Incomplete authorizations")
AuthorizationError: Incomplete authorizations



#letsencrypt #debian #jessie
I'm supposed to write a plugin:
https://github.com/letsencrypt/letsencrypt/issues/1230

I'll see whether I manage it this evening or tonight, since the weekend is more for the family.
I'm already a bit short on sleep because my son had croup.
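The "Self-verify of challenge failed" line above is the client comparing what it expects at /.well-known/acme-challenge/<token> with what the web server actually returned. The following is an added example, not code from Christian's post or from the letsencrypt client: it builds the expected key authorization (token "." RFC 7638 thumbprint of the account key) and runs the same comparison a CA applies per RFC 8555 section 8.3 (HTTP 200, body equal to the key authorization, trailing whitespace ignored) against a set of constructed responses. The account key, token and responses are all made up for the example, and whether the 2015 manual plugin's self-check was exactly this strict is not something this page establishes.

```python
import base64
import hashlib
import json
import re

# Added example; the account key, token and server responses below are constructed.

# ACME tokens are base64url characters only. Checking this before the token is
# used as a file name under .well-known/acme-challenge/ rules out path tricks.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def token_is_safe(token: str) -> bool:
    """True if the token can be used as a path component without surprises."""
    return bool(TOKEN_RE.match(token))


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (sorted keys, no
    whitespace) of the required public members only. Optional members such
    as 'kid' or 'alg', and any private members, never enter the hash."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact bytes that must be served at /.well-known/acme-challenge/<token>."""
    if not token_is_safe(token):
        raise ValueError("token is not base64url; refusing to use it as a path")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def self_verify_http01(token: str, account_jwk: dict, status: int, body: bytes) -> bool:
    """Client-side pre-check of an http-01 challenge using the CA's rules
    (RFC 8555 section 8.3): status 200, ASCII body equal to the key
    authorization, whitespace after the body ignored. Anything else fails."""
    if status != 200:
        return False
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.rstrip(" \t\r\n") == key_authorization(token, account_jwk)


# Constructed sample account key: the modulus is a placeholder, NOT a real RSA key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key", "kid": "ignored"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token


def demo() -> dict:
    """Run the self-check against a few constructed web server responses."""
    expected = key_authorization(TOKEN, ACCOUNT_JWK).encode("ascii")
    other_key = {**ACCOUNT_JWK, "n": "some-other-modulus"}
    cases = {
        "exact": (200, expected),
        "trailing newline (an editor added one)": (200, expected + b"\n"),
        "token only, thumbprint missing": (200, TOKEN.encode("ascii")),
        "served the wrong account key's authorization": (200, key_authorization(TOKEN, other_key).encode("ascii")),
        "redirected to an HTML page": (200, b"<html>Welcome</html>"),
        "404 from the web root": (404, expected),
    }
    return {name: self_verify_http01(TOKEN, ACCOUNT_JWK, status, body) for name, (status, body) in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The cases that fail are the ones that produce the log line above in practice: a file containing only the token, a file written under a different account key (for instance after the client's account directory was recreated), or a rewrite rule that hands the request to a generic page instead of the challenge response.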

Matthias Klumpp

Interesting, #LetsEncrypt works well in Chrome/Chromium, but the certificates are not accepted by Firefox...
I enabled HTTPS for https://tracker.tanglu.org now, tangluusers.org is still available unencrypted, until all browsers accept the certificate and don't display a scary warning anymore.
Took under 5 minutes here from pulling the client to checking the certs at SSL Labs. No manual interference, all worked automagicaly

ij liao
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

Alexander Bochmann

My first #letsencrypt certificate, requested using https://github.com/gheift/letsencrypt.sh, an Apache rewrite rule, and one line of php to answer the Challenge request.

Now, need to automate renewal...
Free CT Log Certificate Search Tool from COMODO
Yeouch. On a non-Linux system I noticed letsencrypt.sh needs xxd, which seems to be part of the vim distribution...?

Daniel Bos

Just switched over my entire website to SSL using the #LetsEncrypt certs (previously I had only the admin section on SSL). It barely took any effort at all!

The certificates should be cross-signed, and work for any modern browser, but let me know if it doesn't work for any of you.

Jeroen Meijer

letsencrypt.org part 3

We run an application cluster housed in two different datacenters for maximum uptime. #haproxy does load balancing for when the application server crashes. We tend to spread the load over the two datacenters by simply spreading the DNS record over the two DCs.

To renew #letsencrypt certificates I made a few scripts, but the only thing I wasn't happy about was that I had to make sure the process requesting the certificate ran on the server the DNS for that domain was pointing to. Until I realized that was nonsense. I changed the HAProxy backend config to reroute the letsencrypt authentication request from letsencrypt right back to the server where the requesting script is running, over the internal network. Solved, only one place to manage things.

backend letsencrypt
    mode http
    # 'reqadd' was removed in HAProxy 2.1; there, use: http-request add-header X-Forwarded-Proto https
    reqadd X-Forwarded-Proto:\ https
    # the box running the renewal script; the frontend needs an acl on path_beg /.well-known/acme-challenge/ with use_backend letsencrypt (not shown in the post)
    server letsencrypt internal.mydomain.local:9999

Jeroen Meijer

letsencrypt.org part 2

A great way to make #letsencrypt work under #haproxy is to use the approach described in the brixit blog, link below. Using a slight variation of Martijn Braam's script I have the certificate created, copied to the #haproxy ssl folder, and haproxy restarted gracefully (see my previous entry about that).

Having a new certificate issued now takes about 30 seconds, fully automated once per month.

There is not a single reason why you shouldn't move your website to https.

I believe this will be entirely disruptive to the certificate authorities such as rapidssl and networksolutions, with exception of maybe the issuing of EV certificates.

https://blog.brixit.nl/automating-letsencrypt-and-haproxy
Letsencrypt is a great project for getting every website on https. It provides a great client that will create your certificates and can even automatically set up your running apache to use the new ssl certificate for https. There is also some experimental support for automatically configuring ...

Christian M. Grube

LetsEncrypt is an initiative to provide free SSL certificates to the world. The official LetsEncrypt client is now available for Fedora 23 or greater.

Sami Lehtinen

Install the root certificate. Let's Encrypt hasn't yet been added as a trusted authority to the major browsers (that will be happening soon), so for now, you'll need to add the ISRG root certificate yourself. Specifics will depend on your browser. In Firefox, just click the link.

Jos Poortvliet

Excited about #letsencrypt because of #ownCloud Proxy and how the two go together in our new VM...

https://owncloud.org/connect -> ownCloud Proxy is there.
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the Internet Security Research Group (ISRG). ISRG is a California public benefit corporation, and is recognized by the IRS as a tax-exempt organization under Section 501(c)(3) of the Internal Revenue Code.


Andreas Falk

Arriving September 2015..

#letsencrypt
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the Internet Security Research Group (ISRG). ISRG is a California public benefit corporation, and is recognized by the IRS as a tax-exempt organization under Section 501(c)(3) of the Internal Revenue Code.