2016-04-28
A while ago I already pondered preparing links in my websites for https. With Let's Encrypt I can get free domain-validated certificates for TLS encrypting my traffic. Even the subjectAltName extension is supported to get multiple domain names on one certificate. But it took me a while to really get around to implementing the rest and testing the results. The standard way of using letsencrypt is a bit too much 'for dummies' to my taste. The suggested and supported method for using Let's Encrypt uses the standard Let's Encrypt client, which is very good at modifying apache configurations on its own. I would like free certificates, but not at the price of letting that script do things to my webserver configuration. So I asked around and someone pointed me at letsencrypt-nosudo with the brilliant introduction:

"I love the Let's Encrypt devs dearly, but there's no way I'm going to trust their script to run on my server as root, be able to edit my server configs, and have access to my private keys. I'd just like the free ssl certificate, please."

Exactly my thoughts. So I used that script, got my brain around what was happening and now I have a TLS certificate for a number of my private domains. Let's Encrypt stores the minimal amount of information about its users: the public part of their user key, and an optional e-mail address. With the letsencrypt-nosudo script I generate a certificate signing request just like 'normal' (what I am used to when requesting certificates as part of my job), and the script does a number of challenge/response actions to validate that you control the given domain name(s) using the ACME protocol (Automatic Certificate Management Environment). When that is all successful you get a free TLS certificate which says exactly 'the domain name was validated'. So now I have a certificate for a number of domain names hosted on my home server, and slowly but surely I make those work.
The default validation of the domains happens with a minimalist webserver in a Python one-liner, for which the real server has to be stopped. But I soon noticed my server gets enough requests that this interferes with real traffic, so I switched to the file-based validation. That is a bit of work, as there will be a 'put a file at URL site/.well-known/acme-challenge/base64code with content base64code' step for each site. Maybe I will create a common acme-challenge directory for all sites and let the script write to that directory.
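The shared-directory idea from the previous paragraph, as an added example that is not code from this post or from letsencrypt-nosudo: the ACME script hands over the challenge token and the exact string it expects to be served (letsencrypt-nosudo prints both), this helper writes the file into one directory with a safe file name, and a check fetches it over plain http on each hostname before the ACME server is asked to validate. The Apache snippet it prints assumes Apache 2.4 syntax; the directory path and function names are mine.

```python
"""Write ACME http-01 challenge files into one shared directory.

Added example, not code from the post or from letsencrypt-nosudo. It assumes
the webserver maps /.well-known/acme-challenge/ on every site to one directory
(the Apache 2.4 Alias returned by apache_alias_snippet()), and that the ACME
script hands over the token and the key-authorization string to be served.
"""
import os
import re
import urllib.error
import urllib.request

# ACME tokens are base64url without padding; anything else is rejected before
# it is used as a file name, so a hostile value cannot escape the directory.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def write_challenge(challenge_dir, token, key_authorization):
    """Create <challenge_dir>/<token> containing key_authorization.

    Returns the absolute path written. Raises ValueError on a token that is
    not plain base64url (which would allow '../' style names).
    """
    if not TOKEN_RE.match(token):
        raise ValueError("refusing token that is not base64url: %r" % token)
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(os.path.abspath(challenge_dir), token)
    # Mode 0644 so the webserver user can read it; the ACME script itself
    # does not need to run as the webserver user or as root.
    with open(path, "w") as fh:
        fh.write(key_authorization)
    os.chmod(path, 0o644)
    return path


def challenge_url(hostname, token):
    """URL the ACME server fetches for http-01 (plain http, port 80)."""
    return "http://%s/.well-known/acme-challenge/%s" % (hostname, token)


def check_served(url, expected, timeout=10):
    """Fetch url and report (ok, message); ok is True only for an exact match.

    Run this for every hostname in the CSR before asking for validation;
    it catches a virtual host where the Alias is missing.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace")
    except (urllib.error.URLError, OSError) as exc:
        return False, "fetch failed: %s" % exc
    if body.strip() != expected:
        return False, "unexpected body: %r" % body[:80]
    return True, "ok"


def apache_alias_snippet(challenge_dir):
    """Apache 2.4 configuration mapping the challenge path of every site to one dir."""
    d = challenge_dir.rstrip("/")
    return (
        "Alias /.well-known/acme-challenge/ %s/\n"
        "<Directory %s>\n"
        "    Options None\n"
        "    AllowOverride None\n"
        "    Require all granted\n"
        "</Directory>\n" % (d, d)
    )


if __name__ == "__main__":
    import sys
    # usage: acme_shared_dir.py <challenge_dir> <hostname> <token> <key_authorization>
    d, host, tok, keyauth = sys.argv[1:5]
    print(write_challenge(d, tok, keyauth))
    ok, msg = check_served(challenge_url(host, tok), keyauth)
    print(msg)
    sys.exit(0 if ok else 1)
```

The Alias is placed once in the main server config rather than in each VirtualHost, so every site served by that Apache answers the challenge from the same directory and the script never needs write access to the document roots.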