> On 22.07.2017 at 16:25, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
> 
> Greetings,
> 
> Given the recent pre-release, I want to follow-up discussing the addition of 
> ACME (Let's Encrypt) certificates.
> 
> I must say, when Let's Encrypt was first announced in 2015 I was skeptical 
> how useful this would be with AstLinux, and frankly it initially wasn't too 
> practical since a HTTP query was the only challenge validation method.  For 
> AstLinux, public HTTP/HTTPS access is not the default and discouraged, and 
> for some installations AstLinux may be behind another router.
> 
> In 2016 Let's Encrypt added ACME DNS challenge support, which was a 
> game-changer for AstLinux.  Rather than proving you own a domain by creating 
> a random HTTP public reachable file, you can use a DNS provider that supports 
> DNS records to be created and removed, often via an API.  Your AstLinux box 
> does not even need to be publicly reachable inbound, as long as you can prove 
> you control the DNS for a domain, you can issue and renew a globally valid 
> certificate for an internal host, for a specific domain you own.
> 
> While AstLinux may be the edge device with a public facing interface, 
> typically few (if any) services are exposed to the public side.  So what is 
> the value of a globally valid certificate over a self-signed certificate?
> 
> HTTPS)
> Web browsers are getting less and less tolerant of accessing sites with 
> self-signed certificates.  For HTTPS phone provisioning, some IP Phones (ex. 
> Yealink) default to validating certificates.  Also useful with the stunnel 
> HTTPS proxy.
> 
> SIP-TLS)
> Mobile SIP clients are much easier to set up with certificate validation 
> enabled with a globally valid certificate.
> (BTW, iOS Bria still has an issue here with validation enabled for SIP-TLS, 
> though XMPP validation works fine)
> 
> XMPP)
> XMPP clients are much easier to set up with a globally valid certificate, and 
> in some cases required along with SRV records for the domain.
> 
> LDAP)
> Many LDAP clients are configurable with the choice of no encryption sending 
> LDAP queries and responses in the clear, or securely with LDAP over SSL which 
> often requires a globally valid certificate.
> 
> Keep in mind that even if client access is over a VPN, globally valid 
> certificates can be very useful and convenient.
> 
> All of you reading this, at some point in time, will want to create a Let's 
> Encrypt certificate for select AstLinux installations.  Here is the basic 
> documentation:
> 
> ACME (Let's Encrypt) Certificates
> https://doc.astlinux-project.org/userdoc:tt_acme_certificates
> 
> As the documentation suggests, you need both a domain name and a DNS hosting 
> service that is supported by acme.sh (Cloudflare is free for basic features). 
> You must point your domain's name servers to the DNS hosting service's 
> servers.
> 
> The DNS APIs 1-29 listed here: 
> https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md are in the 
> recent AstLinux pre-release.
> 
> Now is a good time to understand and test how ACME (Let's Encrypt) 
> Certificates can be used in AstLinux.
> 
> Lonnie
> 
> BTW, a special thanks to David Kerr for testing and creating the "astlinux" 
> deploy script used in acme.sh, wrapped by our acme-client command.  David 
> also was able to add FreeDNS support upstream to acme.sh.

Lonnie and David,

thanks a lot for your work.
Let's Encrypt (ACME) seems like a very useful addition to AstLinux.
I tested it with Cloudflare (as described in the Wiki) and it works fine for me.

Michael

http://www.mksolutions.info
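The DNS challenge Lonnie describes in the quoted post (create a TXT record, let the CA check it, remove it again) worked through as an added example; this is not code from the thread or from acme.sh. The account key, token, domain and in-memory zone are constructed stand-ins for the real ACME account key and the DNS provider's API, but the record name and value computation follow RFC 8555 (DNS-01) and RFC 7638 (JWK thumbprint).

```python
import base64
import hashlib
import json

# Constructed account key (public JWK members only); the modulus is a
# placeholder string, not a real RSA key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": "constructed-placeholder-modulus-not-a-real-key"}
DOMAIN = "pbx.internal.example.com"                      # internal host, no inbound access
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed challenge token

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, serialised as
    compact JSON with keys in lexicographic order. Private members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def challenge_record_name(domain: str) -> str:
    """The TXT record the CA queries for a DNS-01 challenge."""
    return f"_acme-challenge.{domain}"

def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: base64url(SHA-256(token "." thumbprint)). The token alone is
    not enough; the value is bound to the account key that requested the order."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def validate_dns01(token: str, jwk: dict, published_txt: list) -> bool:
    """CA-side check: the expected value must appear among the published TXT
    records; unrelated TXT records at the same name are ignored."""
    return dns01_txt_value(token, jwk) in published_txt

def simulate_dns01(zone: dict, domain: str, token: str, jwk: dict) -> bool:
    """Full flow against an in-memory zone standing in for the DNS provider's
    API: create the record, let the CA validate, then remove it so the zone is
    left clean (as acme.sh does after issuance)."""
    name, value = challenge_record_name(domain), dns01_txt_value(token, jwk)
    zone.setdefault(name, []).append(value)
    ok = validate_dns01(token, jwk, zone[name])
    zone[name].remove(value)
    if not zone[name]:
        del zone[name]
    return ok

if __name__ == "__main__":
    print(challenge_record_name(DOMAIN), dns01_txt_value(TOKEN, ACCOUNT_JWK))
    print("validated:", simulate_dns01({}, DOMAIN, TOKEN, ACCOUNT_JWK))
```

Because the TXT value is derived from the account key thumbprint, a record left over from another ACME client or account does not validate, which is why the record is safe to create and remove per issuance.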

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users