Domain Validation (DV) certificates allow a host to prove that it is the legitimate host for a particular domain name. A common use case for DV certs: when a Web browser connects to the Web server for a particular domain name, the DV cert presented by the Web server gives the user confidence that they have reached the intended Web server, rather than an impostor server that has somehow hijacked the connection.
Traditionally, DV certs cost money and were rather bothersome to obtain. Let’s Encrypt is a recognized Certificate Authority that makes getting DV certificates easy: the process is free, and it provides software and APIs that automate it. In my opinion, projects like Let’s Encrypt are a necessary consequence of the move from IPv4 -> IPv6. IPv6 increases the bit length of IP addresses, making them more difficult to remember, while at the same time making it easier for individuals and small organizations to run many routable services on their own networks. So it is important that you can easily give a DNS name to a particular host and that, having done so, you can have confidence that you are connecting to the correct host when you are on another part of the Internet. You might conceivably want 20 or 30 DV certs just for your home network, not to mention the office!
There is Let’s Encrypt-compatible software for libreCMC, a package called acme. I haven’t actually tried it yet, though: it requires mbedtls, and I had stripped mbedtls from my builds in favor of openssl (a choice I might have to revisit). But I wanted a DV cert on my libreCMC gateway router. So I used the certbot program on my Debian desktop to create the cert and then put it on my router.
root@nightshade:~# certbot certonly --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):<snip email address>
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):maedhros.qlfiles.net
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for maedhros.qlfiles.net
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.maedhros.qlfiles.net with the following value:

5jFu_vngQTe4nHcKXExKUnxkQzKtdIOZGcasoC1JET4

Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to Continue
Then I logged into my domain registrar, and added a DNS TXT record as indicated. Then I pressed Enter.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/maedhros.qlfiles.net/fullchain.pem. Your cert will
   expire on 2018-07-06. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to <snip email address>.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Quite simple. Now the cert chain and the corresponding private key needed to be loaded onto my libreCMC gateway router. However, libreCMC uses the DER file format rather than the PEM format. So I needed to copy fullchain.pem and privkey.pem from the /etc/letsencrypt/live/maedhros.qlfiles.net directory and convert them:
christopher@nightshade:~/Scratch$ openssl rsa -in privkey.pem -outform DER -out uhttpd.key
writing RSA key
christopher@nightshade:~/Scratch$ openssl x509 -in fullchain.pem -outform DER -out uhttpd.crt
Then these files needed to be copied onto the router and placed in the /etc directory, replacing the default uhttpd.key and uhttpd.crt files (I had to adjust permissions as well to match).
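One thing worth checking before copying the converted files to the router: openssl x509 reads only the first certificate in a PEM file, so the uhttpd.crt produced above holds the leaf certificate alone, not the intermediate that fullchain.pem also carries. The following is an added example in Python (not code from the post or from certbot/libreCMC) that decodes every PEM block the way the DER conversion decodes the first one, reports how many certificates the conversion dropped, and computes the leaf's SHA-256 fingerprint so you can compare it with what the router actually serves afterwards. The sample fullchain is constructed from two minimal DER SEQUENCEs, not real certificates.

```python
import base64
import hashlib
import re

# One PEM block: captures the label ("CERTIFICATE", "PRIVATE KEY", ...) and its base64 body.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_to_der_blocks(pem_text):
    """Return [(label, der_bytes), ...] for every block in pem_text.
    'openssl ... -outform DER' decodes only the FIRST block; decoding all of them
    shows what that one-liner silently drops (e.g. the intermediate CA cert)."""
    blocks = []
    for label, body in _PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        # X.509 certificates and PKCS#1/PKCS#8 keys are all DER SEQUENCEs (tag 0x30).
        if not der or der[0] != 0x30:
            raise ValueError("%s block does not decode to a DER SEQUENCE" % label)
        blocks.append((label, der))
    return blocks


def leaf_der_and_chain_count(fullchain_pem):
    """Return (leaf_cert_der, number_of_certs). The leaf is what uhttpd.crt will hold;
    a count above 1 means 'openssl x509 -outform DER' left intermediates behind."""
    certs = [der for label, der in pem_to_der_blocks(fullchain_pem) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block in fullchain")
    return certs[0], len(certs)


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint of a DER cert, the form browsers and
    'openssl x509 -noout -fingerprint -sha256' show; compare it with what the
    router serves after the copy to confirm the intended certificate landed."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def wrap_pem(label, der):
    """Wrap constructed DER bytes in PEM armour (only used to build the sample input)."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der).decode(), label)


# Constructed stand-in for /etc/letsencrypt/live/<domain>/fullchain.pem: two minimal
# DER SEQUENCEs (not real certificates), leaf first, then the intermediate.
SAMPLE_LEAF_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_INTERMEDIATE_DER = b"\x30\x03\x02\x01\x06"
SAMPLE_FULLCHAIN_PEM = wrap_pem("CERTIFICATE", SAMPLE_LEAF_DER) + wrap_pem("CERTIFICATE", SAMPLE_INTERMEDIATE_DER)
```

Run leaf_der_and_chain_count on the real fullchain.pem to see the count, and sha256_fingerprint on the resulting uhttpd.crt bytes to get the value the browser's certificate viewer should show for the router.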
After rebooting the uhttpd server, I accessed the LuCI interface using my domain name, and this time I did not need a security exception!
The Let’s Encrypt certs are only valid for three months, so I’ll have to do that again later. But it was pretty easy. If I can get ACME running on my libreCMC router, in theory I should be able to completely automate the process.
Now that is cool!