First Let’s Encrypt Certificate

Domain Validation (DV) certificates allow a host to prove that it is the correct host for a particular domain name. A common use case of DV certs is if a Web browser tries to connect to the Web server for a particular domain name, then the DV cert provided by the Web server gives the user confidence that he has accessed the desired Web server, rather than an impostor server than has somehow hijacked the connection.

Traditionally, DV certs cost money and were rather bothersome to obtain. Let’s Encrypt is a recognized Certificate Authority, which makes getting DV certificates easy, by making the process free, and by providing software and APIs which automate the process. In my opinion, projects like Let’s Encrypt are a necessary consequence of the move from IPv4 -> IPv6. IPv6 increases the bit length of IP addresses, making them more difficult to remember, while at the same time making it easier for individuals and small organizations to run many routable services on their own networks. So, it is important that you can easily give a DNS name to a particular host and that, having done so, you can have confidence that you are connecting to the correct host when you are on another part of the Internet. You might conceivably want 20 or 30 DV certs just for your home network, not to mention the office!

There is Let’s Encrypt compatible software for libreCMC, a package called acme. I haven’t actually tried it yet, though: it requires mbedtls, and I had stripped mbedtls from my builds in favor of openssl (a choice I might have to revisit). But I wanted a DV cert on my libreCMC gateway router. So, I used the certbot program from my Debian desktop to create the cert and then put it on my router.

root@nightshade:~# certbot certonly --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):<snip email address>

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):maedhros.qlfiles.net
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for maedhros.qlfiles.net

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.maedhros.qlfiles.net with the following value:

5jFu_vngQTe4nHcKXExKUnxkQzKtdIOZGcasoC1JET4

Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to Continue

Then I logged into my domain registrar, and added a DNS TXT record as indicated. Then I pressed Enter.

Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
 /etc/letsencrypt/live/maedhros.qlfiles.net/fullchain.pem. Your cert
 will expire on 2018-07-06. To obtain a new or tweaked version of
 this certificate in the future, simply run certbot again. To
 non-interactively renew *all* of your certificates, run "certbot
 renew"
 - If you lose your account credentials, you can recover through
 e-mails sent to <snip email address>.
 - Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 Donating to EFF: https://eff.org/donate-le

Quite simple. Now, the cert chain and the corresponding private key needed to be loaded onto my libreCMC gateway router. However, libreCMC uses the DER file format, rather than the PEM format. So I needed to copy the files from fullchain.pem and privkey.pem from the /etc/letsencrypt/live/maedhros.qlfiles.net directory, and convert them:

christopher@nightshade:~/Scratch$ openssl rsa -in privkey.pem -outform DER -out uhttpd.key 
writing RSA key
christopher@nightshade:~/Scratch$ openssl x509 -in fullchain.pem -outform DER -out uhttpd.crt

Then, these files needed to be copied onto the router, and placed in the /etc directly, replacing the default uhttpd.key and uhttpd.crt files (I had to adjust permissions as well to match).

After rebooting the uhttpd server, I accessed the LuCi interface using my domain name, and this time I did not need a security exception!

Screenshot from 2018-04-06 18-04-18

Screenshot from 2018-04-06 18-04-34

Screenshot from 2018-04-06 18-04-53

The Let’s Encrypt certs are only valid for three months, so I’ll have to do that again later. But it was pretty easy. If I can get ACME running on my libreCMC router, in theory I should be able to completely automate the process.

1 thought on “First Let’s Encrypt Certificate”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s