NetBSD-Users archive


Re: create keys and certificates for postfix/tls



Hello,

Please allow me to clarify many fallacies in your mail. For one, labelling this as a souped-up Python script is simply incorrect. One git clones this project, which is not very different from other OSS projects. Once set up, the script allows for some autodetection (Apache, for instance), but you (as a BSD user) can use the standalone option to generate an SSL cert -- which does work very well on FreeBSD. letsencrypt.sh is also now in ports on FreeBSD, although I recommend the git-cloned version.

- Your point 3 is incorrect. The checks can be DNS or HTTP (nginx), not just DNS. This is very similar to having an SSL cert these days (a CNAME to Comodo is one of the options to get a new SSL cert). Calling it special sauce is doing it a disservice, as you fail to describe how it actually works.
- You don't run the script ^every day^. You can sign for 30-90 days and automate the re-signing via cron. Pretty easy. The symlinked /etc/letsencrypt will allow you to keep the SSL cert locations for httpd, sendmail and imap in one easy-to-find location.
- The latest git clone even launches its own HTTP server to do a quick check to generate/sign the SSL cert.
- Major sponsors include Cisco, Mozilla, Chrome, Gandi.net and OVH, among others. It's quite interesting to see such big names support something that would impact the SSL market.

Let's Encrypt works well on FreeBSD stable. The latest git clone shows work to accommodate the *BSDs. I haven't tried it on NetBSD yet. I hope this clarifies some of the misunderstandings about this project.

Disclaimer: I am not part of the Let's Encrypt project.

--
L
________________________________________
From: netbsd-users-owner%NetBSD.org@localhost <netbsd-users-owner%NetBSD.org@localhost> on behalf of Swift Griggs <swiftgriggs%gmail.com@localhost>
Sent: Tuesday, March 1, 2016 10:43 AM
To: netbsd-users%netbsd.org@localhost
Subject: Re: create keys and certificates for postfix/tls

On Mon, 29 Feb 2016, Martin Husemann wrote:
> I am currently using free certificates from StartSSL.

Interesting that they even offer such a thing. I had to look them up.

> I looked at letsencrypt, but I couldn't make any sense of it - can
> somebody explain (from an admin point of view) how that is supposed to
> work?

It's a science project, for sure. I was playing with it recently under
FreeBSD. My impression of how it's supposed to work is this:

1. You install a Python script using git.

2. You run the script and it tries to autoconfigure for your system. It's
    a script, so of course, that's mostly going to fail. The script tries
    to detect things like your cert locations in your Apache config. It
    does claim to be able to manage raw certs.

3. The script in conjunction with back-end tools on their site checks
    your domain's TXT records for an x509 special record with some special
    sauce to auth your CSR or whatever.

> Of course I will NOT install arbitrary 3rd party server side software
> (where my server OS isn't even officially supported) to handle
> important things like certificate renewals when it is a very simple
> task to do just once a year.

Their intention is, I believe, for you to run this Python script every day
until the end of time and it'll handle cert updates automagically. They
don't issue certs for any longer than 90 days as far as I can tell. So,
I'm guessing you'll be doing a lot of updating and it'd definitely need to
work. They have a protocol for the crypto ops called ACME. So, I suppose
the Python script is the first (and only?) implementation of that.

> Given all the hype about it, I am sure I must be missing something. What
> is it?

My take is that it's a way to get a quick domain cert if you have control
over your domain's DNS. I don't like the script-approach since it threw
all kinds of warnings and errors, then failed to work under FreeBSD, I'm
guessing it'll fail even worse for NetBSD.

In short, Linux Foundation + overly ambitious python script = meh.

-Swift
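The two mails above disagree on what the domain check actually is: Swift's point 3 describes it as "some special sauce" in TXT records, and L's reply says it can be DNS or HTTP. The following is an added worked example, not code from the Let's Encrypt client, from letsencrypt.sh, or from either poster, showing both challenge types as RFC 8555 (section 8) specifies them, with the JWK thumbprint from RFC 7638. It uses only the Python standard library. The account JWK, the token and the hostnames are constructed placeholders (the JWK is not a real or usable key); the function names are this example's own.

```python
"""Added example: the ACME HTTP-01 and DNS-01 domain-control checks.

Not code from the Let's Encrypt client, letsencrypt.sh, or either poster.
Follows RFC 8555 section 8 and RFC 7638 (JWK thumbprint), stdlib only.
SAMPLE_ACCOUNT_JWK and SAMPLE_TOKEN are constructed placeholders.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import re

# Constructed sample data: a fake RSA account public key and a fake CA token.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "uXyHtG2cQ9aR7kLmP0sVbEwZn4dYpqT1oJfC8gAxMhKvN6i2jUe5RSDlBOt3WzQy",
    "kid": "https://acme.example/acme/acct/1",  # ignored by the thumbprint
}
SAMPLE_TOKEN = "tLb8UqMZK5nV2xQp0wYc9H7sJdR3fEo1a-_kA4mB6nI"

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME/JOSE use it (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def validate_token(token: str) -> bool:
    """A client writes the token into a filename under its webroot, so it
    must refuse anything that is not base64url before touching the disk."""
    return bool(TOKEN_RE.match(token))


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 section 3: only the required public members, sorted, no
    whitespace. Extra members such as "kid" are dropped."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(jwk: dict, token: str) -> str:
    """RFC 8555 section 8.1: token || "." || base64url(JWK_Thumbprint(key)).
    Binding the CA's random token to the account key is what stops another
    ACME account from reusing a response it finds published somewhere."""
    if not validate_token(token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_resource(jwk: dict, token: str) -> tuple[str, str]:
    """HTTP-01 (section 8.3): the CA fetches this path over plain HTTP on
    port 80 of the name being validated and expects this exact body. This
    is what a 'standalone' mode's temporary web server has to serve."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(jwk, token)


def dns01_record(jwk: dict, name: str, token: str) -> tuple[str, str]:
    """DNS-01 (section 8.4): TXT record at _acme-challenge.<name> holding
    base64url(SHA256(keyAuthorization)). A wildcard name drops its leading
    "*.", so "*.example.com" is validated at _acme-challenge.example.com."""
    base = name[2:] if name.startswith("*.") else name
    digest = hashlib.sha256(key_authorization(jwk, token).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


def ca_validates_http01(jwk: dict, token: str, fetched_body: str) -> bool:
    """CA-side check: trailing whitespace in the body is tolerated (the RFC
    says the server SHOULD ignore it); otherwise an exact, constant-time match."""
    expected = key_authorization(jwk, token)
    return hmac.compare_digest(expected, fetched_body.rstrip())


def ca_validates_dns01(jwk: dict, name: str, token: str, txt_values: list[str]) -> bool:
    """CA-side check: any one TXT value at the challenge name may match, so a
    wildcard and its base name, which share the record name, can be in
    flight at the same time."""
    _, expected = dns01_record(jwk, name, token)
    return any(hmac.compare_digest(expected, v.strip()) for v in txt_values)


if __name__ == "__main__":
    path, body = http01_resource(SAMPLE_ACCOUNT_JWK, SAMPLE_TOKEN)
    print("serve", path, "with body", body)
    rr, value = dns01_record(SAMPLE_ACCOUNT_JWK, "*.example.com", SAMPLE_TOKEN)
    print("publish", rr, "TXT", value)
```

The part the thread calls "special sauce" is just SHA-256 over the account key's canonical JSON: the CA already holds that public key from account registration, so whoever can publish the derived value at the HTTP path or the TXT name is taken to control the host or zone. Note that the token check matters on the client side, since a malicious or buggy CA response could otherwise steer the webroot file write outside the challenge directory.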