[Triumf-linux-managers] FYI - certbot (was letsencrypt) for CentOS 7, 6
Andrew Daviel
advax at triumf.ca
Wed Nov 30 19:10:03 PST 2016
FYI
As Konstantin reported to DAQ users in August, the EFF project
"letsencrypt" is now available as RPM packages from EPEL.
This provides a way for people to get free SSL certificates chained to a
recognized certificate authority, meaning they won't cause security
pop-ups in a browser.
The LetsEncrypt project is now called "Certbot". The website is
https://certbot.eff.org/
The relevant packages for CentOS 7 are certbot and
python2-certbot-apache.
The application is intended to run unattended, as root, and be capable
of automatically renewing relatively short-lived certificates (a few
months), writing them into the browser configuration.
I have not personally tried automatic mode.
Certbot is not available as a package for earlier CentOS/SL releases.
However, it is available to download directly from
https://dl.eff.org/certbot-auto
That can be made to work on CentOS 6. Probably not 5. Certbot is written
in Python and requires certain other packages such as tix, tkinter,
openssl-devel. Currently, it works with Python 2.6 but will not in
future.
It is possible to run certbot in manual mode, and obtain certificates
for webservers other than the one where the script is run. E.g.
# /root/.local/share/letsencrypt/bin/certbot certonly --manual
To verify ownership of a (sub)domain, it is necessary to place a
text cookie on a webserver running on that domain, in a public URL such
as http://example.com/.well-known/acme-challenge/<random string>
The certbot authenticator then retrieves the cookie before issuing a
certificate, which the user can then place in the website configuration.
If there is no webserver running, certbot gives a recipe to run a simple
Python one. The certificate could be used for non-web protocols such as
LDAP, IMAP, SMTP etc.
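As an added illustration of the manual-mode step above (not code from the post or from certbot), this is a stand-in for the "simple Python webserver" certbot suggests when no webserver is running: it answers only the /.well-known/acme-challenge/<token> path from an in-memory table and returns 404 for everything else, so nothing else on the host is exposed while it is up. The token and key-authorization strings in CHALLENGES are constructed samples; the real values come from the certbot run.

```python
"""Stand-in for the "simple Python webserver" certbot suggests in manual
mode: answers only /.well-known/acme-challenge/<token> from an in-memory
table and returns 404 for everything else. Added example, not code from
the mailing-list post or from certbot."""
import http.server
import socketserver

ACME_PREFIX = "/.well-known/acme-challenge/"
PORT = 80  # the ACME HTTP-01 check connects to port 80 (binding needs root)

# Constructed sample values: token -> key authorization, in the shape that
# certbot --manual prints them (real values come from the certbot run).
CHALLENGES = {
    "sample-token-AbC123": "sample-token-AbC123.constructed-thumbprint",
}


def challenge_response(path, challenges=CHALLENGES):
    """Map a request path to (status, body).

    Bodies come only from the token table, never from the filesystem, so
    nothing else on the host becomes reachable while this server is up,
    and the token must match exactly (no prefix or '..' variants)."""
    if not path.startswith(ACME_PREFIX):
        return 404, b""
    body = challenges.get(path[len(ACME_PREFIX):])
    if body is None:
        return 404, b""
    return 200, body.encode("ascii")


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, data = challenge_response(self.path)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Run as root on the host the (sub)domain resolves to, then let
    # certbot --manual continue; stop the server once the certificate is issued.
    with socketserver.TCPServer(("", PORT), ChallengeHandler) as srv:
        srv.serve_forever()
```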
Certbot thus offers a viable alternative to the TRIUMF certificate
authority for regular (non-enhanced validation) SSL certificates. But
you get certificates for 90 days, not 3-5 years. You would probably need
to set up the automated renewal process.
Certificates from certbot (or any external CA) are unsuitable for
document signing, code signing, or email signing/encryption, since they
identify a webserver, not a person or company.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager