Let’s Encrypt – Certificates

Why is encryption important? Read https://spreadprivacy.com/what-does-https-do. It explains why sniffing on the line can only be mitigated by using encryption wherever possible.

Because of the IPv6 bug, I currently cannot use Let’s Encrypt to automatically renew the certificates on my servers. My network is behind an IPv6-only stack; IPv4 cannot be reached/routed from the outside without a tunnel provider.

https://github.com/certbot/certbot/issues/1466#issuecomment-299934637, https://github.com/certbot/certbot/issues/1466#issuecomment-288149887, replaced by https://github.com/certbot/certbot/pull/4773

My current workaround is to use the AAA records of my domain to store a key value generated by Let’s Encrypt to verify my domains. With this manual workaround I can at least generate a new certificate and/or renew an existing one. This workaround should not be required anymore since certbot 0.15.
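The DNS-based verification used in the workaround above, as an added example that is not from the original post: the script derives the value Let’s Encrypt expects to find in DNS for the dns-01 challenge (assumed here to be the challenge the workaround relies on) and checks a resolver’s answer against it before telling certbot to continue. The account key, token and domain are constructed placeholders.

```python
# Added example (not from the original post): derive and check the value an
# ACME dns-01 challenge expects in DNS, using only the standard library.
# Assumption: the "key value stored in DNS" workaround is the dns-01 challenge,
# which the CA looks up as a TXT record at _acme-challenge.<domain>.
# Key and token values below are constructed samples, not real Let's Encrypt data.
import base64
import hashlib
import json
from typing import Iterable

def b64url(data: bytes) -> str:
    """Base64url without padding (RFC 7515), as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def rsa_jwk_thumbprint(n: int, e: int) -> str:
    """RFC 7638 thumbprint of an RSA account key: SHA-256 over the canonical
    JSON of the public members (sorted keys, no whitespace), base64url-encoded."""
    def int_b64(v: int) -> str:
        return b64url(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    canonical = json.dumps({"e": int_b64(e), "kty": "RSA", "n": int_b64(n)},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token + "." + thumbprint))."""
    key_authorization = token + "." + thumbprint
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def dns01_record_name(domain: str) -> str:
    """Owner name the CA queries for the TXT record."""
    return "_acme-challenge." + domain

def dns01_record_matches(txt_answers: Iterable[str], token: str, thumbprint: str) -> bool:
    """Pre-flight check before telling certbot to continue: at least one TXT
    string in the resolver's answer must equal the expected value exactly
    (quotes as printed by dig are tolerated, stale values are not)."""
    expected = dns01_txt_value(token, thumbprint)
    return any(answer.strip('"') == expected for answer in txt_answers)

# Constructed sample account key and token (NOT a real key or token).
SAMPLE_N = int.from_bytes(b"constructed-sample-modulus-not-a-real-key" * 8, "big")
SAMPLE_E = 65537
SAMPLE_TOKEN = "constructed-token-Abc123"

if __name__ == "__main__":
    thumb = rsa_jwk_thumbprint(SAMPLE_N, SAMPLE_E)
    print(dns01_record_name("DOMAINNAME.com"), "TXT",
          dns01_txt_value(SAMPLE_TOKEN, thumb))
```

Feed the TXT strings returned by your resolver (for example the output of a dig query for the _acme-challenge name) to dns01_record_matches; only proceed with the manual certbot run once it returns True.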

Certbot

Installation:

sudo pacman -Sy certbot
sudo nano /etc/letsencrypt/cli.ini
    # This is an example of the kind of things you can do in a configuration file.
    # All flags used by the client can be configured here. Run Certbot with
    # "--help" to learn more about the available options.

    # Use a 4096 bit RSA key instead of 2048
    rsa-key-size = 4096

    # Register with the specified e-mail address. You will get automatic e-mail
    # notifications 20 and 10 days before the certificate expires.
    email = admin@DOMAINNAME.com

    # Generate certificates for the specified domains
    # (example: domains = example.com, www.example.com)
    domains = DOMAINNAME.com,www.DOMAINNAME.com,ipv4.DOMAINNAME.com,ipv6.DOMAINNAME.com

    # Uncomment to use a text interface instead of ncurses
    # text = True

    # Uncomment to use the standalone authenticator on port 443
    # authenticator = standalone
    # standalone-supported-challenges = tls-sni-01
    # Note: Let's Encrypt has since retired the tls-sni-01 challenge; newer
    # setups use http-01 or dns-01 here instead.
    preferred-challenges = tls-sni-01

    # Uncomment to use the webroot authenticator. Replace webroot-path with the
    # path to the public_html / webroot folder being served by your web server.
    # authenticator = webroot
    # webroot-path = /usr/share/nginx/html

    # Terms of Use. Accept the Let's Encrypt terms of use (default: False)
    # agree-tos = True

