I'm a big fan of Let's Encrypt (free, widely trusted SSL certificates) but not a big fan of most of the client software available for requesting and renewing certificates. Unlike a typical certificate authority, Let's Encrypt doesn't have a web UI for requesting or renewing certs; everything is driven by an automated exchange (the ACME protocol) between a Let's Encrypt client running on your server and the Let's Encrypt web service.
Since the protocol that Let's Encrypt uses is standards-based, there are many open source clients available. Being security conscious, I have a few concerns with most of them:
- Complexity. Many of the clients are hundreds of lines long and unnecessarily complicated. That makes the code hard to audit, and since this code handles my private key material, I do want to audit it.
- Elevated privilege. At least one of the clients I saw required root. That's a non-starter: a program that talks to the internet and touches key material should run as an unprivileged user.
I can't remember how, but I discovered a very clean, very simple client called acme-tiny at github.com/diafygi/acme-tiny. This script was obviously written by someone who shares the same concerns as I do and I highly recommend it to others.
I used acme-tiny to request my initial certificates, and it worked very well for that, but I didn't quite like how renewals worked. Since acme-tiny works on a single CSR at a time (one certificate per run), I would have had to create multiple crontab entries to cover all of my domains. I also didn't want to manage the list of domains that need renewal in a crontab.
In keeping with my security concerns, I wrote a simple, non-privileged shell script which wraps acme-tiny and makes renewals simple and automatic: it reads the list of domains from a file, runs acme-tiny for each one, checks that the result is a valid certificate and only then installs it into the bundle file. The script as well as detailed instructions are here: github.com/knightjoel/acme-tiny-cron-renew.
An example of the script run (note that the bundle file already exists, is owned by root, and is group-writable by the unprivileged le user, which is how the script can update it without any elevated privilege):

le@server% cat /etc/ssl/lets_encrypt_domains.txt
packetmischief.ca
le@server% ls -l /etc/ssl/packetmischief.ca.bundle.crt
-rw-rw-r--  1 root  le  0 Mar  8 08:51 /etc/ssl/packetmischief.ca.bundle.crt
le@server% ./le_renew_certs.sh
+++ Renewing packetmischief.ca
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying packetmischief.ca...
packetmischief.ca verified!
Verifying www.packetmischief.ca...
www.packetmischief.ca verified!
Signing certificate...
Certificate signed!
+++ Installing certificate for packetmischief.ca
Checking validity...
Valid certificate file.
Installed updated certificate bundle as /etc/ssl/packetmischief.ca.bundle.crt
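To make the shape of such a wrapper concrete, here is an added example of an unprivileged renewal loop written for this page. It is not the author's le_renew_certs.sh and not acme-tiny's own code; it only calls acme-tiny's documented command line (--account-key, --csr, --acme-dir). The directory layout (LE_HOME, SSL_DIR, CHALLENGE_DIR), the optional CHAIN_FILE, and the ACME_CMD hook are assumptions of this example. The security-relevant parts are that acme-tiny's output goes to a scratch file, the scratch file is rejected unless it is a parsable, unexpired certificate, and the verified bundle is written into the existing group-writable file rather than renamed over it, so the script never needs write access to /etc/ssl itself.

```shell
#!/bin/sh
# Added example (not the author's le_renew_certs.sh, not acme-tiny's code).
# Paths, CHAIN_FILE and the ACME_CMD hook are assumptions of this example.
# Run as the unprivileged "le" user, e.g. from cron:  ./renew.sh renew

LE_HOME="${LE_HOME:-/home/le/acme}"          # account.key and <domain>/<domain>.csr
SSL_DIR="${SSL_DIR:-/etc/ssl}"               # <domain>.bundle.crt, root-owned, group-writable by le
DOMAINS_FILE="${DOMAINS_FILE:-$SSL_DIR/lets_encrypt_domains.txt}"
CHALLENGE_DIR="${CHALLENGE_DIR:-/var/www/challenges}"  # served at /.well-known/acme-challenge/
CHAIN_FILE="${CHAIN_FILE:-}"                 # optional intermediate cert to append to the bundle
ACME_CMD="${ACME_CMD:-python acme_tiny.py}"  # overridable so a test can stub the network client

# check_cert FILE: refuse anything that is not a parsable, unexpired certificate,
# so a zero-byte file or an HTML error page from a failed run never replaces the
# live bundle. Structural checks first, then openssl if it is installed.
check_cert() {
    f="$1"
    [ -s "$f" ] || { echo "check: $f is empty or missing" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "check: $f contains no PEM certificate" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        # -checkend 0 exits non-zero if the first certificate is already expired
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 \
            || { echo "check: openssl rejected $f" >&2; return 1; }
    fi
    echo "Valid certificate file."
    return 0
}

# install_cert SRC DEST: write the verified bundle into the existing DEST in
# place. Writing into the file (instead of mv over it) is what lets an
# unprivileged user update a root-owned, group-writable file in a directory
# it cannot write to. The web server only re-reads the file on reload.
install_cert() {
    src="$1"; dest="$2"
    if [ -e "$dest" ] && [ ! -w "$dest" ]; then
        echo "install: $dest is not writable by $(id -un)" >&2; return 1
    fi
    cat "$src" > "$dest" || return 1
    echo "Installed updated certificate bundle as $dest"
}

# renew_domain DOMAIN: one acme-tiny run into a scratch file, which is only
# promoted to the bundle after check_cert accepts it.
renew_domain() {
    dom="$1"
    work="$LE_HOME/$dom"
    new="$work/signed.crt.new"
    echo "+++ Renewing $dom"
    # word-splitting of $ACME_CMD is intentional ("python acme_tiny.py")
    $ACME_CMD --account-key "$LE_HOME/account.key" --csr "$work/$dom.csr" \
              --acme-dir "$CHALLENGE_DIR" > "$new" \
        || { echo "acme client failed for $dom" >&2; rm -f "$new"; return 1; }
    if [ -n "$CHAIN_FILE" ]; then cat "$CHAIN_FILE" >> "$new"; fi
    echo "+++ Installing certificate for $dom"
    echo "Checking validity..."
    check_cert "$new" || { rm -f "$new"; return 1; }
    mv "$new" "$work/signed.crt"
    install_cert "$work/signed.crt" "$SSL_DIR/$dom.bundle.crt"
}

# renew_all: one domain per line in DOMAINS_FILE; blank lines and '#' comments
# are skipped. A failure for one domain does not stop the others, but the
# overall exit status is non-zero so cron reports it.
renew_all() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        renew_domain "$line" || rc=1
    done < "$DOMAINS_FILE"
    return "$rc"
}

case "${1:-}" in
    renew) renew_all ;;
esac
```

The domains file is the only thing that has to change when a site is added: drop a CSR under LE_HOME/<domain>/ and append the domain to the list. Because acme-tiny's output is validated before it touches the bundle, a transient failure (network error, challenge not served) leaves the previous certificate in place and the cron job's non-zero exit is the signal to look at the log.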