Let's Encrypt Support

I’ve used https://acme.sh.
I would recommend against using acme-tiny as it does not resolve intermediate certificates, which are an integral part of the certificate configuration.

If you want to use Let’s Encrypt for the TurrisOS web interface (Foris and LuCI), you’ll probably hit an issue with the HTTP-01 validation: the requests for /.well-known/acme-challenge/ get routed into Foris, which sits at the web root, so the challenge cannot be fulfilled. (An easy check: drop a file under /www/.well-known/acme-challenge/ and fetch it over plain HTTP; if you get the Foris page back instead of the file, you are affected.)

This can be fixed by moving the Foris interface into a subdirectory, in the file /etc/config/foris:

config config 'server'
    option scriptname '/foris'

You can then add a simple redirect page at the web root to restore the old behaviour:

# cat /www/index.html 
<!DOCTYPE html>
<html>
 <head>
  <meta http-equiv="refresh" content="0;url=/foris/">
  <title>Turris Omnia</title>
 </head>
 <body>
  <a href="/foris">Foris</a>
 </body>
</html>

You will also need a script that concatenates the key and the certificate into the single bundle lighttpd reads, and then reloads the lighttpd web server after each issuance or renewal (don’t forget to make it executable):

# cat .acme.sh/lighttpd-reload.sh 
#!/bin/sh
DOMAIN="<your domain name>"
BASE="/root/.acme.sh/$DOMAIN/$DOMAIN"

# The bundle contains the private key: create it readable by root only,
# otherwise root's default umask leaves a world-readable copy of the key.
umask 077
# lighttpd's ssl.pemfile expects the key and the certificate in one file.
cat "${BASE}.key" "${BASE}.cer" > "${BASE}-bundle.pem"
/etc/init.d/lighttpd reload
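A hardened version of that reload hook, written for this page as an added example rather than taken from the original post or from acme.sh: it creates the bundle under umask 077 and renames it into place atomically, refuses to bundle a key that does not match the certificate, uses fullchain.cer so the served chain does not depend on how lighttpd treats ssl.ca-file, and test-loads the lighttpd config before reloading. The paths, the `reload` argument, the `DOMAIN` / `RELOAD_CMD` / `LIGHTTPD_CONF` variables and the `_ecc` directory handling are assumptions (current acme.sh stores ECC certificates under `<domain>_ecc`; older versions used the plain domain directory), as is a lighttpd new enough to accept `-tt`.

```shell
#!/bin/sh
# Hardened reload hook for acme.sh --reloadcmd (added example, not the
# original post's script). Assumptions: acme.sh home in /root/.acme.sh,
# the domain in $DOMAIN, and a lighttpd new enough to support "-tt".

ACME_HOME="${ACME_HOME:-/root/.acme.sh}"
DOMAIN="${DOMAIN:-example.com}"                 # placeholder: set your domain
LIGHTTPD_CONF="${LIGHTTPD_CONF:-/etc/lighttpd/lighttpd.conf}"
RELOAD_CMD="${RELOAD_CMD:-/etc/init.d/lighttpd reload}"

# Return 0 only if the private key in $1 and the first certificate in $2
# carry the same public key. Each openssl call must succeed on its own;
# otherwise two empty outputs would compare equal and a broken file would pass.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Write key + chain into the single PEM file lighttpd reads via ssl.pemfile.
# The file contains the private key, so it is created under umask 077 and
# renamed into place atomically: lighttpd never sees a half-written bundle
# and no world-readable copy of the key ever exists on disk.
build_bundle() {
    key="$1"; chain="$2"; out="$3"
    key_matches_cert "$key" "$chain" || {
        echo "refusing to bundle: $key does not match $chain" >&2
        return 1
    }
    tmp="$out.tmp.$$"
    ( umask 077 && cat "$key" "$chain" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv -f "$tmp" "$out"
}

main() {
    base="$ACME_HOME/$DOMAIN"
    # acme.sh keeps ECC certificates (--keylength ec-256) under <domain>_ecc
    # (assumption about the installed acme.sh version; adjust if yours differs).
    [ -d "${base}_ecc" ] && base="${base}_ecc"
    # fullchain.cer = leaf + intermediates, so the bundle is complete on its own
    # whether or not this lighttpd version reads intermediates from ssl.ca-file.
    build_bundle "$base/$DOMAIN.key" "$base/fullchain.cer" "$base/$DOMAIN-bundle.pem" || exit 1
    # Full config test (loads modules and certificates) before touching the
    # running server, so a bad bundle cannot take the web interface down.
    lighttpd -tt -f "$LIGHTTPD_CONF" || exit 1
    $RELOAD_CMD
}

# Invoked by acme.sh as: --reloadcmd "/root/.acme.sh/lighttpd-reload.sh reload"
if [ "${1:-}" = "reload" ]; then
    main
fi
```

The key/certificate comparison is cheap insurance against the one failure mode that a plain `cat` silently produces: a bundle whose key and certificate disagree, which lighttpd only reports when it next starts.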

I keep the TLS configuration of lighttpd in a separate file:

# cat /etc/lighttpd/ssl.inc 
    ssl.engine = "enable"
    ssl.pemfile = "/root/.acme.sh/<domain>/<domain>-bundle.pem"
    ssl.ca-file = "/root/.acme.sh/<domain>/ca.cer"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.cipher-list = "EDH+CAMELLIA:EDH+aECDSA:EECDH+aECDSA+AESGCM:EECDH+aECDSA+SHA384:EECDH+aECDSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
    ssl.honor-cipher-order = "enable"

Two notes on that cipher list: with the EC-256 key issued below, only the ECDHE-ECDSA suites can ever be negotiated, so the trailing static-RSA suites (CAMELLIA256-SHA, AES256-SHA, and so on) require an RSA certificate and are never used here; and the +SSLv3 token is an OpenSSL cipher-list sort directive for SSLv3-era suites, not a protocol switch, so it is ssl.use-sslv3 = "disable" above that actually turns the protocol off. The file is included from a drop-in in conf.d, once for the IPv4 and once for the IPv6 socket:

# cat /etc/lighttpd/conf.d/ssl-enable.conf
$SERVER["socket"] == "0.0.0.0:443" {
        include "ssl.inc"
}

$SERVER["socket"] == "[::]:443" {
        include "ssl.inc"
}

Then, the issuance of a certificate (webroot mode against /www, with the reload hook from above) should go like this:

# /root/.acme.sh/acme.sh --issue -w /www/ --reloadcmd /root/.acme.sh/lighttpd-reload.sh --keylength ec-256 -d <domain>