Let's Encrypt Support

Is there a good place where people can start contributing patches? I’m sure there are a number of people, like myself, that would be interested in helping with features.


This would be great.

there is already an acme-client in openWrt-packages: https://github.com/openwrt/packages/tree/master/net/acme

As Let’s Encrypt requires control of the domain without any prefix, this may get a bit hard for the average user. Subdomains like those used for dynamic DNS services are not able to validate. And your server hosting your domain probably already has support using letsencrypt.sh or certbot or some other ACME client.

Edit: letsencrypt allows for subdomains in the public suffix list which includes at least no-ip.

Is there any beginners guide how to install it on Turris Omnia? I am stuck on adding https://github.com/openwrt/packages to packages repository to Omnia.

I used https://github.com/diafygi/acme-tiny - it’s a small python script without any dependencies. I’m running the nginx server in lxc (alpine) in dmz and I didn’t want to install python there. So I generated and saved the cert directly into the lxc path from omnia. On the url there are pretty detailed instructions.

Of course you need to enable port 80 and set up port forwarding if you want to run it from lxc like I do.

I’ve used the https://acme.sh
I would recommend against using acme-tiny as it does not resolve intermediate certificates, which are an integral part of certificate configuration.

If you want to use Let’s Encrypt for the TurrisOS web interface (Foris and LuCI), you’ll probably hit an issue of not being able to fulfil authentication challenges, which would be routed into the Foris.

This can be fixed by moving the foris interface into a subdirectory – in file /etc/config/foris

config config 'server'
    option scriptname '/foris'

You can then add a simple redirection to the webroot, to restore old behaviour:

# cat /www/index.html 
<!DOCTYPE html>
<html>
 <head>
  <meta http-equiv="refresh" content="0;url=/foris/">
  <title>Turris Omnia</title>
 </head>
 <body>
  <a href="/foris">Foris</a>
 </body>
</html>

You will also need a script to reload the lighttpd webserver after issuance of a certificate (don’t forget to make it executable):

# cat .acme.sh/lighttpd-reload.sh 
#!/bin/sh
DOMAIN="<your domain name>"
BASE="/root/.acme.sh/$DOMAIN/$DOMAIN"

# lighttpd expects key and certificate in one PEM file
cat ${BASE}.key ${BASE}.cer > ${BASE}-bundle.pem
/etc/init.d/lighttpd reload

I keep the TLS configuration of Lighttpd in separate file:

# cat /etc/lighttpd/ssl.inc 
    ssl.engine = "enable"
    ssl.pemfile = "/root/.acme.sh/<domain>/<domain>-bundle.pem"
    ssl.ca-file = "/root/.acme.sh/<domain>/ca.cer"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.cipher-list = "EDH+CAMELLIA:EDH+aECDSA:EECDH+aECDSA+AESGCM:EECDH+aECDSA+SHA384:EECDH+aECDSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
    ssl.honor-cipher-order = "enable"

…which is included from the main config file…

# cat /etc/lighttpd/conf.d/ssl-enable.conf
$SERVER["socket"] == "0.0.0.0:443" {
        include "ssl.inc"
}

$SERVER["socket"] == "[::]:443" {
        include "ssl.inc"
}

Then, the issuance of a certificate should go like this:

# /root/.acme.sh/acme.sh --issue -w /www/ --reloadcmd  /root/.acme.sh/lighttpd-reload.sh --keylength ec-256 -d <domain>

I seem not to be able to issue certificates by dns verification, I get:

[Wed Nov 30 20:44:46 CET 2016] Register account Error: {"type":"urn:acme:error:malformed","detail":"Parse error reading JWS","status": 400}
[Wed Nov 30 20:44:46 CET 2016] Please check log file for more details: /root/.acme.sh/acme.sh.log

Can anybody verify this?

I can confirm your issue with current version 2.6.5 of acme.sh. With version 2.5.3, which I am still using, it works normally. So there is probably some regression in acme.sh.

EDIT: This is the commit that is breaking it. Unfortunately it’s a mega commit changing everything everywhere :frowning:

Seems that it is fixed in the git HEAD, so I am sticking with it for now.

Hey - it’s been 20 months since your reply.
How far have you proceeded on this topic?

Note: Martin is no longer on the Turris team. (I don’t know their plans on this.)


@vcunat: Thanks.

@Ondrej_Caletka: What are your further plans on that topic? I think this would be a prestigious milestone to have for Turris Omnia. It’s already built into several systems to just enter the domain (e.g. Synology, QNAP) in order to get the certificate issued - if Turris Omnia were capable of automatically opening/closing the necessary ports (being a router, that’s easier to implement - other systems can’t do that atm) only when required, that would be brilliant!

I’m confident that Ondřej Caletka has never been in the official team, though anyone can implement stuff and send a merge request :slight_smile: /cc @Vaclav; he might know or find out the current plans.


Hello @ssdnvv,

I have been using Let’s Encrypt on my Turris router for more than a year, which is long enough to completely forget about any issues that were on the way. I use acme.sh. The most painful blocker was the Foris interface occupying the whole webroot, but this problem is now gone with some update that happened a few months ago. So now I think it should be quite straightforward.

If you have any concrete issue, feel free to ask. Packaging it into a simple package would be a nice feature, however, we have to somehow tell the ACME client which hostname we want certificates for (by some UCI variable maybe).


@Ondrej_Caletka … could you put an article about it in the community documentation?
It would be great and useful for other users and members of the Turris community (in Czech too).
Thank you in advance :slight_smile:


@Ondrej_Caletka: I can only repeat the request by @Nones - would you kindly put up a how-to article?


Try this one:
https://forum.turris.cz/t/lets-encrypt-how-to/4110


I took some inspiration from the various documentation and posts hanging around and put it all together as part of this repo: https://github.com/davidjb/turris-omnia-tls. This setup aims to simplify the configuration, improve TLS security, and use the Acme.sh client’s hooks as much as possible. Suggestions/pull requests are welcome.


Please continue discussion here: