Switching to letsencrypt: Experiences with the closed beta program

On 2015-11-04, I was very happy to find a Let's Encrypt closed beta invitation in my inbox - only to find out that you had to add in every subdomain separately, and I only registered my top-level domains and www. >.< It only took a week to get my subdomains whitelisted, too, though.


So then I could finally get all my certificates! Which is, in theory, as simple as downloading the Let's Encrypt script and executing:

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth

which generates your certificates in /etc/letsencrypt. You need to shortly disable your web server though, as the script binds to the http port for the domain verification.

Also, the script depends on python packages in versions from Debian Jessie. As my main server is still running Wheezy for reasons™, I had to upgrade many python related packages to Jessie for the script to work. Not very nice, I should really do the full upgrade to Jessie soon. Then, I was on to changing each and every config file of all the services to use the letsencrypt certificates instead of my old CAcert ones.

The next problem I ran into was that the certificates are only root-accessible by default, but prosody and mumble try to get user-level acces. I fixed that by changing the group of /etc/letsencrypt to ssl-certs, intended by Debian for that, and made it sticky so this hopefully will survive certificate renewals. Maybe the installer will do that by default in the future.

After a few days of testing, I activated nginx forwards to https:// for all sites hosted here, and enabled HSTS, because I'm quite sure now Let's Encrypt will work out for me. If you can read this, everything is still fine. ;)

The future?

I decided against HPKP, because I'm not sure what would be the right thing here as the certificates are only valid for 90 days, and I don't think one can get spare ones for the future currently. I'll wait until there's a recommended way of doing that with Let's Encrypt. Maybe the only thing that really makes sense is to pin it to the main and backup Let's Encrypt CAs and not my actual keys?

Also, DANE (combined with DNSSEC) would more or less eliminate the need for HPKP and also work for other protocolls than http. The problem here is similar, but not as hard: How to automatically update the keys of my DNS zone? This will probably be much easier when I host my own authoritative DNS server, or maybe Let's Encrypt will come up with a standard way to automate that, too. But in any case, I'll have wait for my DNS registrar to fully support DNSSEC - which will happen soon, hopefully.


Get your Let's Encrypt certificates today! \o/ (By which I mean, wait until the end of next week, when the public beta starts on 2015-12-03.) It's really simple if you don't still run Wheezy, it's much less hassle than having your own CA or copy&pasting certificate signing requests like with ”regular CAs“ as CAcert, and the certificates are accepted by each and every device in the world or so (and it also makes the GoogleBot happyeven more ;) ).

Remarks? Additions? Corrections? For anything you want to tell me about this blog post, feel free to send me an email.
Despite having no comments section (isn't that easy with a static site generator and without relying on a proprietary 3rd party service), I greatly appreciate direct feedback. ;) In case of additions, I'll mention the name from the mail if you don't object.