From 6e869009e58224259df8845dec67910b19e0443e Mon Sep 17 00:00:00 2001
From: Andreas Baumann
Date: Thu, 1 Feb 2018 22:19:40 +0100
Subject: added HOWTO.LetsEncrypt
---
 static/howtos/HOWTO.LetsEncrypt | 116 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 116 insertions(+)
 create mode 100644 static/howtos/HOWTO.LetsEncrypt
diff --git a/static/howtos/HOWTO.LetsEncrypt b/static/howtos/HOWTO.LetsEncrypt
new file mode 100644
index 0000000..3d5c630
--- /dev/null
+++ b/static/howtos/HOWTO.LetsEncrypt
@@ -0,0 +1,116 @@
+1) The official packages in EPEL are broken (at least I was unable to install them).
+
+2) Guide on https://www.svennd.be/lets-encrypt-with-centos-6-7/
+
+https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-reg HTTP/1.1" 500 109
+Received response:
+HTTP 500
+Server: nginx
+Content-Type: application/problem+json
+Content-Length: 109
+Boulder-Request-Id: c77q1COmALMLIgG9WxjOUsXmj0UN9dt4oUWEe-S_Su0
+Replay-Nonce: x5MSSJadipC0jW_qyG7XN8wGBjeNn3eF5bbTe2ciwYM
+Expires: Wed, 09 Aug 2017 05:23:01 GMT
+Cache-Control: max-age=0, no-cache, no-store
+Pragma: no-cache
+Date: Wed, 09 Aug 2017 05:23:01 GMT
+Connection: close
+
+{
+ "type": "urn:acme:error:serverInternal",
+ "detail": "Error creating new registration",
+ "status": 500
+}
+Storing nonce: x5MSSJadipC0jW_qyG7XN8wGBjeNn3eF5bbTe2ciwYM
+Exiting abnormally:
+Traceback (most recent call last):
+ File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in
+ sys.exit(main())
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 753, in main
+ return config.func(config, plugins)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 598, in run
+ le_client = _init_le_client(config, authenticator, installer)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 390, in _init_le_client
+ acc, acme = _determine_account(config)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 375, in _determine_account
+ config, account_storage, tos_cb=_tos_cb)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/client.py", line 165, in register
+ regr = perform_registration(acme, config)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/client.py", line 195, in perform_registration
+ return acme.register(messages.NewRegistration.from_data(email=config.email))
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 97, in register
+ response = self.net.post(self.directory[new_reg], new_reg)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 682, in post
+ return self._post_once(*args, **kwargs)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 695, in _post_once
+ return self._check_response(response, content_type=content_type)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 582, in _check_response
+ raise messages.Error.from_json(jobj)
+Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Error creating new registration
+An unexpected error occurred:
+The server experienced an internal error :: Error creating new registration
+Please see the logfiles in /var/log/letsencrypt for more details.
+
+and installs half of Python bullshit onto machine!
+
+This is no way, compare to acme_client on OpenBSD.
+ +3) https://kristaps.bsd.lv/acme-client/ + +yum install openssl-devel libbsd-devel gnutls-devel +wget https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.6.0.tar.gz +#build libreesl to /usr/local/ +make +make install +# follow https://spin.atomicobject.com/2016/09/20/openbsd-acme-client-lets-encrypt/ +cat >/etc/ld.so.conf.d/local.conf < + Options None + AllowOverride None + Order Deny,Allow + Allow from All + Header add Content-Type text/plain + + +for every domain we want a certificate for (in the non-SSL-version of the virtual +host configuration): + +Alias /.well-known/acme-challenge/ /var/www/acme/ + + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/ + RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] + + +links +----- + +https://www.metachris.com/2015/12/comparison-of-10-acme-lets-encrypt-clients/ +https://medium.com/chris-opperwall/using-acme-client-for-letsencrypt-on-freebsd-db0ee643ef1f + -- cgit v1.2.3-54-g00ecf