Let's Encrypt Updates

Posted by: mstauber Category: General

A recent Let's Encrypt update forced us to overhaul the Let's Encrypt integration of BlueOnyx and Aventurin{e}.

A recent security issue in Let's Encrypt's API has led them to disable the TLS-SNI-01 API for SSL certificate validations. Which used to be a default before. They also released a new CertBot client update to cope with that.

However, that update also disabled support for Python 2.7. Which meant that CertBot would no longer run on EL6 platforms such as our older BlueOnyx 5207R, 5208R and the older Aventurin{e} 6108R.

As we were never really happy with the Python monstrosity of CertBot we replaced it outright with ACME.sh from Neil Pang. ACME is a shell-script without exotic dependencies and offers more reliability and provides fewer headaches than CertBot. So we're certain that this will be a good match for our base-ssl module in both BlueOnyx and Aventurin{e}.

Transitioning from CertBot to having ACME maintain the Let's Encrypt SSL certificates requires some wiggling. The old cronjob that used to do the renewals now still runs. But it hands the LE certs over to ACME by letting ACME do a forced renewal.

This means that during the first night after this update gets installed the Cronjob will try to renew all LE SSL certs one by one via ACME. If it doesn't succeed with some, then it'll try again the next night and so forth until all LE Certs have at least once been renewed via ACME.

You can still run /usr/sausalito/sbin/letsencrypt_autorenew.pl manually to see the expiry dates of all Let's Encrypt certificates and to trigger a certificate renewal if you wish.

However: The automatic renewals of certificates close to their expiry should now work with a greater reliability.

Updated base-ssl-* RPMs are now available via YUM for the following platforms:

Jan 23, 2019 Category: General Posted by: mstauber
Previous page: Development Next page: Mailing List