Easily generating TLS certificates for the rest of your stuff
In May of 2024, we rolled out automatic TLS for all member sites. Reaction to this has been extremely positive.
However, that’s not the only place where Let’s Encrypt and automatic certificates are useful.
Do you have any web servers running at home (or at work) on a private network behind your NAT? How about a home automation server, a self-hosted cloud server, or a home surveillance system? Things like that often use HTTP instead of HTTPS because they're not (and shouldn't be!) reachable from the Internet, so they can't get a certificate from Let's Encrypt the usual way, which requires the CA to connect to your server over HTTP. Or maybe you have something, Internet-connected or otherwise, that could be secured with TLS but doesn't use HTTPS at all.
Let's Encrypt (and the ACME protocol generally) has an option for this. There's a type of challenge called dns-01, where you prove control of a domain by publishing a specific DNS TXT record (at _acme-challenge.yourdomain) instead of serving a file over HTTP. Since the proof lives in DNS, the server being certified never has to be reachable from the Internet at all, and it's also the only way to get a wildcard certificate. But it's kind of a pain to use by hand: every issuance needs a fresh record, with a value computed from the challenge and your account key.
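To make the "pain" concrete, here is what an ACME client has to compute before it can ask a DNS API to publish that TXT record. This is an added example written for this post, not code from easy-le-dns-01 or from NearlyFreeSpeech.NET; it follows RFC 8555 section 8.4 (dns-01) and RFC 7638 (JWK thumbprints). The account key and token below are constructed placeholders, not real key material or a real challenge.

```python
"""dns-01 challenge arithmetic: JWK thumbprint, key authorization, TXT value.

Added example for this post (not easy-le-dns-01 code). The account JWK and
token are constructed placeholders, not a real key or a real ACME challenge.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint covers only these members, in lexicographic order.
# Extra members such as "kid" or "alg" are deliberately ignored.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    except KeyError as exc:
        raise ValueError(f"unsupported key type: {jwk.get('kty')!r}") from exc
    canonical = {m: jwk[m] for m in members}  # KeyError if a required member is missing
    # sort_keys plus no whitespace is exactly the canonical form the RFC specifies.
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(encoded).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the server's token, a dot, the account key thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (TXT record name, TXT record value) for a dns-01 challenge.

    The value is base64url(SHA-256(key authorization)). For a wildcard
    identifier the leading '*.' is dropped, so *.example.org and example.org
    are both validated at _acme-challenge.example.org.
    """
    host = identifier[2:] if identifier.startswith("*.") else identifier
    if not host or "*" in host:
        raise ValueError(f"bad identifier: {identifier!r}")
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{host}", b64url(digest)


# Constructed sample inputs (placeholders, not a real key or challenge).
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
    "kid": "demo-account-key",  # present in real JWKs, ignored by the thumbprint
}
SAMPLE_TOKEN = "tOkEn-FrOm-ThE-aCmE-sErVeR-PLACEHOLDER"

if __name__ == "__main__":
    name, value = dns01_record("*.nfshost.com", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    # This is the record the client must create via the DNS API, then wait
    # for it to propagate, before telling the CA to go ahead and validate.
    print(f'{name}. IN TXT "{value}"')
```

Two things worth noticing: the TXT value depends only on the token and the account key, not on the name, which is why a wildcard and its base domain validate at the same record; and because a new token arrives with every order, the record has to be created (and ideally removed) on every issuance, which is the part worth automating.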
Coincidentally, NearlyFreeSpeech.NET offers an API that allows you to create custom DNS records if we’re providing your DNS service. It’s… also kind of a pain to use.
But we have software for working with the ACME protocol. And we have software for working with our API. So… let’s make some chocolate peanut butter cups here!
We have released easy-le-dns-01 as open source on GitHub. This tool makes it easy to generate certificates using Let’s Encrypt and our API.
How easy?
This easy:
YourPrompt$ php bin/easy-le-dns-01.php an.example.org
The Let's Encrypt Terms of Service can be found at:
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf
Do you agree to the Let's Encrypt Terms of Service [y/n]? y
Let's Encrypt requires a contact email address to send updates about
expiration and suchlike.
What email address should they use? lets-encrypt@example.org
Enter your NFSN Member Login: username
Enter your NFSN API Key: api-key-from-profile-panel
Save API Key to configuration file? y
All set!
YourPrompt$ ls -l data/an.example.org.pem
-rw-r--r-- 1 username group 3220 Sep 25 21:38 an.example.org.pem
The an.example.org.pem file contains the private key, the certificate, and the needed chain certificates, all in one PEM file. It's ready to be dropped into whatever you want to use it for. (Since the details of that vary by application, it is left as an exercise for the reader.) Because the file includes the private key, treat it accordingly: the mode shown above is world-readable, so tighten the permissions on the file (or on the data directory) on any system where other users can log in.
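Many servers want the key, the leaf certificate and the chain as separate files rather than one bundle, and they should not all be world-readable. The following is an added example for this post, not part of easy-le-dns-01; it assumes only what the post states, that the bundle is a concatenation of standard PEM blocks (key, then the certificate, then the chain). The PEM bodies in the sample are constructed placeholders, not real key or certificate material.

```python
"""Split the single .pem bundle into key/cert/chain/fullchain files, with the
key written mode 0600.

Added example for this post, not easy-le-dns-01 code. SAMPLE_BUNDLE is a
constructed placeholder: its base64 bodies are not a real key or certificate.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# One PEM block; the backreference makes sure BEGIN and END labels match.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def split_bundle(pem_text: str) -> dict:
    """Return {'key': str, 'cert': str, 'chain': [str, ...]} from a bundle.

    Raises ValueError unless there is exactly one private key and at least one
    certificate, the shape the post describes for data/<name>.pem.
    """
    keys, certs = [], []
    for m in _PEM_BLOCK.finditer(pem_text):
        block, label = m.group(0) + "\n", m.group("label")
        if label in _KEY_LABELS:
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
        else:
            raise ValueError(f"unexpected PEM block: {label}")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        raise ValueError("no certificate in bundle")
    # First certificate is the leaf; anything after it is the chain.
    return {"key": keys[0], "cert": certs[0], "chain": certs[1:]}


def is_valid_bundle(pem_text: str) -> bool:
    """True if split_bundle() accepts the text, False otherwise."""
    try:
        split_bundle(pem_text)
        return True
    except ValueError:
        return False


def write_parts(parts: dict, out_dir: Path) -> dict:
    """Write key.pem (0600), cert.pem, chain.pem and fullchain.pem into out_dir."""
    out_dir.mkdir(parents=True, exist_ok=True)
    key_path = out_dir / "key.pem"
    # Create the key file with a restrictive mode from the start, then chmod in
    # case the file already existed (O_CREAT's mode only applies to new files).
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(parts["key"])
    os.chmod(key_path, 0o600)
    written = {"key": key_path}
    chain = "".join(parts["chain"])
    for name, content in (("cert", parts["cert"]), ("chain", chain),
                          ("fullchain", parts["cert"] + chain)):
        path = out_dir / f"{name}.pem"
        path.write_text(content)
        written[name] = path
    return written


def key_file_mode(parts: dict) -> int:
    """Round-trip through a temporary directory and return key.pem's permission bits."""
    with tempfile.TemporaryDirectory() as tmp:
        return stat.S_IMODE(write_parts(parts, Path(tmp))["key"].stat().st_mode)


# Constructed sample bundle (placeholder base64, not real key or certificate data).
SAMPLE_BUNDLE = """-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVIgS0VZIEJPRFksIE5PVCBBIFJFQUwgS0VZ
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgTEVBRiBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgSU5URVJNRURJQVRFIENFUlRJRklDQVRF
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    import sys
    # Usage: python split_pem.py data/an.example.org.pem /etc/ssl/an.example.org
    bundle = Path(sys.argv[1]).read_text()
    for kind, path in write_parts(split_bundle(bundle), Path(sys.argv[2])).items():
        print(f"{kind}: {path}")
```

Run it as part of whatever renewal script calls easy-le-dns-01, then point the server at cert.pem or fullchain.pem plus key.pem, whichever pairing it expects.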
And when it’s time to renew or get additional certificates, it’s even easier:
YourPrompt$ php bin/easy-le-dns-01.php another.example.org
All set!
YourPrompt$ ls -l data/another.example.org.pem
-rw-r--r-- 1 username group 3220 Sep 25 21:42 another.example.org.pem
Hard to get much easier than that!
You do still have to deploy the certificate to whatever device you’re planning to use it on. But the goal here is to make it easy to generate manually the first time and then trivial to automate for renewal.
It also supports the generation of wildcard certificates like, to pick an example completely at random, *.nfshost.com. That's likely more important to us than it is to most people, but you never know!
This project is released under an MIT license and is free to use for any purpose. This code is new, and there may be some bugs, but it’s built on top of the code we’ve used to manage hundreds of thousands of certificates so it has a pretty decent foundation.
This probably isn’t going to be a huge deal for most people, but we use this functionality ourselves (at work and at home) and we’re hoping that having access to it will make life better for some of our members as well.
If there is demand, a future update may support requesting a single certificate that covers several names (subject alternative names).