Easily generating TLS certificates for the rest of your stuff
In May of 2024, we rolled out automatic TLS for all member sites. Reaction to this has been extremely positive.
However, that’s not the only place where Let’s Encrypt and automatic certificates are useful.
Do you have any web servers running at home (or work) on a private network running behind your NAT?? How about a home automation server, a self-hosted cloud server, or a home surveillance system? Anything that is using HTTP instead of HTTPS because they’re not (and shouldn’t be!) visible from the Internet and therefore can’t get a certificate from Let’s Encrypt the usual way. Or maybe you have something, Internet connected or otherwise, that could be secured with TLS but doesn’t use HTTPS at all.
Let’s Encrypt (and the ACME protocol generally) have an option for this. There’s a type of challenge called dns-01 where you use custom DNS records to prove right to request a certificate instead of web-based verification. But it’s kind of a pain to use.
Coincidentally, NearlyFreeSpeech.NET offers an API that allows you to create custom DNS records if we’re providing your DNS service. It’s… also kind of a pain to use.
But we have software for working with the ACME protocol. And we have software for working with our API. So… let’s make some chocolate peanut butter cups here!
We have released easy-le-dns-01 as open source on GitHub. This tool makes it easy to generate certificates using Let’s Encrypt and our API.
How easy?
This easy:
YourPrompt$ php bin/easy-le-dns-01.php an.example.org
The Let's Encrypt Terms of Service can be found at:
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf
Do you agree to the Let's Encrypt Terms of Service [y/n]? y
Let's Encrypt requires a contact email address to send updates about
expiration and suchlike.
What email address should they use? lets-encrypt@example.org
Enter your NFSN Member Login: username
Enter your NFSN API Key: api-key-from-profile-panel
Save API Key to configuration file? y
All set!
YourPrompt$ ls -l data/an.example.org.pem
-rw-r--r-- 1 username group 3220 Sep 25 21:38 an.example.org.pem
The an.example.org.pem file contains the key, the certificate, and the needed chain certificates. It’s ready to be dropped into whatever you want to use it for. (Since the details of that vary by application, it is left as an exercise for the reader.)
And when it’s time to renew or get additional certificates, it’s even easier:
YourPrompt$ php bin/easy-le-dns-01.php another.example.org
All set!
YourPrompt$ ls -l data/another.example.org.pem
-rw-r--r-- 1 username group 3220 Sep 25 21:42 another.example.org.pem
Hard to get much easier than that!
You do still have to deploy the certificate to whatever device you’re planning to use it on. But the goal here is to make it easy to generate manually the first time and then trivial to automate for renewal.
It also supports the generation of wildcard certificates like, to pick an example completely at random, *.nfshost.com. That’s likely more important to us than it is to most people, but you never know!
This project is released under an MIT license and is free to use for any purpose. This code is new, and there may be some bugs, but it’s built on top of the code we’ve used to manage hundreds of thousands of certificates so it has a pretty decent foundation.
This probably isn’t going to be a huge deal for most people, but we use this functionality ourselves (at work and at home) and we’re hoping that having access to it will make life better for some of our members as well.
If there is demand, a future update may support requesting certificates that contain alternative names.
No Comments yet »
RSS feed for comments on this post. TrackBack URI
Leave a comment
Categories:
- Beta
(9)
- Humor (3)
- Miscellaneous (3)
- Network Status (23)
- News & Announcements (76)
- Policy Changes (12)
- Politics & Legal (9)
- Tips & Tricks (7)
- Uncategorized (1)
- Updates & Upgrades (62)
Archives:
- September 2025 (1)
- July 2025 (1)
- March 2025 (1)
- May 2024 (1)
- December 2023 (1)
- August 2023 (1)
- July 2023 (1)
- January 2022 (1)
- January 2021 (1)
- December 2019 (1)
- February 2018 (1)
- September 2017 (1)
- February 2016 (1)
- June 2015 (1)
- May 2015 (1)
- March 2015 (1)
- December 2014 (1)
- November 2014 (1)
- September 2014 (1)
- August 2014 (2)
- July 2014 (1)
- April 2014 (1)
- February 2014 (1)
- December 2013 (1)
- September 2013 (2)
- December 2012 (1)
- October 2012 (1)
- July 2012 (1)
- January 2012 (2)
- December 2011 (1)
- November 2011 (1)
- August 2011 (1)
- April 2011 (1)
- March 2011 (1)
- February 2011 (1)
- November 2010 (2)
- July 2010 (1)
- June 2010 (1)
- April 2010 (1)
- March 2010 (2)
- November 2009 (2)
- August 2009 (1)
- July 2009 (1)
- June 2009 (3)
- March 2009 (1)
- February 2009 (1)
- November 2008 (2)
- October 2008 (1)
- September 2008 (3)
- May 2008 (3)
- April 2008 (5)
- February 2008 (2)
- December 2007 (1)
- September 2007 (4)
- July 2007 (1)
- June 2007 (2)
- April 2007 (2)
- March 2007 (2)
- February 2007 (2)
- January 2007 (4)
- December 2006 (1)
- November 2006 (7)
Entries and comments feeds.
Valid XHTML and CSS.
Powered by WordPress. Hosted by NearlyFreeSpeech.NET.