Hi all,
I published a blog[1] about the new Let's Encrypt free CA and how it will benefit Free RTC
Has anybody else tried the certificates with any servers for SIP, XMPP or other RTC services?
Has anybody looked at integrating certbot[3] or any of the other tools for automatic certificate renewal?
Regards,
Daniel
1. https://danielpocock.com/lets-encrypt-torpedoes-cost-free-rtc
2. https://letsencrypt.org/
3. https://certbot.eff.org/
Hi Daniel,
On Tue, Jul 12, 2016 at 03:28:43PM +0200, Daniel Pocock wrote:
Has anybody else tried the certificates with any servers for SIP, XMPP or other RTC services?
Yes, I'm currently using acmetool[1] to fetch LE certificates that are used for Mail and XMPP. Acmetool can execute hook scripts after renewal so it's easy to trigger a reload of prosody/postfix/kamailio etc.
It's very easy to do if the server using a certificate has an A record for the certificate's domain.
So if xmpp.example.com serves XMPP for example.com w/ correct SRV records but the A record for example.com goes elsewhere you need to fetch the certificate on the example.com webserver and not on the XMPP server. It would be nice if LE would support some form of validation that takes the SRV records into account. Maybe stateless mode[2] helps here but I guess that would collide if the webserver uses a different LE account for its own certificates. Haven't tried that though.
Has anybody looked at integrating certbot[3] or any of the other tools for automatic certificate renewal?
In my experience certbot (the former official LE client) is a huge mess of Python code and a large number of dependencies that is difficult to install and maintain. Also I didn't need/want a LE client to modify my web server configuration, so that's a huge source of complexity in certbot that I didn't need. Otherwise it worked flawlessly for me, although the last version I tried didn't have automatic renewal functionality, I guess that's included now.
So I'm a happy user of acmetool[1] because it's simple to deploy, has extendable renewal functionality out of the box and is very well documented.
Regards, Markus
1. https://github.com/hlandau/acme
2. https://hlandau.github.io/acme/userguide#web-server-configuration-challenges
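A worked illustration of the hook-script approach Markus describes, added here for the thread; it is not his code and not part of acmetool. It assumes acmetool's hook convention as I understand it (hooks are executed with the argument `live-updated` once the `live` symlinks have been rewritten, and the renewed hostnames arrive on stdin, one per line; confirm this against the user guide for your version), the hostnames xmpp.example.com, sip.example.com and mail.example.com with the service mapping shown, and a host where systemd, prosodyctl and kamcmd are present. The point it adds to the paragraph above is that the hook should reload only the daemons that actually serve the renewed names, and prefer each daemon's certificate-reload path over a restart.

```shell
#!/bin/sh
# Example acmetool "live-updated" hook (added illustration, not from the
# thread or from acmetool). Assumed interface: $1 is the event name and the
# renewed hostnames are read from stdin, one per line.
set -eu

EVENT="${1:-}"
# Generic reload command; override (e.g. RELOAD=echo) to dry-run the dispatch.
RELOAD="${RELOAD:-systemctl reload}"

# Which daemons serve which certificate. Hostnames and mapping are made up.
services_for_host() {
    case "$1" in
        xmpp.example.com) echo "prosody" ;;
        sip.example.com)  echo "kamailio" ;;
        mail.example.com) echo "postfix dovecot" ;;
        *)                echo "" ;;        # unknown name: nothing to reload
    esac
}

# Read renewed hostnames from stdin and print the set of daemons to reload,
# deduplicated, in first-seen order, space separated.
plan_reloads() {
    plan=""
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        for svc in $(services_for_host "$host"); do
            case " $plan " in
                *" $svc "*) ;;              # already planned
                *) plan="$plan $svc" ;;
            esac
        done
    done
    echo "${plan# }"
}

# Reload one daemon. Use the certificate-reload path where one exists so
# established sessions survive; fall back to the service manager otherwise.
reload_service() {
    case "$1" in
        kamailio) kamcmd tls.reload ;;      # tls module re-reads its certificates
        prosody)  prosodyctl reload ;;      # re-reads config and certificates
        *)        $RELOAD "$1" ;;           # e.g. systemctl reload postfix
    esac
}

if [ "$EVENT" = "live-updated" ]; then
    for svc in $(plan_reloads); do
        reload_service "$svc" || echo "reload of $svc failed" >&2
    done
fi
```

Dry run before installing it as a hook: `printf 'xmpp.example.com\nmail.example.com\n' | RELOAD=echo sh live-updated.sh live-updated` prints the reload commands instead of executing them. Install location (assumption: acmetool's hooks directory, e.g. /etc/acme/hooks) and execute bit are per the acmetool user guide.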
On 12 Jul 2016, at 15:52, Markus Lindenberg markus@lindenberg.io wrote:
On Tue, Jul 12, 2016 at 03:28:43PM +0200, Daniel Pocock wrote:
Has anybody else tried the certificates with any servers for SIP, XMPP or other RTC services?
Yes, I'm currently using acmetool[1] to fetch LE certificates that are used for Mail and XMPP. Acmetool can execute hook scripts after renewal so it's easy to trigger a reload of prosody/postfix/kamailio etc.
Great to know. Thank you for that hint!
/O
Quoting Daniel Pocock daniel@pocock.pro:
Has anybody else tried the certificates with any servers for SIP, XMPP or other RTC services?
In my company we are using Prosody (XMPP) with LE certs on Debian 8 plus backports. Not automated yet. No problems to report.
On 12 Jul 2016, at 15:28, Daniel Pocock daniel@pocock.pro wrote:
Hi all,
I published a blog[1] about the new Let's Encrypt free CA and how it will benefit Free RTC
Has anybody else tried the certificates with any servers for SIP, XMPP or other RTC services?
I have used it with SIP servers and ejabberd for XMPP. No problems. I would love being able to get certs following the SIP server certificate standard though, or certs with multiple subj alt names.
Has anybody looked at integrating certbot[3] or any of the other tools for automatic certificate renewal?
You don’t really want to integrate certbot, you want to integrate the ACME protocol.
The first level to check is to see if your server application can reload/restart TLS and get new certificates on the fly, without service disruption. As far as I checked both Asterisk and Kamailio can do that, which is a requirement if you need to exchange certificates every third month.
/O
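Olle's first check is whether the daemon can pick up a new certificate without disruption; the complementary check, once a reload has run, is whether it actually did. The script below is an added example for this thread (not from the thread, Asterisk, Kamailio or acmetool): it compares the SHA-256 fingerprint of the renewed certificate file with the one the running service presents, doing a STARTTLS handshake for XMPP and a direct TLS handshake for SIP over TLS. Assumptions: OpenSSL 1.1.0 or later (for `-starttls xmpp -xmpphost`), acmetool's default state directory /var/lib/acme with live/<hostname>/cert, and the hostnames and ports shown. Note the XMPP check sends example.com as the XMPP domain, which is the name the certificate has to carry (Markus's point about SRV records above).

```shell
#!/bin/sh
# Post-reload check (added example, not project code): does the service serve
# the certificate that was just renewed?
set -eu

# SHA-256 fingerprint of a PEM certificate file, colon-separated hex.
cert_fingerprint_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate a live service presents.
# $3 selects the handshake: "xmpp" (STARTTLS, $4 is the XMPP domain) or
# anything else for direct TLS ($4 is the SNI name). Empty output on failure.
served_fingerprint() {
    host="$1"; port="$2"; proto="$3"; sni="$4"
    case "$proto" in
        xmpp) opts="-starttls xmpp -xmpphost $sni" ;;
        *)    opts="" ;;
    esac
    # $opts is intentionally unquoted so it splits into separate arguments.
    openssl s_client -connect "$host:$port" -servername "$sni" $opts </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Case-insensitive comparison; an empty fingerprint never matches, so an
# unreachable service or a failed handshake is reported as a mismatch.
fingerprints_match() {
    a=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_service LABEL HOST PORT PROTO SNI CERTFILE
check_service() {
    label="$1"; host="$2"; port="$3"; proto="$4"; sni="$5"; certfile="$6"
    want=$(cert_fingerprint_file "$certfile")
    got=$(served_fingerprint "$host" "$port" "$proto" "$sni" || true)
    if fingerprints_match "$want" "$got"; then
        echo "ok: $label serves the renewed certificate ($want)"
    else
        echo "MISMATCH: $label serves '${got:-nothing}', expected $want" >&2
        return 1
    fi
}

if [ "${1:-}" = "run" ]; then
    LIVE=/var/lib/acme/live     # acmetool's default state directory (assumption)
    status=0
    # XMPP c2s: STARTTLS on 5222, certificate must be valid for example.com.
    check_service "XMPP c2s" xmpp.example.com 5222 xmpp example.com \
        "$LIVE/xmpp.example.com/cert" || status=1
    # SIP over TLS: direct TLS on 5061.
    check_service "SIP TLS" sip.example.com 5061 tls sip.example.com \
        "$LIVE/sip.example.com/cert" || status=1
    exit $status
fi
```

Run it as the last step of the renewal hook (`sh check-served-cert.sh run`), or from cron a few minutes after acmetool's timer, so a daemon that silently kept the old certificate after a reload is noticed well before the old one expires.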
Free-RTC mailing list Free-RTC@lists.fsfe.org https://lists.fsfe.org/mailman/listinfo/free-rtc