Abyss and Let's Encrypt (a new Certificate Authority)

 
DavidQ
Joined: 28 Jan 2009
Posts: 14

Posted: Tue Sep 29, 2015 7:02 pm    Post subject: Abyss and Let's Encrypt (a new Certificate Authority)

Hi Aprelium,

I have just heard about Let's Encrypt...

Let's Encrypt is a new Certificate Authority:
It's free, automated, and open. Arriving Q4 2015
https://letsencrypt.org/

...(more information below FYI) and wondered if you are aware of it and whether you might consider making Abyss automatically handle the creation, use within Abyss and renewal of their free security certificates?

It seems like it will be a good way of https securing a web site hosted in Abyss without much cost or effort.

I will look forward to hearing your thoughts on this.

Thanks,

David

More information...

Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public's benefit. Let's Encrypt is a service provided by the Internet Security Research Group (ISRG). https://letsencrypt.org/isrg/

The key principles behind Let's Encrypt are:

Free: Anyone who owns a domain name can use Let's Encrypt to obtain a trusted certificate at zero cost.

Automatic: Software running on a web server can interact with Let's Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.

Secure: Let's Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.

Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.

Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.

Cooperative: Much like the underlying Internet protocols themselves, Let's Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

DavidQ
Joined: 28 Jan 2009
Posts: 14

Posted: Wed Sep 30, 2015 9:39 am

I found some more information and it looks like multi-domain certificates will be available...

https://community.letsencrypt.org/t/frequently-asked-questions-faq/26
Quote:
Can I get a certificate for multiple domain names?

Yes, the same certificate can apply to several different names using the Subject Alternative Name (SAN) mechanism. The Let's Encrypt client automatically requests certificates for multiple names when requested to do so. The resulting certificates will be accepted by browsers for any of the domain names listed in them.


https://community.letsencrypt.org/t/please-support-multi-domain-ssl-certificates-like-the-ones-on-positivessl/867/4
Quote:
Please support Multi Domain SSL Certificates like...

ilp.moe
stats.ilp.moe
db.ilp.moe
b.ilp.moe
s.ilp.moe
hack.ilp.moe
im.ilp.moe
toaru-anime.tv
stats.toaru-anime.tv
im.toaru-anime.tv
toaru-music.tv
stats.toaru-music.tv
im.toaru-music.tv
toaru-pic.tv
stats.toaru-pic.tv
im.toaru-pic.tv

That list of domains will be fine for Let's Encrypt.

DavidQ
Joined: 28 Jan 2009
Posts: 14

Posted: Fri Jan 15, 2016 5:18 pm

Hi,

It seems that Let's Encrypt entered its public beta phase in December 2015...
https://letsencrypt.org/2015/12/03/entering-public-beta.html

I would really appreciate a reply from Aprelium to my question about the possibility of interfacing with this service from Abyss.

Thanks,

David

twotone
Joined: 18 Jun 2005
Posts: 10

Posted: Tue Feb 09, 2016 8:35 am

I would VERY MUCH like to use Let's Encrypt with Abyss. Any thoughts on Abyss support for this service? This is a first of its kind - automatic request, signing, installation, and renewal of certificates - FOR FREE. No more expired certificates and lengthy trouble tickets to get renewals installed.

twotone
Joined: 18 Jun 2005
Posts: 10

Posted: Tue Feb 09, 2016 8:46 am

This guy has created a Windows client for IIS.

https://community.letsencrypt.org/t/how-letsencrypt-work-for-windows-iis/2106/30

He has developed a plugin architecture for his client so plugins can be written for other servers (such as Abyss). How about it? Anyone up to the task of coding a plugin for Abyss for this guy's Let's Encrypt Windows client? It's definitely beyond my abilities.

lazna
Joined: 16 Aug 2015
Posts: 20

Posted: Fri Feb 19, 2016 11:14 am

+1

A tool for Let's Encrypt certificate automation for Abyss will be VERY useful...

DavidQ
Joined: 28 Jan 2009
Posts: 14

Posted: Fri Mar 04, 2016 11:25 am

It's been five months since I posted this question. I also emailed and sent private messages to Aprelium and received no reply.

This makes me wonder if all is well at Aprelium. I do hope so.

lazna
Joined: 16 Aug 2015
Posts: 20

Posted: Sat Mar 26, 2016 4:03 pm

Have serious doubts, unable to find Aprelium SARL in the Tunisian commercial registry..

http://www.registre-commerce.tn

TRUSTAbyss
Joined: 29 Oct 2003
Posts: 3714
Location: USA, GA

Posted: Mon Mar 28, 2016 3:41 am

Have a look at this post by Aprelium
http://aprelium.com/forum/viewtopic.php?t=412403
_________________
Computer Programmer & Networking Specialist


admin
Site Admin
Joined: 03 Mar 2002
Posts: 772

Posted: Mon Mar 28, 2016 5:20 pm

lazna wrote:
Have serious doubts, unable to find Aprelium SARL in the Tunisian commercial registry..

http://www.registre-commerce.tn


We doubt you did the search using the right form:

* Browse http://www.registre-commerce.tn
* Select "Personne Morale" under "Recherche" in the left panel
* In the displayed form, type "Aprelium" in "Nom commercial"
* Press the "Lancer la Recherche" button
* You'll get a table with a single row (ours)
* Press on the "eye" icon at the right of the row
* You'll get a page with more details about the company.
_________________
Forum Administrator
Aprelium - http://www.aprelium.com

admin
Site Admin
Joined: 03 Mar 2002
Posts: 772

Posted: Thu Mar 31, 2016 12:15 pm

DavidQ wrote:
I would really appreciate a reply from Aprelium to my question about the possibility of interfacing with this service from Abyss.


ACME protocol support is planned for version 2.12 (Q4/2016.)

ACME is the protocol used to automatically request certificates from certification authorities such as "Let's Encrypt".
_________________
Forum Administrator
Aprelium - http://www.aprelium.com

lazna
Joined: 16 Aug 2015
Posts: 20

Posted: Thu Mar 31, 2016 3:56 pm

admin wrote:
lazna wrote:
Have serious doubts, unable to find Aprelium SARL in the Tunisian commercial registry..

http://www.registre-commerce.tn


We doubt you did the search using the right form:

* Browse http://www.registre-commerce.tn
* Select "Personne Morale" under "Recherche" in the left panel
* In the displayed form, type "Aprelium" in "Nom commercial"
* Press the "Lancer la Recherche" button
* You'll get a table with a single row (ours)
* Press on the "eye" icon at the right of the row
* You'll get a page with more details about the company.


I saw this single row, but did not discover that the 'eye' is clickable. Thank you for the step-by-step guide.

Glad to see my doubts about Aprelium end days are false...

L.

DavidQ
Joined: 28 Jan 2009
Posts: 14

Posted: Fri Apr 01, 2016 3:25 pm

admin wrote:
ACME protocol support is planned for version 2.12 (Q4/2016.)

ACME is the protocol used to automatically request certificates from certification authorities such as "Let's Encrypt".


That is really good news! I will look forward to it.

Lithorien
Joined: 20 Jun 2004
Posts: 32

Posted: Tue Dec 13, 2016 11:37 am

Hi there. Any word on ACME support for Let's Encrypt?

Lawrence
Joined: 16 Jan 2003
Posts: 203
Location: Brisbane, AU

Posted: Thu Dec 29, 2016 7:01 am

Yeah I'm pretty keen on this also, I'd very much like to secure a few pages. ^_^
_________________
[ Please stop confusing your opinion with fact. ]

Daevon
Joined: 04 Jul 2009
Posts: 10

Posted: Sat Dec 31, 2016 1:59 pm    Post subject: I'd like to see it too!

Thanks Aprelium, and happy new year!

DavidQ
Joined: 28 Jan 2009
Posts: 14

Posted: Tue Feb 21, 2017 8:26 pm

It seems the planned version 2.12 release did not arrive in Q4/2016. However, I'm still really looking forward to ACME protocol support and would appreciate a progress update from Aprelium if possible.

Thanks,

David

pkSML
Joined: 29 May 2006
Posts: 873
Location: Michigan, USA

Posted: Thu Feb 23, 2017 2:40 am

DavidQ wrote:
It seems the planned version 2.12 release did not arrive in Q4/2016. However, I'm still really looking forward to ACME protocol support and would appreciate a progress update from Aprelium if possible.

Thanks,

David

Ditto that! Hope v. 2.12 can come soon with Let's Encrypt functionality.
_________________
Stephen
Need a LitlURL?


http://CodeBin.yi.org

Daevon
Joined: 04 Jul 2009
Posts: 10

Posted: Sun Feb 26, 2017 1:39 pm    Post subject: Hope

I too hope for that update, but I also wrote support more than a month ago and got no reply whatsoever...:(

Lithorien
Joined: 20 Jun 2004
Posts: 32

Posted: Fri Apr 07, 2017 11:16 pm

Just bumping this up, wondering if there's any response from the support team about ACME support?

Lawrence
Joined: 16 Jan 2003
Posts: 203
Location: Brisbane, AU

Posted: Thu Apr 13, 2017 1:47 am

I'm anxiously waiting for this too. Being able to support the users of my websites with some encryption seems pretty important these days.
_________________
[ Please stop confusing your opinion with fact. ]

Lithorien
Joined: 20 Jun 2004
Posts: 32

Posted: Fri Apr 14, 2017 11:39 pm

Lawrence wrote:
I'm anxiously waiting for this too. Being able to support the users of my websites with some encryption seems pretty important these days.


I just re-upped for 2 years of support, I'm hoping that a little bit of money might bring them back here to see there are still some users who are willing to pay and who want to see development continue.

Lithorien
Joined: 20 Jun 2004
Posts: 32

Posted: Thu Jul 06, 2017 9:50 pm

Just popping in with an update request: Been a while since we've heard from Aprelium staff about how development is going. Any updates?

lazna
Joined: 16 Aug 2015
Posts: 20

Posted: Sun Jul 09, 2017 10:07 pm

Version 2 of the ACME protocol is adding wildcard certificates for subdomains.

Daevon
Joined: 04 Jul 2009
Posts: 10

Posted: Tue Jul 11, 2017 1:06 pm    Post subject: any hope?

I wrote both to contacts and support more than 3 times in the last 14 months, and never got an answer.
Paying users like Lithorien should at least get an answer.. but since none has been given, I fear for the worst...

Lithorien
Joined: 20 Jun 2004
Posts: 32

Posted: Fri Aug 11, 2017 7:35 pm    Post subject: Re: any hope?

Daevon wrote:
I wrote both to contacts and support more than 3 times in the last 14 months, and never got an answer.

Paying users like Lithorien should at least get an answer.. but since none has been given, I fear for the worst...


I was able to get an answer through email through the priority support account, here's the relevant snippet:

Quote:
ACME is on our todo list for a future revision. HTTP/2 support is on
that same list too.

We cannot provide you with an exact ETA for that new version but we
think it could be ready before the end of 2017.


Don't give up hope!

pkSML
Joined: 29 May 2006
Posts: 873
Location: Michigan, USA

Posted: Sat Aug 12, 2017 4:15 am

Hey all. Just wanted to let you know I got Let's Encrypt working with Abyss on Windows! There's a little bit of rigmarole to make it happen, but it's not too complicated.

I hope to be posting a better tutorial within a few weeks.

Steps:

  • Download Crypt-LE --> http://litlurl.net/Crypt-LE
    From the latest release, download le32.zip or le64.zip, depending on your operating system (32/64 bit).
  • Extract the zip file to a folder of your choice on your server. It must be a writable directory.
  • In your router, forward TCP port 443 to your server (like you've already done for port 80).
  • For any domain you want to get an SSL certificate, you must create two folders in the web root directory.
    Create a directory called:
    Code:
    .well-known

    Windows Explorer won't allow you to do this. The workaround is to append a period at the end of the directory name.
    For example, type in:
    Code:
    .well-known.

    Create a directory inside the .well-known directory named:
    Code:
    acme-challenge

    You should be able to navigate to YOUR_WEB_ROOT_FOLDER\.well-known\acme-challenge
    Remember: Do this for every domain you want to enable SSL for.
  • Now build your argument list for le32.exe (or le64.exe).
    Here's some code to get started with:
    Code:
    le32.exe
    -key account.key
    -email your_email@server.com
    -csr demo.go2.rip.csr
    -csr-key demo.go2.rip.key
    -crt demo.go2.rip.crt
    -domains "demo.go2.rip,www.demo.go2.rip"
    -generate-missing
    -path "c:\web_docs\demo.go2.rip\.well-known\acme-challenge,c:\web_docs\demo.go2.rip\.well-known\acme-challenge"

    *Change to your email address. This is an optional parameter, but it's for "email for expiration notifications".
    *The parameters key, csr, csr-key, and crt define files that will be created in the folder where le32.exe resides.
    *Note: Every time you create certificates with this program, use the same account.key file.
    *Note: You can specify several domains in the domain parameter. Make sure to put the corresponding path in the path parameter.
    The first domain corresponds to the first path and the second domain corresponds to the second path, etc.
    (In my example, the root domain and www subdomain have the same root.)
  • Take all the arguments after you've altered them (ideally in Notepad), and condense them into one line.
    Copy and paste into a command prompt (right-click --> Paste) after you've navigated to the folder with le32.exe.
  • If you receive the following response on your screen, you've set up the parameters correctly:
    Code:
    2017/08/11 22:08:49 [ ZeroSSL Crypt::LE client v0.24 started. ]
    2017/08/11 22:08:49 Loading an account key from account.key
    2017/08/11 22:08:49 Loading a CSR from demo.csr
    2017/08/11 22:08:51 Registering the account key
    2017/08/11 22:08:51 The key is already registered. ID: *******
    2017/08/11 22:08:51 Current contact details: *********@gmail.com
    2017/08/11 22:08:52 Successfully saved a challenge file 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/2gsfhMM-KekeTxKp373hgOj93mjh3FT7JufPQBmL4VA' for domain 'demo.go2.rip'
    2017/08/11 22:08:52 Successfully saved a challenge file 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/7KFbbpCFhU5MveHdr60x83yWv3XcfdHYUbhqtsNavKY' for domain 'www.demo.go2.rip'
    2017/08/11 22:08:55 Domain verification results for 'demo.go2.rip': success.
    2017/08/11 22:08:55 You can now delete the 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/2gsfhMM-KekeTxKp373hgOj93mjh3FT7JufPQBmL4VA' file.
    2017/08/11 22:08:57 Domain verification results for 'www.demo.go2.rip': success.
    2017/08/11 22:08:57 You can now delete the 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/7KFbbpCFhU5MveHdr60x83yWv3XcfdHYUbhqtsNavKY' file.
    2017/08/11 22:08:57 Requesting domain certificate.
    2017/08/11 22:08:58 Requesting issuer's certificate.
    2017/08/11 22:08:58 Saving the full certificate chain to demo.go2.rip.crt.
    2017/08/11 22:08:58 ===> NOTE: You have been using the test server for this certificate. To issue a valid trusted certificate add --live option.
    2017/08/11 22:08:58 The job is done, enjoy your certificate! For feedback and bug reports contact us at [ https://ZeroSSL.com | https://Do-Know.com ]

  • Important note: This certificate is not the one you want to use!!! The second to last log entry tells us what to do next:
    Quote:
    To issue a valid trusted certificate add --live option.

  • So tack on -live to the argument list (only a single dash as the double dash is for Linux use). Adding -live will alter the .crt file.
    The command prompt should now show similar output:
    Code:
    2017/08/11 22:25:47 [ ZeroSSL Crypt::LE client v0.24 started. ]
    2017/08/11 22:25:47 Loading an account key from account.key
    2017/08/11 22:25:47 Loading a CSR from demo.go2.rip.csr
    2017/08/11 22:25:49 Registering the account key
    2017/08/11 22:25:49 The key is already registered. ID: ********
    2017/08/11 22:25:50 Successfully saved a challenge file 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/merGFw9B7azpn72vKNNJqMHh4LpS49vduhhU252vaHM' for domain 'demo.go2.rip'
    2017/08/11 22:25:50 Successfully saved a challenge file 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/1VSyuELTt10xdcYKF5l2Dp-XPY2677XaxTy-mhTyoNI' for domain 'www.demo.go2.rip'
    2017/08/11 22:25:52 Domain verification results for 'demo.go2.rip': success.
    2017/08/11 22:25:52 You can now delete the 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/merGFw9B7azpn72vKNNJqMHh4LpS49vduhhU252vaHM' file.
    2017/08/11 22:25:55 Domain verification results for 'www.demo.go2.rip': success.
    2017/08/11 22:25:55 You can now delete the 'c:\web_docs\demo.go2.rip\.well-known\acme-challenge/1VSyuELTt10xdcYKF5l2Dp-XPY2677XaxTy-mhTyoNI' file.
    2017/08/11 22:25:55 Requesting domain certificate.
    2017/08/11 22:25:55 Requesting issuer's certificate.
    2017/08/11 22:25:55 Saving the full certificate chain to demo.go2.rip.crt.
    2017/08/11 22:25:55 The job is done, enjoy your certificate! For feedback and bug reports contact us at [ https://ZeroSSL.com | https://Do-Know.com ]

  • Now that we have a full-fledged certificate file, we will now import the SSL certificate into Abyss.
    Load up the Abyss console in your browser.
  • Go to SSL/TLS Certificates.
    In the Private Keys table, click Add.
  • Create a name for this private key.
    Let's call it 'Abyss-LE' for this example.
    Set action to 'Import'.
    Under key contents, insert the contents of demo.go2.rip.key file (the one created with the -csr-key parameter).
    Click OK.
  • Under Certificates, click Add.
    Give it a name. Again, for example, let's use 'Abyss-LE'.
    Choose your 'Abyss-LE' private key.
    Set 'Type' to 'Signed by a Certification Authority (CA)'.
  • Under Main Certificate, open up demo.go2.rip.crt (the file specified in the -crt parameter).
    You'll notice there are two certificates here. Select only the first one and paste it into Main Certificate.
    The second certificate should be pasted in 'Intermediate Certificate'.
    The CA Root Certificate can be blank.
    Click OK.
  • Now navigate to your host and click 'General'.
    Under Protocol, select HTTP+HTTPS.
    Select the certificate you created.
    Click OK.
    (If you specified other domains when you created your SSL certificate, repeat this same procedure and use the same certificate for those hosts.)
  • Restart Abyss. Now you're serving HTTP & HTTPS. Congrats!


_________________
Stephen
Need a LitlURL?


http://CodeBin.yi.org


Last edited by pkSML on Sat Aug 12, 2017 4:29 am; edited 1 time in total
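
The -domains and -path values in the tutorial above are matched by position, which is easy to get wrong when the one-line command is assembled by hand. The following is an added example (not part of pkSML's post and not Crypt-LE code) that builds the argument list from ordered (domain, web root) pairs and creates each challenge folder; the helper name build_le_args and its parameters are hypothetical, and only flags shown in the post are used.

```python
import os
import subprocess
import tempfile

# Folder the ACME HTTP challenge files are written to, relative to a web root.
CHALLENGE_SUBDIR = os.path.join(".well-known", "acme-challenge")


def build_le_args(name, hosts, email=None, live=False, exe="le32.exe"):
    """Build the le32.exe argument list for `hosts`, an ordered list of
    (domain, web_root) pairs, creating each challenge directory on the way.

    `name` is the file stem for the .csr/.key/.crt files (hypothetical helper
    parameter; the flags themselves are the ones shown in the post).
    """
    if not hosts:
        raise ValueError("at least one (domain, web_root) pair is required")
    domains, paths = [], []
    for domain, web_root in hosts:
        # -domains and -path are comma-separated and matched by position, so a
        # comma inside a value would silently shift every later pairing.
        if "," in domain or "," in web_root:
            raise ValueError(f"comma not allowed: {domain!r}, {web_root!r}")
        if domain in domains:
            raise ValueError(f"duplicate domain: {domain!r}")
        # Refuse to create a missing web root: a typo here would only show up
        # later as a failed domain verification.
        if not os.path.isdir(web_root):
            raise FileNotFoundError(f"web root for {domain} not found: {web_root}")
        challenge_dir = os.path.join(web_root, CHALLENGE_SUBDIR)
        # makedirs creates ".well-known" directly; the trailing-dot workaround
        # is only needed when typing the name into Windows Explorer.
        os.makedirs(challenge_dir, exist_ok=True)
        domains.append(domain)
        paths.append(challenge_dir)

    args = [exe, "-key", "account.key"]
    if email:
        args += ["-email", email]
    args += ["-csr", f"{name}.csr", "-csr-key", f"{name}.key",
             "-crt", f"{name}.crt",
             "-domains", ",".join(domains),
             "-generate-missing",
             "-path", ",".join(paths)]
    if live:
        args.append("-live")  # without it the run goes to the test server
    return args


if __name__ == "__main__":
    # Constructed demo: a temporary folder stands in for the real web root.
    with tempfile.TemporaryDirectory() as root:
        hosts = [("demo.go2.rip", root), ("www.demo.go2.rip", root)]
        args = build_le_args("demo.go2.rip", hosts)
        # list2cmdline applies Windows quoting, giving the one-line command.
        print(subprocess.list2cmdline(args))
```

Passing the returned list to subprocess.run() from the folder that holds le32.exe avoids hand-quoting paths that contain spaces.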

pkSML
Joined: 29 May 2006
Posts: 873
Location: Michigan, USA

Posted: Sat Aug 12, 2017 4:16 am

Here's another website I've secured with HTTPS in Abyss.




These certificates are good for three months, but you can't renew before 60 days. So I'll have to give an update on how to renew properly when the time comes.

One more thing: To help with debugging, you can test your SSL setup here --> https://www.ssllabs.com/ssltest/.
I highly recommend this before asking, "What did I do wrong?" on the forums :)
And my demo scored an A rating.
(An A+ rating may create compatibility problems for more users.)

_________________
Stephen
Need a LitlURL?


http://CodeBin.yi.org
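
For the import step in the tutorial earlier in this thread, where the first certificate in the .crt file goes into 'Main Certificate' and the second into 'Intermediate Certificate', the split can be scripted instead of selected by hand. This is an added example, not part of any post or of Abyss or Crypt-LE; the function names are hypothetical and the sample input is constructed dummy data, not real certificates.

```python
import base64
import hashlib
import re

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_pem(der):
    """Re-encode DER bytes as a PEM certificate block wrapped at 64 columns."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def split_chain(pem_text):
    """Split a two-certificate chain file into the two fields Abyss asks for.

    Returns a dict with 'main' and 'intermediate' PEM strings and the SHA-256
    fingerprint of each certificate's DER bytes.
    """
    # The .key file belongs in the Private Keys table, never in these fields.
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("input contains a private key, expected certificates only")
    bodies = CERT_RE.findall(pem_text)
    if len(bodies) != 2:
        raise ValueError(
            f"expected 2 certificates (main + intermediate), found {len(bodies)}")
    result = {}
    for field, body in zip(("main", "intermediate"), bodies):
        # validate=True rejects stray characters from a bad copy and paste.
        der = base64.b64decode("".join(body.split()), validate=True)
        result[field] = to_pem(der)
        result[field + "_sha256"] = hashlib.sha256(der).hexdigest()
    if result["main_sha256"] == result["intermediate_sha256"]:
        raise ValueError("both blocks are the same certificate")
    return result


def constructed_chain():
    """Constructed stand-in for the .crt file: two PEM blocks holding dummy
    bytes, enough to exercise the splitting logic offline."""
    main = to_pem(b"constructed main certificate " * 4)
    intermediate = to_pem(b"constructed intermediate certificate " * 4)
    return main + intermediate


if __name__ == "__main__":
    parts = split_chain(constructed_chain())
    print("Main Certificate field:\n" + parts["main"])
    print("Intermediate Certificate field:\n" + parts["intermediate"])
    print("main sha256:", parts["main_sha256"])
```

With a real chain file, the printed main fingerprint can be compared with the SHA-256 fingerprint a browser shows for the site after Abyss is restarted.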
All times are GMT + 1 Hour