Let's Encrypt automated certificate support?

[pantheis]

As a feature enhancement, would it be possible to add automated Let's Encrypt (https://letsencrypt.org/) support? This would provide legitimate signed certificates in a completely automated and easy to use way, helping to keep our minecraft admin secure.

Thoughts?

[hexparrot]

It's unlikely that I'll add this service to the workflow of installing MineOS for a few reasons. First and foremost, it requires external internet connectivity. This version of MineOS--while severely crippled without internet--can operate entirely on LAN, without internet. Adding this, whether internet is not connected or otherwise just temporary connectivity issues, raises questions about what will actually happen if the LetsEncrypt client can't phone home.

Secondly, creating a self-signed SSL is a single command that 100% works on all *nix platforms, BSD, Linux, etc., which makes for a much more consistent installation experience.

Lastly, almost 99% of traffic going to the webserver area of MineOS are admins, who get the benefit of the self-signed cert. In all ways, a self-signed cert is as SAFE AND SECURE as an issued cert, though it just feels less good, because of browser warnings.

That said, I'm going to try out this service myself and see what it'll take to get it working and provide after-the-installation instructions probably for both Python and NodeJS versions so it can still be used to full effect. Will return shortly.

Edit: And oh yeah! not everybody has/will get a domain name. This LetsEncrypt is pretty great though! Applying it to the MineOS website!

[leoherzog]

Thanks for looking into this, William! I would love to see this as an option.

[pantheis]

Hexparrot, thanks for entertaining the idea of adding Let's Encrypt support. I wouldn't expect it to replace the self-signed certificate as there are many valid reasons why that would be "good enough", but for those of us who have a legitimate domain, are on the internet, and want a certificate backed by a trusted root, Let's Encrypt seems like the perfect solution for a seamless, no hassle, and low to zero maintenance free certificate.

[MrTechGadget]

I also would like to see this option. I currently use startssl.com for a free server cert. It is not a big pain to register and update the certificate, but letsencrypt makes this even easier. That said, not sure if the correct person to integrate this is hexparrot or hiawatha I am using mineos on my ubuntu server, and I plan on testing this out in the next few weeks and will report back. There is an easy tutorial here, https://www.hiawatha-webserver.org/forum/topic/2085 12 November 2015 post by Virgin Steele.

It is only a few commands, not sure if I would want the functionality to replace server certs in the webui, it could open the door for MITM attacks.

[leoherzog]

Hiawatha is not used in MineOS; Python is answering the HTTP requests directly. Hiawatha used to be used as the web server to serve up map render tiles from Pigmap/Overviewer.

[hexparrot]

Well, here's a few points to chew on when it comes to Let's Encrypt.

First and most importantly, a LetsEncyrpt.com SSL is the same as a self-signed SSL in terms of functionality. Any security benefit conferred from an SSL will happen whether it has a Certification Authority chain or not. There are no new exploits available from using one that the other circumvents. What the CA offers (in conventional wisdom) is the promise that whom you are communicating with is exactly who you expect it to be.

Secondly, MineOS already is designed to use a LetsEncrypt certificate. Both in the Python version or the Node version, both have easy configuration in mineos.conf. With a working certificate in-hand, literally the only step you need to do is change mineos.conf to reflect your issued certs' filenames.

Thirdly, MineOS will never switch to LetsEncypt over a self-signed. Less than 1% of MineOS users have a domain for which this will work, so LetsEncrypt is good only for a tiny minority--I like the idea of a security-chain-verified browser, too, so that's why I want to accommodate LetsEncrypt, but let's address one last thing:

MineOS doesn't need to "support" LetsEncrypt, just like MineOS doesn't need to "support" Godaddy or Network Solutions. An SSL is an SSL and the only requirement of MineOS in SSLs is making sure it can utilize it. LetsEncrypt is a unique CA; mostly because it's free, but also because they offer such unique alternatives for issuance: not needing to verify who you are. That lends for opportunities like the "Webroot installation." Let me clarify: only the webroot approach (one of many ways to get a cert) requires modifications to MineOS or a knowledge of CherryPy or NodeJS that most people don't have. But more importantly, the webroot approach is not required in order to get a LE cert, which means that one could use the instructions on the LE website without MineOS even installed and get issued a cert--and when ready, modify the mineos.conf and be done.

So the main takeaway is--the TLDR--you can acquire a LetsEncrypt certificate right now, at this very moment, without any changes to MineOS--using only the instructions from LetsEncrypt.org. You also can utilize that cert merely by updating mineos.conf

But yes, the initial request is for automated support, which isn't likely, I'd wager. There's just too many variables in play that would needlessly add complexity to my codebase or to people in general (who don't have/want such a cert).

[ls-1N]

Does anyone know which filenames are needed for this in mineos.conf? I pasted my .key and .crt to ssl_private_key and ssl_certificate, but do I also need ssl_cert_chain? I tried adding chain as well, but still don't know how to make it work.