search

hungnguyenm / edgemax-acme

Let's Encrypt setup instructions for Ubiquiti EdgeRouter using DNS-01
149 stars 31 forks source link

updates for proper CA chaining (i.e. lighttpd actually presents the i… #14

Open bdwilson opened 2 years ago

bdwilson commented 2 years ago

…ntermediate certs properly to clients) and set Acme default back to LE. I also added default provider as Lets Encrypt because the other ones fail due to old certs on EdgeOS. I put instructions on how to update certs from LE in your readme.

Bundling the cert, key and intermediates does not work. You can validate this with openssl:

% openssl s_client -connect 192.168.1.1:443 -servername router.yourdomain.com

If you don't see the chain being delivered and: Verification: OK, then it's messed up. The original author had this split out for a reason.

% openssl s_client -connect 192.168.1.1:443 -servername router.yourdomain.com CONNECTED(00000003) depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = R3 verify return:1 depth=0 CN = router.yourdomain.com verify return:1 Certificate chain 0 s:CN = router.yourdomain.com i:C = US, O = Let's Encrypt, CN = R3 1 s:C = US, O = Let's Encrypt, CN = R3 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1 i:O = Digital Signature Trust Co., CN = DST Root CA X3 ... SSL handshake has read 4385 bytes and written 439 bytes Verification: OK

gstrauss commented 2 years ago

If you're using lighttpd 1.4.56 or later with Let's Encrypt, please simply use the files from Let's Encrypt:

    ssl.privkey = "/etc/lighttpd/certs/www.example.com/privkey.pem" 
    ssl.pemfile = "/etc/lighttpd/certs/www.example.com/fullchain.pem"

With the above, it is not necessary, and not recommended, to set ssl.ca-file

bdwilson commented 2 years ago

If you're using lighttpd 1.4.56 or later with Let's Encrypt, please simply use the files from Let's Encrypt:

    ssl.privkey = "/etc/lighttpd/certs/www.example.com/privkey.pem" 
    ssl.pemfile = "/etc/lighttpd/certs/www.example.com/fullchain.pem"

With the above, it is not necessary, and not recommended, to set ssl.ca-file

I'm still on 1.10x train so I'm on 1.4.35 at this time.

gstrauss commented 2 years ago

I'm still on 1.10x train so I'm on 1.4.35 at this time.

lighttpd 1.4.35 was released Mar 2014, over 7 years ago. There have been a small, but non-zero number of security bugs fixed in lighttpd in the 26 lighttpd releases since then.

bdwilson commented 2 years ago

Which is precisely why I deploy it behind an authenticated reverse proxy.

floco commented 2 years ago

Thanks @bdwilson your updates solve my issues with old CA