# Let's Encrypt tool for generating web server keys



## NewGuy (Mar 20, 2015)

The Let's Encrypt utility is a tool for automatically setting up security keys for domains the user controls. Basically, instead of buying a certificate or creating a self-signed one, the Let's Encrypt tool is supposed to handle setting up a secure domain, free of charge. More details here: https://letsencrypt.org/

The code for Let's Encrypt is available here: https://github.com/letsencrypt/lets-encrypt-preview

Right now Let's Encrypt is written for (and only runs on) Ubuntu. However, some work has been done to get the software running on FreeBSD. This post shows the steps and dependencies required to run Let's Encrypt on a FreeBSD 10 machine: https://github.com/letsencrypt/lets-encrypt-preview/issues/293

Hopefully more people will contribute and fix the remaining issues to make Let's Encrypt truly cross-platform.


----------



## oleg_skat (Sep 1, 2015)

Hi,

I can’t install letsencrypt.

My actions were:

```
# pkg install python27 swig30 pcre libffi augeas
# portsnap fetch
# portsnap extract
# cd /usr/ports/devel/py-setuptools  
# make install && make clean

# ln -s /usr/local/bin/swig3.0 /usr/local/bin/swig
# ln -s /usr/local/include/ffi.h /usr/include/ffi.h
# ln -s /usr/local/include/ffitarget.h /usr/include/ffitarget.h

# cd /letsencrypt-nginx
# /usr/local/bin/python2 setup.py build
   OK

# /usr/local/bin/python2 setup.py install
Installed /usr/local/lib/python2.7/site-packages/pyparsing-2.0.3-py2.7.egg
Searching for letsencrypt
Reading https://pypi.python.org/simple/letsencrypt/
Couldn't find index page for 'letsencrypt' (maybe misspelled?)
Scanning index of all packages (this may take a while)
Reading https://pypi.python.org/simple/
No local packages or download links found for letsencrypt
error: Could not find suitable distribution for Requirement.parse('letsencrypt')
```
Any ideas?


----------



## cpm@ (Sep 2, 2015)

Hi oleg_skat,

I'll give it a try and make a letsencrypt port for FreeBSD.


----------



## oleg_skat (Sep 2, 2015)

Hi cpm,

I want to make a certificate on a virtual Linux machine and then transfer the files to the production server, but the port is a better solution. Where can I download it?


----------



## cpm@ (Sep 2, 2015)

oleg_skat said:


> Hi cpm,
> 
> I want to make a certificate on a virtual Linux machine and then transfer the files to the production server, but the port is a better solution. Where can I download it?



I haven't started porting letsencrypt yet. I'll submit it when I get it finished.


----------



## oleg_skat (Sep 2, 2015)

Is it better to wait for you, or to do something myself...?


----------



## cpm@ (Sep 2, 2015)

oleg_skat said:


> Is it better to wait for you, or to do something myself...?



I suggest here: _to wait_.

In a few days I will provide a port for testing purposes. User reviews will be welcome.


----------



## satriani (Sep 2, 2015)

cpm said:


> In a few days I will provide a port for testing purposes. User reviews will be welcome.



You have nothing to do? 
Good news, it's necessary stuff. Thank you.


----------



## oleg_skat (Sep 2, 2015)

I think the FreeBSD community will be grateful for your work. We are waiting!
But don't forget to write here on completion.


----------



## cpm@ (Sep 12, 2015)

Thanks for waiting! I'm working on the letsencrypt port, but I had to deal with some outstanding tasks that prevented me from starting earlier.


----------



## satriani (Sep 13, 2015)

Take your time. Hopefully we can soon easily encrypt our connections


----------



## cpm@ (Sep 19, 2015)

satriani said:


> Take your time. Hopefully we can soon easily encrypt our connections



We are discussing this thread in the freebsd-ports mailing list:
https://lists.freebsd.org/pipermail/freebsd-ports/2015-September/100477.html


----------



## hukadan (Sep 19, 2015)

For the ones who missed the news, they issued their first certificate and applied to different root programs. On that page, you can also apply for their beta program. Thank you cpm for your work on this.


----------



## cpm@ (Sep 19, 2015)

I can confirm that if you follow his instructions using pkg(8), it builds/installs/works fine.

I hope to submit the new letsencrypt port pretty soon.


----------



## cpm@ (Oct 1, 2015)

Here it is the letsencrypt port, currently for testing purposes: PR 203405

Any feedback is welcome!


----------



## hukadan (Oct 1, 2015)

Well, it is too easy now (I used the method of your post 14)! https://letsencrypt.hukadan.org (fingerprint: EB:CA:09:54:37:F7:C4:EC:8B:87:57:44:5E:CC:B8:86:EE:FD:69:4F).

I am looking forward to having them added to the trusted CAs.


----------



## oleg_skat (Oct 29, 2015)

Hi, cpm 

Got an installation error of the port:


```
letsencrypt-nginx]# make install
===>  Staging for letsencrypt-nginx-0.0.0.dev20151008
===>  letsencrypt-nginx-0.0.0.dev20151008 depends on file: /usr/local/sbin/nginx - found
Error a dependency refers to a non existing origin: /usr/ports/security/letsencrypt in RUN_DEPENDS
*** [run-depends] Error code 1

Stop in /root/letsencrypt/letsencrypt-nginx.
```


```
[/usr/ports]# make search name=letsencrypt
[/usr/ports]#
```
The ports tree was updated.

Can you help me?


----------



## cpm@ (Nov 1, 2015)

oleg_skat said:


> Hi, cpm
> 
> Got an installation error of the port:
> 
> ...



Sorry for taking so long to reply, oleg_skat

Well, as you have seen, the port has not been committed into the ports tree yet because not all the work is done. So if you want to test it, please download the shar files from PR 203405 and install them as usual.

Give us some feedback!


----------



## oleg_skat (Nov 2, 2015)

Would you like to write step-by-step instructions?
I can't do anything...


----------



## Jimlad (Nov 3, 2015)

Hey cpm,

I've downloaded shar-v3, extracted it and installed letsencrypt.

Running `/usr/local/bin/letsencrypt -d HOSTNAME auth`

I get:

```
Traceback (most recent call last):
  File "/usr/local/bin/letsencrypt", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3074, in <module>
    @_call_aside
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3060, in _call_aside
    f(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3087, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 647, in _build_master
    return cls._build_from_requirements(__requires__)
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 660, in _build_from_requirements
    dists = ws.resolve(reqs, Environment())
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 833, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'acme==0.0.0.dev20151017' distribution was not found and is required by letsencrypt
```


----------



## cpm@ (Nov 4, 2015)

oleg_skat said:


> Would you like to write step by step instruction?
> Can’t to do anything...



First, once you've downloaded the shar file, unpack it by running `sh filename.shar` in the corresponding port category.

Finally, install the port as you usually do (e.g. using portmaster(8) or `make install clean`).


----------
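cpm@'s two steps above (unpack the shar in its ports category, then build the port) as an added shell example; this is not code from the thread, the PR or the port itself. The point a practitioner should not skip: a shar is a shell script that sh(1) runs with your privileges, and port installs are normally done as root, so verify the file's SHA-256 against a digest obtained out of band and confirm it contains only the mkdir/echo/sed lines shar(1) emits before executing it. The digest supplied by the caller, the paths and the sample shar are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the thread or of the FreeBSD port: unpack a port
# shar into its ports category with two checks first. (1) The SHA-256 must match
# the digest the caller obtained out of band; (2) the file must consist only of
# the classic shar(1) constructs (comments, echo, mkdir, sed here-documents,
# exit). Anything else is refused so it can be read before it is run.

# Return 0 if $1 consists only of classic shar(1) constructs, 1 otherwise.
shar_is_plain() {
    awk '
        inbody { if ($0 == delim) inbody = 0; next }      # inside a here-document
        /^#/ || /^$/ || /^echo / || /^mkdir / || /^exit$/ { next }
        /^sed .*<</ {                                       # sed ... >file << DELIM
            delim = $NF
            if (substr(delim, 1, 1) == "\047")              # strip the quotes
                delim = substr(delim, 2, length(delim) - 2)
            inbody = 1; next
        }
        { print "unexpected line: " $0 > "/dev/stderr"; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Hex SHA-256 of $1: sha256(1) on FreeBSD, sha256sum on GNU systems.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# unpack_port_shar SHAR CATEGORY_DIR EXPECTED_SHA256
#   0 unpacked under CATEGORY_DIR/<portname>; 1 bad arguments;
#   2 digest mismatch; 3 not a plain shar(1) archive (inspect it by hand).
unpack_port_shar() {
    shar=$1 category=$2 expected=$3
    [ -f "$shar" ] && [ -d "$category" ] || return 1
    case $shar in /*) ;; *) shar=$PWD/$shar ;; esac     # sh is run after a cd

    actual=$(sha256_of "$shar")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $shar: got $actual" >&2
        return 2
    fi
    head -n 1 "$shar" | grep -q '^# This is a shell archive' || return 3
    shar_is_plain "$shar" || return 3

    # shar(1) output creates "<portname>/..." relative to the cwd, so run it
    # from the category directory, e.g. /usr/ports/security.
    (cd "$category" && sh "$shar")
}

# Constructed sample shar (a stand-in for the PR attachment) for trying the
# function offline; it only creates letsencrypt/Makefile.
make_sample_shar() {
    cat > "$1" <<'EOF'
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".
#
# This archive contains:
#
#   letsencrypt
#   letsencrypt/Makefile
#
echo c - letsencrypt
mkdir -p letsencrypt > /dev/null 2>&1
echo x - letsencrypt/Makefile
sed 's/^X//' >letsencrypt/Makefile << 'END-of-letsencrypt/Makefile'
X# $FreeBSD$
XPORTNAME=letsencrypt
XCATEGORIES=security
END-of-letsencrypt/Makefile
exit
EOF
}
```

Usage: `unpack_port_shar letsencrypt.shar /usr/ports/security <sha256>` followed by `cd /usr/ports/security/<portname> && make install clean`, as cpm@ describes. A return of 3 means the archive contains something other than the mkdir/echo/sed layout (libarchive-style shars with chmod or uudecode lines also trip it); that is a signal to read the file, not a reason to run it anyway.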



## cpm@ (Nov 4, 2015)

Jimlad said:


> Hey cpm,
> 
> I've downloaded shar-v3, extracted it and installed letsencrypt.
> 
> ...



Well, it seems that something went wrong here. Try it using the previous shar file (shar-v2).

We need to investigate further the current problem.


----------



## oleg_skat (Nov 4, 2015)

Hi cpm,

I had done that before, as you wrote. But I want to add some details:

```
sh shar-v3

$1/{} \; &&  /usr/bin/find -d $0 $2 -type f -exec chmod 444 $1/{} \;' -- . /ports/security/letsencrypt/letsencrypt2/letsencrypt/work/stage/usr/local/share/examples/letsencrypt)
====> Compressing man pages (compress-man)
===>  Installing for letsencrypt-0.0.0.dev20151017
===>  Checking if letsencrypt already installed
===>  Registering installation for letsencrypt-0.0.0.dev20151017
Installing letsencrypt-0.0.0.dev20151017...
---------------------------------------

# pkg info | grep letsencrypt
letsencrypt-0.0.0.dev20151008  ACME client that can update Apache/Nginx configurations
-----------------------------------------------------------
# /usr/local/bin/letsencrypt -d mydomain.com auth
Traceback (most recent call last):
  File "/usr/local/bin/letsencrypt", line 5, in <module>
  from pkg_resources import load_entry_point
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3074, in <module>
  @_call_aside
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3060, in _call_aside
  f(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3087, in _initialize_master_working_set
  working_set = WorkingSet._build_master()
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 647, in _build_master
  return cls._build_from_requirements(__requires__)
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 660, in _build_from_requirements
  dists = ws.resolve(reqs, Environment())
  File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 833, in resolve
  raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'acme==0.0.0.dev20151017' distribution was not found and is required by letsencrypt
```

It's the same as *Jimlad*'s.


```
/usr/ports/devel/acme]# make install
===>  acme-091 is marked as broken: Does not fetch.
*** [install] Error code 1

Stop in /ports/devel/acme.
```

And


```
shar-v2

====> Compressing man pages (compress-man)
===>  Installing for letsencrypt-0.0.0.dev20151008
===>  Checking if letsencrypt already installed
===>  Registering installation for letsencrypt-0.0.0.dev20151008
Installing letsencrypt-0.0.0.dev20151008...


letsencrypt -d mydomain.com auth
..............
File "/usr/local/lib/python2.7/site-packages/cryptography-1.1-py2.7-freebsd-9.3-RELEASE-p10-amd64.egg/cryptography/hazmat/bindings/openssl/binding.py", line 13, in <module>
from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /usr/local/lib/python2.7/site-packages/cryptography-1.1-py2.7-freebsd-9.3-RELEASE-p10-amd64.egg/cryptography/hazmat/bindings/_openssl.so: Undefined symbol "CRYPTO_malloc_debug_init"
```

What do I have to do? Do I have to install py-acme from source?


----------



## cpm@ (Nov 4, 2015)

oleg_skat, Jimlad,

To install letsencrypt right now, please see my comment #14.

See also the following note, here.

Thanks for your patience!


----------



## Jimlad (Nov 4, 2015)

Just FYI oleg_skat, the port devel/acme is not the "Automated Certificate Management Environment" implementation, it's a cross-assembler.

Thanks cpm I will try your recommendation as per comment #14

Thank you for your continued work.


----------



## cpm@ (Nov 6, 2015)

Please, update your ports tree:

https://svnweb.freebsd.org/ports?view=revision&revision=400885
https://svnweb.freebsd.org/ports?view=revision&revision=400884


----------



## oleg_skat (Nov 6, 2015)

cpm said:


> Please, update your ports tree:
> 
> https://svnweb.freebsd.org/ports?view=revision&revision=400885
> https://svnweb.freebsd.org/ports?view=revision&revision=400884



-----------------------------------------------------------------------------------
cpm, Thanks

Using the GitHub version (./letsencrypt-auto, http://letsencrypt.readthedocs.org/en/latest/using.html#installation) I have installed letsencrypt successfully on another FreeBSD 10.1 virtual machine, without any warnings. Got 2 *.pem files, the key and the certificate, and moved them to the real server.
And now I've got the next problem:

```
Performing sanity check on nginx configuration:
nginx: [emerg] PEM_read_bio_X509_AUX("/usr/local/ssl/cacert.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed.
```

The process continues (to my enjoyment).

-------------------------------------------------------------------

About the new port:

The letsencrypt plugins to support Apache and Nginx certificate installation
will be made available soon in the following ports:

* Apache plugin: security/py-letsencrypt-apache
* Nginx plugin: security/py-letsencrypt-nginx

What does that mean? Can security/py-letsencrypt create and install certificates without plugins?

Besides ......

```
letsencrypt --server mydomain.com certonly
...................................................................
ImportError: Cannot open "/usr/local/lib/python2.7/site-packages/cryptography-1.1-py2.7-freebsd-9.3-RELEASE-p10-amd64.egg/cryptography/hazmat/bindings/_openssl.so"
File no exists
```


----------
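The nginx error in the post above, with an added check that is not from the thread: `PEM_read_bio_X509_AUX` reads the first PEM block of the `ssl_certificate` file and accepts only a `CERTIFICATE` or `TRUSTED CERTIFICATE` label, so "no start line" means nginx was pointed at a file that does not begin with `-----BEGIN CERTIFICATE-----` (here `/usr/local/ssl/cacert.pem`, which is not one of the files the client writes). The client writes `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem` under its `live/<domain>` directory; nginx wants `fullchain.pem` (leaf first, then intermediates) as `ssl_certificate` and `privkey.pem` as `ssl_certificate_key`. The function below verifies exactly that before `nginx -t` is run. The directory paths mentioned and the sample files are assumptions constructed for the example; their base64 is filler, not real key material.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the files an nginx
# ssl_certificate / ssl_certificate_key pair points at. OpenSSL's
# "no start line ... Expecting: TRUSTED CERTIFICATE" means the ssl_certificate
# file does not begin with a CERTIFICATE (or TRUSTED CERTIFICATE) PEM block.

# Print the PEM BEGIN labels found in $1, in order, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Every BEGIN label must have a matching END label (truncated copies fail this).
pem_balanced() {
    begins=$(pem_labels "$1" | sort)
    ends=$(sed -n 's/^-----END \(.*\)-----$/\1/p' "$1" | sort)
    [ "$begins" = "$ends" ]
}

# check_tls_pair CERT KEY
#   0 ok; 1 unreadable file; 2 CERT does not start with a certificate block;
#   3 KEY does not start with a private key block; 4 unbalanced PEM armor.
check_tls_pair() {
    cert=$1 key=$2
    [ -r "$cert" ] && [ -r "$key" ] || { echo "unreadable cert or key" >&2; return 1; }
    pem_balanced "$cert" && pem_balanced "$key" \
        || { echo "BEGIN/END mismatch" >&2; return 4; }

    # nginx reads the server certificate first and then any intermediates from
    # the same file, so this should be fullchain.pem, never a CA bundle or a key.
    case "$(pem_labels "$cert" | head -n 1)" in
        CERTIFICATE|"TRUSTED CERTIFICATE") ;;
        *) echo "$cert: first PEM block is not a certificate" >&2; return 2 ;;
    esac
    case "$(pem_labels "$key" | head -n 1)" in
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") ;;
        *) echo "$key: first PEM block is not a private key" >&2; return 3 ;;
    esac
    echo "$cert: $(pem_labels "$cert" | grep -c CERTIFICATE) certificate block(s); $key: ok"
}

# Constructed stand-ins for live/<domain>/fullchain.pem and privkey.pem (the
# client's layout; the FreeBSD port keeps its state under /usr/local/etc,
# which is an assumption here) plus a file with no PEM armor at all, which is
# what produces the "no start line" error in nginx. The base64 is filler.
write_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBkTCB+wIJAK' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'MIIBkTCB+wIJAL' '-----END CERTIFICATE-----' \
        > "$dir/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEvQIBADANBg' '-----END PRIVATE KEY-----' \
        > "$dir/privkey.pem"
    printf '%s\n' 'This file is a placeholder, not a certificate.' > "$dir/cacert.pem"
}
```

Run it as `check_tls_pair /usr/local/etc/letsencrypt/live/<domain>/fullchain.pem /usr/local/etc/letsencrypt/live/<domain>/privkey.pem` (adjust the prefix to wherever the client put them) and point `ssl_certificate` and `ssl_certificate_key` at the same two files; a return of 2 against the file named in the nginx error is the "no start line" case. The check only looks at PEM framing; it does not prove the key matches the certificate, which `openssl x509 -noout -modulus` / `openssl rsa -noout -modulus` would.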



## cpm@ (Nov 9, 2015)

As you previously realised, the other ports have not landed in the ports tree yet. More work is needed before doing this 

Please see the current notes and the status of the officially supported plugins ATM:
https://letsencrypt.readthedocs.org/en/latest/using.html#plugins


----------



## oleg_skat (Nov 9, 2015)

Yes,
I have seen it. But now I have to perform another task. I think when the time comes to use HTTPS, I will return.
Apart from that, there are a lot of other possibilities for receiving a certificate for free.
But we hope for a correctly written port, with up-to-date plugins and dependencies...


----------



## cpm@ (Nov 9, 2015)

oleg_skat said:


> Yes,
> I have seen it. But now I have to perform another task. I think when the time comes to use HTTPS, I will return.
> Apart from that, there are a lot of other possibilities for receiving a certificate for free.
> But we hope for a correctly written port, with up-to-date plugins and dependencies...



Sure, we will add more options to the security/py-letsencrypt port as soon as the available plugins work properly.


----------



## oleg_skat (Nov 10, 2015)

All software requires time for debugging. Our community is waiting for that.


----------



## Jimlad (Nov 10, 2015)

Just got my hostname whitelisted via the Let's Encrypt beta program. The certificate is on a jail running nginx as a reverse proxy on FreeBSD 10.2 on DO.


----------



## Jimlad (Nov 11, 2015)

Here is a set of installation scripts for the official letsencrypt Python client on multiple platforms, but most importantly... FreeBSD. I have not tested the FreeBSD script, but for anyone struggling it might be worth a go. https://github.com/kennwhite/install-letsencrypt


----------



## cpm@ (Nov 24, 2015)

A must read: http://savagedlight.me/2015/11/24/lets-encrypt-on-a-freebsd-nginx-reverse-proxy/

Thanks to Savagedlight


----------

