Thanks to the efforts of @jerrm and @bpbp, the latest edge version of Certificate Management module allows you to generate a Let’s Encrypt cert using fwconsole:
# fwconsole ma list | grep cert
| certman | 15.0.34 | Enabled | AGPLv3+ |
# fwconsole certificates --generate --type=le --hostname=lorne.redacted.com --country-code=ca --state=ns [email protected]
Getting list of URLs for API
Requesting new nonce for client communication
Account already registered. Continuing.
Sending registration to letsencrypt server
Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-acct
Account: https://acme-v02.api.letsencrypt.org/acme/
Starting certificate generation process for domains
Requesting challenge for lorne.redacted.com
... bunch of lines removed ...
Got certificate! YAY!
Saving fullchain.pem
Saving cert.pem
Saving chain.pem
Done !!§§!
Successfully installed Let's Encrypt certificate 'lorne.redacted.com'
The big addition for this ticket is Subject Alternative Name so a cert can support more than one DNS name, i.e. a single cert can now support admin.mydomain.com, ucp.mydomain.com, sip.mydomain.com, etc.
Of limited use for the distro with current port-based apache virtual hosts, but makes life much easier for those that use hostname/SNI based virtual hosts.
Does your code allow certificates from other than the primary domain to be issued?
I ask because using such domains (using SNI, not ports) would provide a ‘once removed’ certification for administrative purposes (and provisioning) that is less easily revealed?
I believe that both TLS transport for calls (and such a transport doesn’t like wildcards/SAN for that purpose) and provisioning would benefit yet still protect against MITM attacks inside a possibly compromised LAN.
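An added example, not code from the certman module or from anyone in this thread, that checks whether the dNSName entries in a cert's SAN list cover every hostname an SNI-based virtual host setup will present, using the leftmost-label wildcard rule that conservative TLS clients apply; the SAN list and the extra name prov.mydomain.com are constructed for the demo.

```python
# Added example (not from the certman module): check that a certificate's
# Subject Alternative Name dNSName entries cover a set of SNI hostnames.
# Matching rules used here: case-insensitive exact match, or a wildcard
# that replaces exactly the leftmost label. "*.mydomain.com" therefore covers
# "sip.mydomain.com" but neither "mydomain.com" nor "a.sip.mydomain.com".

def san_matches(san_entry: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers the given hostname."""
    san = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    # The wildcard must be the whole leftmost label, appear only there, and
    # be followed by at least two fixed labels so "*.com" is never accepted.
    if san_labels[0] != "*" or len(san_labels) < 3 or "*" in san[1:]:
        return False
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def uncovered_hostnames(san_names, required_hosts):
    """Return the required hostnames that no SAN entry matches, in order."""
    return [h for h in required_hosts
            if not any(san_matches(s, h) for s in san_names)]


if __name__ == "__main__":
    # Constructed SAN list, as a multi-name cert from certman 15.0.35 would carry.
    san = ["admin.mydomain.com", "ucp.mydomain.com", "sip.mydomain.com"]
    # Constructed list of vhost names; prov.mydomain.com is a hypothetical extra.
    wanted = ["admin.mydomain.com", "UCP.mydomain.com",
              "sip.mydomain.com", "prov.mydomain.com"]
    print("Not covered:", uncovered_hostnames(san, wanted))
```

Run it against the dNSName list printed by `openssl x509 -in cert.pem -noout -ext subjectAltName` to confirm the issued cert really carries every name before switching a vhost to it.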
Certman 15.0.35 has just been released to edge. It fixes the chown issues in the original cli 15.0.34 release and adds support for alternative names in the cert.
I recommend running fwconsole chown from the console after installing 15.0.35 if you have used the letsencrypt cli generation in 15.0.34.