Certbot/LetsEncrypt certificate support

Any chance of getting this built-in and controllable via the cnMaestro webUI?

From the console, all that is needed is:

add-apt-repository ppa:certbot/certbot
apt-get install python-certbot-nginx
certbot --nginx -d cnm.escwireless.com

Then run "certbot renew" via cron once a day; it will renew the 90-day certificate automatically when it nears expiration.  (Obviously the FQDN in the third line above has to reach the server.)

A simple dialog to create a new cert would only need the FQDN from the admin, then it could request a new certificate and automatically renew without any further intervention... (and without being overwritten every time there's an update, hopefully)

j

2 Likes

Hi newkirk,

Are you requesting this in addition to the Generate CSR UI tool?

Not answering for newkirk, but that's a yes for me.  These are free 90 day certs.  Anyone not familiar with LetsEncrypt should look them up.  Quite useful and cost effective.

1 Like

Yes, or as an alternative portion of it.  With the python-certbot-nginx package (and its dependencies) installed, it just takes "certbot --nginx -d host.domain.tld" and it will handle the entire process of signing a request, requesting a certificate, confirming control of host.domain.tld, retrieving the signed certificate, and installing it. (might need "--agree-tos" as well to run non-interactively, haven't checked) After that, running "certbot renew" periodically will check if the certificate is nearing expiration and renew when needed.  (90-day expirations IIRC)

So from a WebUI perspective we'd just need to specify or approve the FQDN and turn it loose and it could handle everything from then on.  (assuming "certbot renew" is set up in a cronjob)

Certbot is a support program from certbot.eff.org (Electronic Frontier Foundation) while the certificates are issued by letsencrypt.org and trusted by every browser I've tried.  (Mozilla and Chrome are among their sponsors)

If we already have a wildcard certificate or have paid for one specific to the cnMaestro on-premises FQDN then the UI to install them is great, but if we're going to request a new certificate for this host then I'd prefer LetsEncrypt for the automation and the free certificates.

j

1 Like
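A check that the unattended "certbot renew" cron job described above is actually keeping the served certificate fresh, as an added example that is not from the thread or from cnMaestro. The 30-day renewal window, the 7-day alert margin and the sample expiry date are assumptions; set the thresholds to match the certbot configuration in use.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumption: renewal is expected once fewer days than this remain
ALERT_MARGIN_DAYS = 7   # assumption: days of failed renewals tolerated before alerting
SAMPLE_NOT_AFTER = "Apr 01 00:00:00 2025 GMT"  # constructed: 90-day cert issued 2025-01-01


def days_remaining(not_after, now):
    """not_after is the 'notAfter' string from SSLSocket.getpeercert()."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def renewal_status(not_after, now):
    left = days_remaining(not_after, now)
    if left < 0:
        return "EXPIRED"
    if left < RENEW_WINDOW_DAYS - ALERT_MARGIN_DAYS:
        return "RENEWAL_OVERDUE"  # cron job has been failing for a while
    if left < RENEW_WINDOW_DAYS:
        return "RENEWAL_DUE"      # inside the window; the next daily run should renew
    return "OK"


def fetch_not_after(host, port=443, timeout=5.0):
    """Read notAfter from the certificate the server presents (chain is verified)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host, now=None):
    now = now or datetime.now(timezone.utc)
    try:
        return renewal_status(fetch_not_after(host), now)
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted certificate fails the handshake before we can read it.
        return "UNTRUSTED: " + exc.verify_message


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], check_host(sys.argv[1]))
    else:
        print("sample", renewal_status(SAMPLE_NOT_AFTER, datetime(2025, 3, 15, tzinfo=timezone.utc)))
```

Run it from a separate host with the server's FQDN as the argument, so a silently broken cron job shows up as RENEWAL_OVERDUE well before browsers start rejecting the certificate.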

Thanks for the information Luis and newkirk.  That clarifies the request and the benefits of LetsEncrypt.

I suggest adding this request to the Ideas section (and both upvote) to extend the existing Generate CSR UI tool to support LetsEncrypt with an auto-renew option for that 90 days limit.

http://community.cambiumnetworks.com/t5/Ideas/ct-p/Ideas


@Jordan wrote:

Thanks for the information Luis and newkirk.  That clarifies the request and the benefits of LetsEncrypt.

I suggest adding this request to the Ideas section (and both upvote) to extend the existing Generate CSR UI tool to support LetsEncrypt with an auto-renew option for that 90 days limit.

http://community.cambiumnetworks.com/t5/Ideas/ct-p/Ideas


Done, at http://community.cambiumnetworks.com/t5/Your-Ideas/Certbot-LetsEncrypt-certificate-support/idi-p/81108

Though as I've mentioned before on these forums I have little confidence posting in the "your ideas" section...  Maybe that's because I refuse to be a cheerleader urging people to upvote an idea, (or doing so myself from my old idle userIDs) or because some ideas seem to sit there forever with no action, or maybe I'm just wrong.

j

4 Likes