Let's Encrypt certificates for IPFire

In order to get rid of the certificate warnings when accessing the IPFire web interface, I thought it would be a good idea to use Let’s Encrypt certificates for this purpose. Yes, maybe it is “not necessary”.

Just for clarification: I don’t access the web interface from outside, only from my local network. I just wanted to get rid of the warning.

I used the ACME DNS challenge for this so I don’t have to expose ports 80 and 443.

Since I haven’t found anything like this while searching for it, I thought it couldn’t hurt to post it here. Maybe it will be helpful for others too.

If I made any mistakes or could do something better, please let me know so that I can fix it.

Here is how I did it:

Backup original files:

cd /etc/httpd/

cp server.key server.key.old &&
cp server.csr server.csr.old &&
cp server.crt server.crt.old &&
cp server-ecdsa.key server-ecdsa.key.old &&
cp server-ecdsa.csr server-ecdsa.csr.old &&
cp server-ecdsa.crt server-ecdsa.crt.old &&
cp conf/vhosts.d/ipfire-interface-ssl.conf conf/vhosts.d/ipfire-interface-ssl.conf.old

Create separate user

useradd --create-home --home-dir /etc/acme --shell /sbin/nologin acme

Change home directory permissions

chmod 700 /etc/acme

Allow user to use cron

echo acme >> /etc/fcron.allow

Allow restart apache via sudo

With visudo command add the following:

# User privilege specification
acme ALL=NOPASSWD: /etc/init.d/apache restart

Change permissions of certificate files

chown root:acme /etc/httpd/server.* &&
chmod g+w /etc/httpd/server.* &&
chmod g+r /etc/httpd/*.key

Install acme.sh client

git is required so install it via Pakfire first.

su - acme -s /bin/bash
cd ~
# clone step (missing from the original post; the acmesh-official repository is assumed)
git clone https://github.com/acmesh-official/acme.sh.git acme.sh_git
cd acme.sh_git
./acme.sh --install --home /etc/acme/acme.sh

This will throw an error that the crontab isn’t accessible, so we will add it manually. You have to do this as the root user:

fcrontab -u acme -e
24 0 * * * /etc/acme/acme.sh/acme.sh --cron --home /etc/acme/acme.sh > /dev/null

Provide DNS API credentials

I have my domains at INWX. If you use another provider take a look here: dnsapi · acmesh-official/acme.sh Wiki · GitHub

export INWX_User="<username>"
export INWX_Password="<password>"

Generate certificates (TEST)

acme.sh \
--issue \
--server letsencrypt \
--dns dns_inwx \
--domain <your.sub.domain.tld> \
--keylength 4096 \
--key-file /etc/httpd/server.key \
--cert-file /etc/httpd/server.crt \
--reloadcmd "sudo /etc/init.d/apache restart" \
--debug \
--test

Finally generate certificates

If everything works as expected and no errors are shown, replace the --test flag in the above command with --force to issue the real certificate.

Remove DNS API credentials

# "set -e" would enable errexit in bash rather than remove the variables; unset is the correct command
unset INWX_User
unset INWX_Password

Disable ECDSA certificate

IPFire by default uses two certificates (RSA & ECDSA). For now I just disabled ECDSA so that it will always use the newly generated RSA certificate.

In /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf comment out (#) the two lines for the ECDSA certificate, or delete them completely.

I guess this is no permanent solution because this file could be overwritten by an IPFire update.

After that, restart Apache and everything should work:

/etc/init.d/apache restart
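Since the vhost edit, the fcron.allow entry and the file permissions are the steps an IPFire update is most likely to undo, here is an added example (my own, not from the post, IPFire or acme.sh) of a small POSIX shell helper that re-applies them idempotently. Every path is a parameter so the functions can be tried on scratch copies first; the directive names in the constructed vhost fragment are assumed, and the explicit removal of "other" permissions on *.key is a tightening beyond what the post does.

```shell
#!/bin/sh
# Re-apply the parts of the Let's Encrypt setup that an IPFire update can undo.
# Added example, not part of the original post. Every path is a parameter so the
# functions can be tried on scratch copies before touching the firewall's files.

# Comment out every active directive that references the ECDSA certificate or
# key; RSA and unrelated lines are left alone. Already-commented lines are not
# touched again, so the function is safe to re-run after each update.
disable_ecdsa_lines() {
    conf="$1"
    sed -e '/^[[:space:]]*#/!s/^\(.*server-ecdsa\)/#\1/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Number of still-active directives pointing at the ECDSA files. 0 means Apache
# will serve only the RSA certificate that acme.sh renews.
active_ecdsa_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -c 'server-ecdsa' || true
}

# Add the cron user to fcron.allow exactly once.
ensure_fcron_allow() {
    allow="$1"; user="${2:-acme}"
    grep -qx "$user" "$allow" 2>/dev/null || echo "$user" >> "$allow"
}

# Give the acme group write access to the certificate files (acme.sh must
# overwrite them on renewal) and make sure the private keys are not readable
# by anyone else. The post only added g+w/g+r; the explicit o= on *.key is a
# tightening added here. chown is skipped when the group does not exist, so
# the function can be exercised on a scratch directory.
fix_cert_perms() {
    dir="$1"; grp="${2:-acme}"
    for f in "$dir"/server.*; do
        [ -e "$f" ] || continue
        if getent group "$grp" >/dev/null 2>&1; then
            chown "root:$grp" "$f"
        fi
        chmod g+w "$f"
        case "$f" in
            *.key) chmod u=rw,g=rw,o= "$f" ;;
        esac
    done
}

# Constructed vhost fragment modelled on the two ECDSA lines the post says to
# comment out. The directive names are assumed; compare with your own
# ipfire-interface-ssl.conf before relying on the pattern.
write_sample_vhost() {
    cat > "$1" <<'EOF'
SSLEngine on
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLCertificateFile /etc/httpd/server-ecdsa.crt
SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
EOF
}

# Real run on the firewall, as root, after an update:  sh reapply.sh --apply
reapply_all() {
    vhost=/etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf
    disable_ecdsa_lines "$vhost"
    ensure_fcron_allow /etc/fcron.allow acme
    fix_cert_perms /etc/httpd acme
    # Restart only once the ECDSA lines are really gone; otherwise Apache would
    # keep offering the self-signed ECDSA certificate.
    [ "$(active_ecdsa_lines "$vhost")" = 0 ] && /etc/init.d/apache restart
}

case "${1:-}" in
    --apply) reapply_all ;;
esac
```

Without --apply the script only defines the functions, so you can source it and run, for example, `write_sample_vhost /tmp/ssl.conf && disable_ecdsa_lines /tmp/ssl.conf` to see the sed pattern at work before pointing it at the real vhost file.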

A thread worthy of the IPFire wiki!


Hi all,
it looks fine at first glance, but I am afraid it is not a persistent solution. After updating IPFire you’ll have to repeat all the steps. Please correct me if this is incorrect.
Cheers,
Pierre

That is correct. It could easily be converted to a script and run after an update though. Not something I would do to my firewall though. It already makes me very nervous as it is in terms of security; I don’t feel the need to mess with the core of the web interface.

Hi John - I saw you are using Let’s Encrypt certificates and thought this IPFire addon may help:


I would recommend against using LE certificates on IPFire. You won’t gain any extra security; you are in fact downgrading security by using RSA only.

I would recommend simply importing the auto-generated certificate into your browser, and you will never see the certificate warning again.
