In order to get rid of the certificate warnings when accessing the IPFire web interface, I thought it would be a good idea to use Let's Encrypt certificates for this purpose. Yes, maybe it is "not necessary".
Just for clarification: I don't access the web interface from external networks but only from my local network. I just wanted to get rid of the warning.
I used the ACME DNS challenge for this so I don't have to expose ports 80 and 443.
Since I haven't found anything like this while I searched for it, I thought it couldn't hurt to post this here. Maybe it will be helpful for others too.
If I made any mistakes or could do something better, please let me know so that I can fix it.
Here is how I did it:
cd /etc/httpd/
cp server.key server.key.old && cp server.csr server.csr.old && cp server.crt server.crt.old
cp server-ecdsa.key server-ecdsa.key.old && cp server-ecdsa.csr server-ecdsa.csr.old && cp server-ecdsa.crt server-ecdsa.crt.old
cp conf/vhosts.d/ipfire-interface-ssl.conf conf/vhosts.d/ipfire-interface-ssl.conf.old
useradd --create-home --home-dir /etc/acme --shell /sbin/nologin acme
chmod 700 /etc/acme
echo acme >> /etc/fcron.allow
Run visudo and add the following:
# User privilege specification
acme ALL=NOPASSWD: /etc/init.d/apache restart
chown root:acme /etc/httpd/server.* && chmod g+w /etc/httpd/server.* && chmod g+r /etc/httpd/*.key
git is required, so install it via Pakfire first.
su - acme -s /bin/bash
cd ~
git clone https://github.com/acmesh-official/acme.sh.git acme.sh_git   # fetch acme.sh into the directory used below (this step is not spelled out in the post)
cd acme.sh_git
./acme.sh --install --home /etc/acme/acme.sh
This will throw an error that crontab isn't accessible, so we will add it manually. You have to do this as the root user:
fcrontab -u acme -e
24 0 * * * /etc/acme/acme.sh/acme.sh --cron --home /etc/acme/acme.sh > /dev/null
I have my domains at INWX. If you use another provider, take a look at the dnsapi page of the acme.sh wiki on GitHub (acmesh-official/acme.sh).
export INWX_User="<username>"
export INWX_Password="<password>"
acme.sh \
  --issue \
  --server letsencrypt \
  --dns dns_inwx \
  --domain <your.sub.domain.tld> \
  --keylength 4096 \
  --key-file /etc/httpd/server.key \
  --cert-file /etc/httpd/server.crt \
  --reloadcmd "sudo /etc/init.d/apache restart" \
  --debug \
  --test
If everything works as expected and no errors are shown, replace the --test flag in the above command with --force to issue the real certificate.
unset INWX_User INWX_Password   # remove the API credentials from the shell environment again; acme.sh has stored them for renewals
IPFire by default uses two certificates (RSA & ECDSA). For now I just disabled ECDSA so that it will always use the newly generated RSA certificate.
In /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf, comment out (#) the two lines with the ECDSA certificate or delete them completely.
I guess this is no permanent solution because this file could be overwritten by an IPFire update.
After that, restart Apache and everything should work.
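Because acme.sh overwrites server.crt and server.key and then restarts Apache, a quick sanity check before or after the restart is useful: it confirms the key is not world-readable, that the certificate actually belongs to the key, and that it is not about to expire (which would mean the renewal cron job silently stopped working). This is an added helper, not part of the post or of acme.sh; it assumes openssl and GNU stat are available, as they are on IPFire.

```shell
#!/bin/bash
# Sanity checks for the Let's Encrypt certificate that acme.sh writes
# into /etc/httpd before Apache is restarted.
# Usage: check_ipfire_cert [CRT] [KEY] [MIN_DAYS]
# Returns 0 when everything looks fine, 1 otherwise (with the reason printed).
check_ipfire_cert() {
    local crt="${1:-/etc/httpd/server.crt}"
    local key="${2:-/etc/httpd/server.key}"
    local min_days="${3:-30}"
    local crt_pub key_pub mode

    # 1. Both files must exist, and the key must not be readable by "other".
    #    (g+r as in the post is fine, the acme group needs it; o+r is not.)
    [ -r "$crt" ] && [ -r "$key" ] || { echo "missing $crt or $key"; return 1; }
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        *[1-7]) echo "$key is accessible by others (mode $mode)"; return 1 ;;
    esac

    # 2. The certificate must belong to the key. Comparing the public keys
    #    works for both RSA and ECDSA, unlike comparing the RSA modulus.
    crt_pub=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    [ -n "$crt_pub" ] && [ -n "$key_pub" ] \
        || { echo "cannot read a public key from $crt or $key"; return 1; }
    [ "$crt_pub" = "$key_pub" ] || { echo "$crt does not match $key"; return 1; }

    # 3. The certificate must remain valid for at least MIN_DAYS, otherwise
    #    the fcron renewal job is probably broken.
    openssl x509 -noout -checkend $((min_days * 86400)) -in "$crt" >/dev/null 2>&1 \
        || { echo "$crt expires within $min_days days"; return 1; }

    echo "ok: $(openssl x509 -noout -subject -enddate -in "$crt" | tr '\n' ' ')"
    return 0
}
```

It can also be used as a gate in the reload, for example --reloadcmd "/etc/acme/check.sh && sudo /etc/init.d/apache restart" (path assumed), so a broken key/cert pair never takes the web interface down.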