In order to get rid of the certificate warnings when accessing the IPFire web interface, I thought it would be a good idea to use Let’s Encrypt certificates for this purpose. Yes, maybe it is “not necessary”.
Just for clarification: I don’t access the web interface from outside, only from my local network. I just wanted to get rid of the warning.
I used the ACME DNS challenge for this, so I don’t have to expose ports 80 and 443.
Since I haven’t found anything like this while searching for it, I thought it couldn’t hurt to post this here. Maybe it will be helpful for others too.
If I made any mistakes or could do something better, please let me know so that I can fix it.
Here is how I did it:
Backup original files:
cd /etc/httpd/
cp server.key server.key.old &&
cp server.csr server.csr.old &&
cp server.crt server.crt.old &&
cp server-ecdsa.key server-ecdsa.key.old &&
cp server-ecdsa.csr server-ecdsa.csr.old &&
cp server-ecdsa.crt server-ecdsa.crt.old &&
cp conf/vhosts.d/ipfire-interface-ssl.conf conf/vhosts.d/ipfire-interface-ssl.conf.old
Create separate user
useradd --create-home --home-dir /etc/acme --shell /sbin/nologin acme
Change home directory permissions
chmod 700 /etc/acme
Allow user to use cron
echo acme >> /etc/fcron.allow
Allow restarting Apache via sudo
With the visudo command add the following (the rule is limited to exactly this one command, nothing else runs as root):
# User privilege specification
acme ALL=NOPASSWD: /etc/init.d/apache restart
Change permissions of certificate files
chown root:acme /etc/httpd/server.* &&
chmod g+w /etc/httpd/server.* &&
chmod g+r /etc/httpd/*.key
Install acme.sh client
git is required, so install it via Pakfire first.
su - acme -s /bin/bash
cd ~
git clone https://github.com/acmesh-official/acme.sh.git acme.sh_git
cd acme.sh_git
./acme.sh --install --home /etc/acme/acme.sh
This will throw an error that crontab isn’t accessible. So we will add it manually. You have to do this as the root user:
fcrontab -u acme -e
24 0 * * * /etc/acme/acme.sh/acme.sh --cron --home /etc/acme/acme.sh > /dev/null
Provide DNS API credentials
I have my domains at INWX. If you use another provider, take a look at the dnsapi page of the acmesh-official/acme.sh wiki on GitHub.
export INWX_User="<username>"
export INWX_Password="<password>"
Generate certificates (TEST)
Still in the acme user's shell. --test uses the Let's Encrypt staging environment, so mistakes here don't count against the production rate limits. --keylength 4096 produces a 4096-bit RSA key for the RSA certificate slot.
acme.sh \
--issue \
--server letsencrypt \
--dns dns_inwx \
--domain <your.sub.domain.tld> \
--keylength 4096 \
--key-file /etc/httpd/server.key \
--cert-file /etc/httpd/server.crt \
--reloadcmd "sudo /etc/init.d/apache restart" \
--debug \
--test
Note: --cert-file writes only the leaf certificate into server.crt. If clients complain about an incomplete chain, acme.sh can write leaf plus intermediate into the same file with --fullchain-file instead of --cert-file.
Finally generate certificates
If everything works as expected and no errors are shown, replace the --test flag in the above command with --force to issue the real certificate (--force is needed because acme.sh otherwise considers the freshly issued staging certificate as not yet due for renewal).
Remove DNS API credentials
unset INWX_User INWX_Password
Note that acme.sh saves the DNS API credentials to /etc/acme/acme.sh/account.conf so that the cron job can renew without them being in the environment, which is one more reason for the chmod 700 on /etc/acme above.
Disable ECDSA certificate
IPFire by default uses two certificates (RSA & ECDSA). For now I just disabled ECDSA so that it will always use the newly generated RSA certificate.
In /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf, comment out (#) the two lines with the ECDSA certificate or delete them completely.
I guess this is no permanent solution because this file could be overwritten at an IPFire update.
After that, restart Apache and everything should work:
/etc/init.d/apache restart
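As an added example that is not part of the original post: a small checker for the key/certificate pair that acme.sh writes into /etc/httpd. It verifies that server.key and server.crt belong together, that the certificate is not about to expire, that the staging (--test) certificate is not still installed, and how many certificates the running web interface actually sends (1 means leaf only from --cert-file, 2 means leaf plus intermediate from --fullchain-file). The paths, the sudo rule from above and the IPFire web interface port 444 are assumptions about this setup, as is the script path used in the usage note.

```shell
#!/bin/sh
# Added example, not from the original post: post-issuance checks for the
# key/certificate pair acme.sh writes into /etc/httpd, plus a guarded restart
# that refuses to restart Apache when the pair does not fit together.
# Paths, the sudo rule and the web interface port 444 are assumptions.

KEY_FILE="${KEY_FILE:-/etc/httpd/server.key}"
CERT_FILE="${CERT_FILE:-/etc/httpd/server.crt}"

# SHA-256 of the DER-encoded public key derived from a private key file.
# Fails (non-zero, no output) when the file is not a parseable private key.
pubkey_hash_from_key() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Same hash, taken from the public key embedded in a certificate.
pubkey_hash_from_cert() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 when the private key and the certificate belong together.
cert_key_match() {
    k=$(pubkey_hash_from_key "$1") || return 1
    c=$(pubkey_hash_from_cert "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 when the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 when the issuer looks like Let's Encrypt's staging CA ("(STAGING) ..." or
# the older "Fake LE ..." names), i.e. the --test certificate is still in place.
cert_is_staging() {
    openssl x509 -in "$1" -noout -issuer 2>/dev/null | grep -Eq 'STAGING|Fake LE'
}

# Number of certificates the running web interface sends in the TLS handshake.
# Usage: served_chain_length <hostname> [port]   (port 444 assumed for IPFire)
served_chain_length() {
    openssl s_client -connect "$1:${2:-444}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Meant as the --reloadcmd target: only restart Apache when the new files fit,
# so a broken renewal does not take the web interface down.
safe_reload() {
    if ! cert_key_match "$KEY_FILE" "$CERT_FILE"; then
        echo "server.key does not match server.crt, Apache not restarted" >&2
        return 1
    fi
    if cert_is_staging "$CERT_FILE"; then
        echo "warning: a Let's Encrypt staging certificate is installed" >&2
    fi
    sudo /etc/init.d/apache restart
}

case "${1:-}" in
    check)  cert_key_match "$KEY_FILE" "$CERT_FILE" \
                && cert_valid_for_days "$CERT_FILE" 14 \
                && ! cert_is_staging "$CERT_FILE" ;;
    reload) safe_reload ;;
esac
```

Saved for example as /etc/acme/check-cert.sh (path assumed) and made executable, `check-cert.sh check` can be run by hand as the acme user, and `--reloadcmd "/etc/acme/check-cert.sh reload"` replaces the bare Apache restart in the acme.sh command above.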