# Let's Encrypt ACME protocol

```
Let's Encrypt! ACME client

Usage: acme-encrypt-exe --key FILE --domain DOMAIN --challenge-dir DIR
                        [--domain-dir DIR] [--email ADDRESS] [--terms URL]
                        [--staging]
  This is a work in progress.

Available options:
  -h,--help                Show this help text
  --key FILE               filename of your private RSA key
  --domain DOMAIN          the domain name to certify
  --challenge-dir DIR      output directory for ACME challenges
  --domain-dir DIR         directory in which to domain certificates and keys
                           are stored; the default is to use the domain name as
                           a directory name
  --email ADDRESS          an email address with which to register an account
  --terms URL              the terms param of the registration request
  --staging                use staging servers instead of live servers
                           (certificates will not be real!)
```

This is a simple Haskell script to obtain a certificate from [Let's
Encrypt](https://letsencrypt.org/) using their ACME protocol.
- The main source of information to write this was
  https://github.com/diafygi/letsencrypt-nosudo

- The ACME spec: https://letsencrypt.github.io/acme-spec/

## Generate user account keys

The needed keys will be automatically generated with HsOpenSSL. You can also
pre-generate them manually, in which case they won't be overwritten:

```
# account key (used to sign ACME requests)
openssl genrsa 4096 > user.key
# per-domain key (the certificate will be issued for this key)
mkdir -p ${DOMAIN}
openssl genrsa 4096 > ${DOMAIN}/rsa.key
```

## Send CSR

The CSR will be automatically created. You can also create it yourself with:

```
> openssl req -new -sha256 -key ${DOMAIN}/rsa.key \
      -subj "/CN=${DOMAIN}" -outform DER > ${DOMAIN}/csr.der
```

## Receive certificate

The signed certificate will be saved by this program in
`./${DOMAIN}/cert.der`. You can copy that file to the place your TLS server is
configured to read it.

You can also view the certificate like so:

```
> openssl x509 -inform der -in ${DOMAIN}/cert.der  -noout -text | less
```

## Create a certificate for HAProxy

The combined file below includes explicit DH key exchange parameters to prevent
the Logjam attack (https://weakdh.org/).

```
> openssl x509 -inform der -in ${DOMAIN}/cert.der \
    -out ${DOMAIN}/cert.pem
> openssl dhparam -out ${DOMAIN}/dhparams.pem 2048
> cat ${DOMAIN}/cert.pem \
    lets-encrypt-x1-cross-signed.pem \
    ${DOMAIN}/rsa.key \
    ${DOMAIN}/dhparams.pem > ${DOMAIN}-combined.pem
```