[buug] letsencrypt

Tue May 2 14:42:58 PDT 2017

If you use certbot client (available in Debian backports & later),
and use it in --manual mode, it gives you script bits you can
use to fire up http listener under Python.
I have wrapper scripts that generate key(s) and CSR(s), then use
cerbot in --manual mode with various options, in any case, e.g.:
$ Getcerts example.com
...
-------------------------------------------------------------------------------
Make sure your web server displays the following content at
http://example.com/.well-known/acme-challenge/kY4B_8mcPEu0U6iViCrwyByrYvVSIZg8VuSR2zNVsow before  
continuing:

kY4B_8mcPEu0U6iViCrwyByrYvVSIZg8VuSR2zNVsow.uBv74F95SBTHmImLwOI3zhA3qsAKdz1R87ZIF9sMkM4

If you don't have HTTP server configured, you can run the following
command on the target server (as root):

mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
cd /tmp/certbot/public_html
printf "%s"  
kY4B_8mcPEu0U6iViCrwyByrYvVSIZg8VuSR2zNVsow.uBv74F95SBTHmImLwOI3zhA3qsAKdz1R87ZIF9sMkM4 >  
.well-known/acme-challenge/kY4B_8mcPEu0U6iViCrwyByrYvVSIZg8VuSR2zNVsow
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80),  
SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
-------------------------------------------------------------------------------
Press Enter to Continue
...
There's also a DNS validation means ... but I've not tried it yet ... might(?)
require DNSSEC (which I have on some domains), and may not be available with
the certbot client, but it is available in the API, and I believe it's
available via at least (some) other client(s).

> From: "Wojciech Adam Koszek" <wkoszek at freebsd.czest.pl>
> Subject: Re: [buug] letsencrypt
> Date: Tue, 2 May 2017 13:50:17 -0700

> Ian
>
> If you are willing to switch to acme.sh client, it can do a DNS  
> based validation. You pass it a hook to a script which will make DNS  
> zone changes via API. It comes with many ready to use hooks-scripts.  
> You must provide API secret only.
>
> If not that, I've used Python -m SimpleHTTPServer 80 to accomplish  
> the same with the original client. So basically I start a simple  
> Python http server and kill it right after verification
>
> Wojciech
>
> Sent from my iPhone
>
>> On May 2, 2017, at 12:16 PM, Ian Zimmerman <itz at primate.net> wrote:
>>
>> Is the a way to get a letsencrypt ceritificate without an already
>> functional httpd?  AFAIK all the packaged solutions like dehydrated
>> require that (even if the dehydrated package does not depend on the
>> httpd package).
>>
>> I control the DNS for the domain in question.
>>
>> --
>> Please *no* private Cc: on mailing lists and newsgroups
>> Personal signed mail: please _encrypt_ and sign
>> Don't clear-text sign:
>> http://primate.net/~itz/blog/the-problem-with-gpg-signatures.html