Another beta account :D I applied for letsencrypt and got accepted for their closed beta :D Maybe the reason I got accepted was my special domain: I think it is very likely that I am the only .koeln letsencrypt user so far.
Setting up letsencrypt was pretty easy and generally works as described:
git clone https://github.com/letsencrypt/letsencrypt
letsencrypt-auto will automatically install the required libraries via brew (on the Mac). My local brew had some problems but after updating and brew doctor everything worked smoothly. Afterwards a little CLI UI will guide you through the registration process and ultimately it will generate a little JOSE content which you have to place on your webserver at the location indicated. It MUST be served using “application/jose+json”.
Make sure your web server displays the following content at
Uberspace is hosting everything via Apache. So to serve the file with the correct Content-Type you need to configure it properly. To do this I placed a .htaccess in the directory where I placed the JOSE+JSON file:
<Files "the filename of the jose+json file">
I verified that everything is correctly set up using Postman but cURL works as well. Finally press ENTER and if everything worked it will generate a proper certificate and key:
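The Content-Type check described above (done there with Postman or cURL) can also be scripted. This is an added example, not part of the original post or of the letsencrypt client; the function names, the `/challenge-file` path and the sample body are constructed, and the local test server only stands in for the real web host so the script runs offline.

```python
import http.server
import threading
import urllib.error
import urllib.request

REQUIRED_TYPE = "application/jose+json"  # media type the file MUST be served with
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy in between

def media_type(value):
    """Bare, lower-cased media type of a Content-Type value (parameters dropped)."""
    return value.split(";", 1)[0].strip().lower()

def check_challenge(url, expected_body, timeout=10):
    """Fetch url and return a list of problems; an empty list means all is fine."""
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            body = resp.read()
    except urllib.error.HTTPError as exc:
        return [f"HTTP status {exc.code}"]
    except urllib.error.URLError as exc:
        return [f"request failed: {exc.reason}"]
    problems = []
    if media_type(ctype) != REQUIRED_TYPE:
        problems.append(f"Content-Type is {ctype!r}, expected {REQUIRED_TYPE}")
    if body.strip() != expected_body.strip():
        problems.append("body differs from the content the client printed")
    return problems

def start_test_server(content_type, body):
    """Constructed local stand-in for the web host: serves body with content_type."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Type", content_type)
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the demo output quiet
            pass
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/challenge-file"

if __name__ == "__main__":
    sample = b'{"constructed": "sample JOSE content"}'
    # First run mimics a host without the Content-Type override, second one with it.
    for ctype in ("text/plain", REQUIRED_TYPE):
        server, url = start_test_server(ctype, sample)
        print(ctype, "->", check_challenge(url, sample) or "OK")
        server.shutdown()
```

For a real check, call `check_challenge` with the URL the client printed and the content it asked you to publish.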
Setting up uberspace
So far letsencrypt has provided us with a directory providing everything we need to set up HTTPS on our uberspace host:
hans-guenther:tmp mop$ sudo ls -al /etc/letsencrypt/live/mop.koeln
Note that they are only readable by root, and for good reason: these files are absolutely sensitive. If an attacker gets hold of these files he can decrypt everything.
SCP/SFTP the privkey and the fullchain file to a PRIVATE location (i.e. your home directory and NOT somewhere on your webserver) on your uberspace host.
Run the following commands to prepare everything for the uberspace guys:
[mop@host ~]$ wget "https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem"
Even though the intermediate certificate is an optional argument it is required for this command to work. I initially omitted the intermediate certificate (because I didn’t really know what it is ;) ) and caused some extra work for the uberspace guys. But as always they were very friendly and helped out :)
Mail the above output to the uberspace guys and finally you should have https support just like me: https://mop.koeln/ :D