LetsEncrypt

From Koha Wiki

Koha should have an option to use Let's Encrypt certificates out of the box. Bug 15303 is about that.

I don't want to flood the bug tracker with changing test plans and other information, so I will add some things here.

Implemented

  • SSL-only Apache template
  • mechanism to get a certificate automatically when doing koha-create
  • HTTP to HTTPS forwarding
  • --letsencrypt option for koha-list

Not implemented

Information for testers

  • if you can, do it on a "real" server on the web
  • if that is not an option, you need to make port 80 of your VM reachable from the web for the test. Port forwarding plus a network bridge in VirtualBox works for me; a host-only adapter plus a NAT adapter won't
  • you need "real"/globally resolvable subdomains pointing to the IP of your test server, or to an IP that forwards port 80 to it. That is where the webroot check of Let's Encrypt happens (an HTTP request to /.well-known/acme-challenge/ on port 80) before they issue the certificate
  • DynDNS pointing to your IP should work
  • for the staff client, an /etc/hosts entry "ip.of.your.vm <instancename>-intra.your.domain.tld" on the machine you are browsing the test instance from should work for testing. Not sure if this is valid anymore; use real subdomains.
  • put the real (sub)domain that you want to use in koha-sites.conf before you create the instance. The default of mydns-something won't work

Limitations

There are rate limits. At the moment (09 April 2016, public beta), these are

  • Rate limit on registrations per IP is currently 500 per 3 hours
  • Rate limit on certificates per Domain is currently 20 per 7 days

Source

That could lead to problems when testing, but also when renewing certificates on servers with multiple instances! I planned to use a cron job to renew all instances found with koha-list --letsencrypt every 60 days (certs are valid for 90 days). With the current rate limits, that won't work with more than 20 instances using separate certs. It got increased from 5 to 20 certs per 7 days, which should be fine for most use cases.

Possible workarounds

  • Let's Encrypt is working on a rate limit override request form; it's supposed to be available January 2016. Source
    • More info needed
  • Multi-domain certs are possible; with bug 15303 we already make use of that (one cert for OPAC + intranet)
    • Using one cert for all instances in one installation would work: only one cert to renew every 90 days
      • SAN multi-domain certs have a limit of 100 domains at the moment (01/16) Source
    • It may be possible to keep the current workflow and add an option that uses koha-list --letsencrypt to get all relevant instances, issues a single cert for all of them and changes the Apache configs
      • Not going to be in bug 15303
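The renewal cron job and the single-SAN-cert-for-all-instances workaround discussed above both need the two limits (20 certs per registered domain per 7 days, 100 names per SAN cert) checked before anything is submitted to Let's Encrypt. The following POSIX sh script is an added example, not code from the Koha project or from bug 15303. It assumes that instance names come from koha-list --letsencrypt (stubbed here with a constructed list), that hostnames follow the koha-sites.conf pattern <instance>.<domain> for the OPAC and <instance>-intra.<domain> for the staff client, and that the ACME client is certbot with a hypothetical webroot /var/lib/koha/acme; none of those details are stated on this page.

```shell
#!/bin/sh
# Added example, not Koha's own code: plan Let's Encrypt issuance for many Koha
# instances without tripping the limits quoted on this page (20 certs per
# registered domain per 7 days, 100 names per SAN cert).
# Assumptions (not from the page): instance names normally come from
# `koha-list --letsencrypt` (stubbed below with a constructed list); hostnames
# follow the koha-sites.conf pattern <instance>.<domain> for the OPAC and
# <instance>-intra.<domain> for the staff client; the client is certbot with a
# hypothetical webroot /var/lib/koha/acme.

SAN_LIMIT=100          # hostnames per certificate (page: 100, as of 01/16)
WEEKLY_CERT_LIMIT=20   # certificates per registered domain per 7 days

# Stand-in for `koha-list --letsencrypt`: constructed sample instance names.
list_instances() {
    printf '%s\n' library1 library2 library3
}

# Read instance names on stdin, print the OPAC and intranet hostname for each.
koha_domains() {
    domain="$1"
    while read -r name; do
        printf '%s.%s\n%s-intra.%s\n' "$name" "$domain" "$name" "$domain"
    done
}

# Number of SAN certificates needed for N hostnames: ceil(N / SAN_LIMIT).
certs_needed() {
    echo $(( ($1 + SAN_LIMIT - 1) / SAN_LIMIT ))
}

# Read hostnames on stdin and print one line of "-d host" arguments per
# certificate, never more than $1 (default SAN_LIMIT) names on a line.
san_chunks() {
    awk -v n="${1:-$SAN_LIMIT}" '
        { printf "%s-d %s", ((n == 1 || NR % n == 1) ? "" : " "), $0
          if (NR % n == 0) print "" }
        END { if (NR % n != 0) print "" }'
}

# Succeeds when issuing $1 new certificates on top of $2 already issued this
# week stays within the weekly limit. Renewals are counted as issuances,
# which is the assumption the rate-limit discussion on this page makes.
within_rate_limit() {
    [ $(( $1 + ${2:-0} )) -le "$WEEKLY_CERT_LIMIT" ]
}

# Succeeds when the certificate file $1 expires within $2 days (default 30)
# or cannot be read (no cert yet). Renewing with 30 days left leaves room
# for retries inside the 90-day lifetime. `openssl x509 -checkend` exits
# non-zero when the cert will have expired by then.
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Print the certbot invocations a cron job would run for all instances.
plan() {
    domain="$1"
    hosts=$(list_instances | koha_domains "$domain")
    count=$(( $(printf '%s\n' "$hosts" | wc -l) ))
    certs=$(certs_needed "$count")
    echo "# $count hostnames across $certs certificate(s)"
    if ! within_rate_limit "$certs"; then
        echo "# WARNING: $certs issuances exceed $WEEKLY_CERT_LIMIT per 7 days; stagger them"
    fi
    printf '%s\n' "$hosts" | san_chunks | while read -r args; do
        echo "certbot certonly --webroot -w /var/lib/koha/acme $args"
    done
}

plan example.org
```

With the three constructed instances this prints one certbot line carrying six -d arguments (OPAC and intranet for each instance), which is the one-cert-per-installation workaround; the chunking only kicks in past 100 hostnames, i.e. past 50 instances, and the rate-limit check then warns if the resulting number of certificates cannot be issued within one week.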

Windows XP

Not that I care, but XP is supposed to be supported by the intermediate certificate now. https://community.letsencrypt.org/t/upcoming-intermediate-changes/13106