Let's Encrypt - ether42/bootable-usb GitHub Wiki

Setup

On the rootfs:

apt-get install --no-install-recommends cron wget ca-certificates openssl

ACME

Retrieve acme.sh, which is a lighter client than Certbot.

Install acme.sh, then log in again to reload acme.sh's alias:

sh acme.sh --install # will check dependencies
rm acme.sh
exit

acme.sh will also add a cron job to automatically renew the certificates.

Create an account; it will output an ACCOUNT_THUMBPRINT that you should serve via a web server:

acme.sh --register-account

The account's credentials will be saved under /root/.acme.sh/ca.

Any specified reload command will be saved in the domain configuration, /root/.acme.sh/$domain/$domain.conf.

Sharing

It may be interesting to share the account's keys to request certificates for services running in different LXC containers:

lvcreate -L 32MiB -n le-account lxc
mkfs.ext3 -L le-account /dev/lxc/le-account
mount /dev/lxc/le-account /tmp/mnt
cp -r /mnt/lxc/www-01/delta/root/.acme.sh/ca/* /tmp/mnt/
umount /tmp/mnt
rm -rf /mnt/lxc/www-01/delta/root/.acme.sh/ca

And add the corresponding LXC configuration:

lxc.mount.entry = /dev/lxc/le-account root/.acme.sh/ca ext3 defaults,create=dir 0 2
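As an added example (not from the wiki), a small POSIX shell audit for the shared account volume: it emits the mount entry for a given device, flags account keys with loose permissions, and counts container roots that still carry their own copy of the ca directory after the move. It assumes the wiki's /mnt/lxc/<name>/delta layout and that acme.sh keeps account.key in per-CA subdirectories of ca.

```shell
#!/bin/sh
# Added example, not part of the wiki. Audits the shared acme.sh account
# directory after the "Sharing" step. Layout assumed: <base>/<lxc>/delta
# is each container's rootfs, as in /mnt/lxc/www-01/delta.

# Print the LXC mount entry for a block device, in the wiki's format:
# shared ext3 volume mounted at root/.acme.sh/ca inside the container.
le_mount_entry() {
    printf 'lxc.mount.entry = %s root/.acme.sh/ca ext3 defaults,create=dir 0 2\n' "$1"
}

# Check every *.key below the directory (acme.sh is assumed to store
# account.key under per-CA subdirectories). Keys must be mode 0600 and
# owned by the expected uid (default 0). Offenders go to stderr,
# return status is 1 if any were found.
le_check_key_perms() {
    dir=$1
    want_uid=${2:-0}
    bad=$(find "$dir" -type f -name '*.key' -exec stat -c '%a %u %n' {} + |
        awk -v uid="$want_uid" '
            $1 != "600" || $2 != uid {
                print "loose permissions: " $3 " (mode " $1 ", uid " $2 ")"
            }')
    [ -z "$bad" ] || { echo "$bad" >&2; return 1; }
    return 0
}

# Count container rootfs trees that still hold their own copy of the
# account directory, i.e. the rm -rf step was skipped for them. A stale
# copy is a second private key to protect and it will drift from the
# shared one. Paths go to stderr, the count to stdout.
le_leftover_accounts() {
    base=$1
    n=0
    for d in "$base"/*/delta/root/.acme.sh/ca; do
        [ -d "$d" ] || continue
        echo "leftover account copy: $d" >&2
        n=$((n + 1))
    done
    echo "$n"
}
```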

SSL

A nice site is the Mozilla SSL Configuration Generator, which generates an example configuration for the most common HTTP servers (the list of SSL cipher suites is also nice to have and promotes forward secrecy in the case of the modern profile).

TODO: DH parameters setup?
