iOS/MacOS
Digital Ocean
Lol, yeah, I've looked through them before. My confusion is that in Algo there's easy-rsa and, of course, openssl. Moreover, most Let's Encrypt tutorials assume you're using it in conjunction with a web server. But then again, I'm not super well-versed in CA, hence the question here.
Let me be a little bit more specific as to where I'm stuck. I can easily set up a Digital Ocean server with Ubuntu 18.04 and Let's Encrypt manually. Nginx and port 80. No big deal.
The issue is with the Algo script and ipsec.conf. When the Algo script finishes, a set of certificates gets created plus the mobileconfig profiles. The issue is that if you want Algo to use the Let's Encrypt keys, pem, etc., there's no way, to my knowledge, to do so beforehand, as a setting in a config file.
That would lead me to the obvious alternative.... create the server manually with let's encrypt, install Algo manually on that droplet - otherwise a server will be created from scratch - edit the ipsec.conf file after the installation is completed with the Let's Encrypt details and run an update-users for new mobileconfigs.
So what's the problem? Well, Algo creates certificates to log in to the created server and I'm not sure what would happen after I make changes to ipsec.conf. For example, would I even be able to log in again? Etc.
Btw, there's no documentation, to my knowledge, outlining how it all - Algo - works together (StrongSwan, Wireguard, iptables, DNS, etc.) as an end solution. The ansible scripts run, but hard to tell exactly what's happening, unless you know Ansible well.
Well, I can't say much about Let's Encrypt, but when you run a local install, Algo doesn't mess with the SSH key. So you should still be able to log in with the key you used when you created the droplet.
I wonder if reading this project on GitHub might be helpful: https://github.com/jawj/IKEv2-setup/blob/master/README.md
Also, refer to #294 and #822. One issue is that if your CA certificate ever gets stolen, the mobileconfigs will be marked as trusted even if they shouldn't be.
It's possible to sign your mobileconfig files with a Let's Encrypt certificate but I don't think it gets you anything other than a pretty green check mark when you view the Profile on your device, and even that probably goes away once the certificate expires in 90 days.
Note that signing a mobileconfig can be done locally and doesn't involve any changes to your deployed Algo server.
I wrote a simple script to use my existing Let's Encrypt certificate. This must be run as root because the directory containing the certs will only be readable by root.
#!/bin/bash
# Sign user.mobileconfig with an existing Let's Encrypt certificate.
# Must run as root: /etc/letsencrypt/live/ is only readable by root.
certs="/etc/letsencrypt/live/myersnet.net"

# -signer/-inkey: the leaf cert and its private key
# -certfile: the intermediate chain, so a device can build a path to a trusted root
# -nodetach: embed the profile in the signature rather than producing a detached one
# -outform der: the CMS/PKCS#7 encoding iOS/macOS expect for a signed profile
openssl smime \
  -sign \
  -signer "${certs}/cert.pem" \
  -inkey "${certs}/privkey.pem" \
  -certfile "${certs}/chain.pem" \
  -nodetach \
  -outform der \
  -in user.mobileconfig \
  -out user-signed.mobileconfig

@TC1977 @davidemyers you guys rock!
@davidemyers the fact that you can sign it directly is exactly what I was looking for. Since it's a simple script I'll probably re-write it in rust and make it available for the project.
Thanks again!!
Why not just make it an Ansible play?
This is not a feature we plan to support.
Does this work with openssl certs? I'm having trouble with them.