
Add Acme.sh client into base image #4

Open
wants to merge 3 commits into
base: main

Conversation

LeePorte
Copy link

This PR adds acme.sh into the base build.

In the short term it will enable advanced users to generate certificates using ACME-based issuers (ZeroSSL and Let's Encrypt); in the longer term it should be possible to expose the acme.sh interface via the UI. It would be handy to have the client in place in advance of attempting to expose it via the UI.

I have also added Vim into the base packages as it is a much nicer editor to work with and isn't significantly larger.

acme.sh is an ACME client written in pure shell. It has a wide range of
integrations and is highly flexible in use.
Vim is much nicer to work with than vi.
@moodeaudio
Copy link
Contributor

How does this relate to the experimental HTTPS option in moode which uses self-signed certs?

@LeePorte
Copy link
Author

It will enable this to support certs from ZeroSSL and Let's Encrypt, whose certs are trusted by the vast majority of devices.

Once the client is in the base build it will be possible to generate trusted certs via the CLI either via SSH or Web SSH. The aim is then to make it possible via the UI.

@moodeaudio
Copy link
Contributor

Right, but what does the user have to implement to make use of these certs?

@LeePorte
Copy link
Author

OK so in the current form the user will need to first run the installation:

# acme.sh --install sets itself up under the invoking user's home, so run it as root (here /root)
sudo su
cd /root/acme.sh
# copies acme.sh to ~/.acme.sh, adds the shell alias and registers the renewal cron job
./acme.sh --install -m [email protected]

Then they will need to obtain a cert using one of the supported methods as fits their situation. I am using Hurricane Electric as DNS for my internal domain, and as a result I can use one of the 161 DNS integrations, so mine looks like:

# credentials for the dns_he hook (Hurricane Electric dns.he.net); acme.sh saves them for renewals
export HE_Username="<yourusername>"
export HE_Password="<password>"
# DNS-01 issue: acme.sh adds the _acme-challenge TXT record, waits for validation, then removes it
./acme.sh --issue --dns dns_he -d moode.example.com --reloadcmd "service nginx force-reload"

The final step is to install the certificate in nginx:

# -d must be the same domain that was issued above; copies key and chain into place
# and records --reloadcmd so it is re-run after every automatic renewal
acme.sh --install-cert -d moode.example.com \
  --key-file       /etc/ssl/private/moode.key \
  --fullchain-file /etc/ssl/certs/moode.crt \
  --reloadcmd      "service nginx force-reload"

From this point on acme.sh will be executed on a cron job to check if the certificates are within 30 days of expiry and renew them automatically.

There are also options that involve using cloudflare tunnels to enable the use of the web standalone mode, though as someone who doesn't use those, I'm not best placed to advise on them currently, though am happy to investigate them.

In the longer term I'd like to expose the options using the web UI and drive the running of the commands through there; however, I don't think it will be a quick process, and this gives advanced users a way to generate trusted certs in their environment now with little effort required on the part of the project.

@moodeaudio
Copy link
Contributor

I'm still a bit confused. If these are not self-signed certs then which public CA is issuing/signing certs for LAN hosts?

@LeePorte
Copy link
Author

So you will need to be running a real domain internally as there is nobody that can issue certs for .local and using .local is a bad idea https://community.veeam.com/blogs-and-podcasts-57/why-using-local-as-your-domain-name-extension-is-a-bad-idea-4828

In my case, I run a .org.uk domain for internal use, as there is no chance of conflicts.

My internal domain is not reachable for you via the internet; however, through the use of an ACME client and DNS integration I am able to prove the ownership of the host that I wish to gain a cert for on my .org.uk domain.

Via acme.sh it creates a validation record on my DNS provider (Hurricane Electric) for host.mydomain.org.uk; Let's Encrypt is then able to validate this and issues the certificate. acme.sh then removes the validation record. When the renewal point is reached it then creates the record for Let's Encrypt to validate against and cleans up after.
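The DNS-01 exchange described above, reduced to the arithmetic that lets a CA validate a host it cannot reach (RFC 8555 section 8.4 key authorization, RFC 7638 JWK thumbprint). This is an added illustration, not code from acme.sh or from this PR; the account JWK, the challenge token and the in-memory "zone" are constructed placeholders standing in for the real account key, the CA-issued token and the Hurricane Electric zone.

```python
"""DNS-01 proof of control: what the client publishes and what the CA checks."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_record(host: str, token: str, jwk: dict) -> tuple[str, str]:
    """Client side: the TXT record acme.sh creates for the challenge."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    name = f"_acme-challenge.{host}."
    value = b64url(hashlib.sha256(key_authorization.encode()).digest())
    return name, value


def ca_validates(zone: dict, host: str, token: str, account_jwk: dict) -> bool:
    """CA side: look up the TXT record over public DNS and compare with its own computation."""
    name, expected = dns01_record(host, token, account_jwk)
    return expected in zone.get(name, set())


# Constructed account key (not a real key) and constructed CA token.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x-coordinate", "y": "placeholder-y-coordinate"}
TOKEN = "constructed-challenge-token"


def run_challenge(host: str, zone: dict) -> bool:
    """Publish the record, let the CA validate, then clean up exactly as acme.sh does."""
    name, value = dns01_record(host, TOKEN, ACCOUNT_JWK)
    zone.setdefault(name, set()).add(value)          # acme.sh creates the record
    ok = ca_validates(zone, host, TOKEN, ACCOUNT_JWK)  # CA resolves and checks it
    zone[name].discard(value)                          # acme.sh removes it afterwards
    return ok
```

The host itself is never contacted: only the public DNS zone has to be reachable, which is why a LAN-only name on a real registered domain still gets a publicly trusted certificate.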

@LeePorte
Copy link
Author

LeePorte commented Jun 19, 2024

Here's an example from my internal network for my openhab server that has a certificate that is issued by ZeroSSL.

(screenshot: openhab-cert)

Running a dig on the host won't yield anything from your side, and you won't be able to connect to the host either.

(screenshot: dig)

is what is visible on my side.

@moodeaudio
Copy link
Contributor

Got it.

The challenge with this configuration is that it's very complex, particularly since it requires the user to create and admin a local domain.

My goal for HTTPS support in moode is to make it as easy as humanly possible. The self-signed cert part is completely automated and thus "easy", but the client side is messy, requiring manually adding the cert to the OS trust store.

Maybe someday there will be an easy way to do public CA trusted certs for LAN hosts.

@LeePorte
Copy link
Author

As there is little to do from a project side, how about adding in the acme client as an option to use via the CLI for those that wish to, whilst not removing the current self-signed cert option?

It can be pointed to in documentation that it exists for those that want to use it, but it doesn't hinder the experience of those that do not.

In future there may well be something in place for certs within a LAN. If I were to take a guess, this is most likely to be found with a router doing the heavy lifting, as it seems the logical place in a home network to do it. I've not seen any approach of this sort appear as yet.
