Make using letsencrypt.org really easy

[kanaka]

To encourage people to use wss/tls encryption, we should make it really simple for people to implement a signed cert using letsencrypt.org (which should be going into general availability in the next couple of months). Perhaps direct automatic integration (since that's one of the goals of Let's Encrypt), but at least, we should document a straightforward process for using it.

The process is documented here: https://letsencrypt.org/howitworks/technology/

[DirectXMan12]

👍 to that

[dzil123]

Well, I think that the first step is adding instructions, or even a link, on hows to use letsencrypt, on the Encrypted Connections wiki page. It would be much simpler than having to manually acceptance certificates in the browser, which is the current recommendation.

[samhed]

@dzil123 we would gladly review/accept a PR ;)

[hoehermann]

Today, I used letsencrypt's certbot to obtain certificates:

sudo certbot certonly --standalone -d host.example.com

I am now using websockify with

--cert=/etc/letsencrypt/live/host.example.com/fullchain.pem --key=/etc/letsencrypt/live/host.example.com/privkey.pem

It won't get any easier than that, I guess.

[stevegt]

Right now running novnc/websockify over SSL with unattended deployment requires extra startup scripting, because certbot needs to be run on the host or container after it's up and reachable via DNS, but before novnc or websockify starts.

This would be made easier by adding email and fqdn flags to noVNC/utils/launch.sh. This would enable novnc to call something like this:

certbot -n certonly --standalone --agree-tos --email $EMAIL --domains $FQDN

...then novnc would pass --cert and --key to websockify.

Variations would include using --webroot instead of --standalone, and getting certbot to support ports other than 80 or 443:

• https://certbot.eff.org/docs/using.html#webroot
• standalone should allow for alternate ports to bind to (but not authenticate to) certbot/certbot#2697