[Ubuntu] Letsencrypt with Apache and Freeradius

This little tutorial describes how to use Letsencrypt with Apache, Freeradius and Auto-Renewal of the Certificates.

#Install Letsencrypt
sudo apt-get update
sudo apt-get install git
cd /opt
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt

#Become root
sudo su

#"Order" certificates (replace SERVERDOMAIN.COM with the DNS name of your server!)
./letsencrypt-auto --apache -d SERVERDOMAIN.COM --rsa-key-size 4096
Enter Contact Mail: mail@SERVERDOMAIN.COM
Configuration Type: Secure #best choice, as it redirects insecure http to https

#Read PATH variable
echo $PATH

#Cronjob for certificate renewal
#Under all circumstances replace the string following PATH= with your own, as printed by the command above.
#Separate it from the rest of the command with ; as shown in the example
crontab -e

#letsencrypt
30 2 * * 1 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games;/opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/freeradius restart
35 2 * * 1 /etc/init.d/apache2 restart

#Configure Freeradius
cp -r /etc/freeradius/certs/ /etc/freeradius/certs_bkp
rm /etc/freeradius/certs/*.pem
cp /etc/freeradius/eap.conf /etc/freeradius/eap.conf_bkp

vi /etc/freeradius/eap.conf

#certdir = ${confdir}/certs
#cadir = ${confdir}/certs
certdir = /etc/letsencrypt/live/SERVERDOMAIN.COM
cadir = /etc/letsencrypt/live/SERVERDOMAIN.COM
#dh_file = ${certdir}/dh
dh_file = ${confdir}/certs/dh
#private_key_password = whatever
private_key_file = ${certdir}/privkey.pem
certificate_file = ${certdir}/cert.pem
CA_file = ${cadir}/fullchain.pem

#Configure access rights on /etc/letsencrypt
cd /etc/letsencrypt/
chgrp -R ssl-cert archive csr keys live options-ssl-apache.conf renewal # set group of cert/key dirs to ssl-cert
find . -type d -exec chmod g+xs {} \; # directories executable and setgid (new files/dirs inherit group ssl-cert)
find . -type f -exec chmod g+r {} \; # files readable

#Restart Freeradius
service freeradius stop
service freeradius start
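As an added example that is not part of the original post: a small POSIX shell helper meant to run from the weekly cron job after `letsencrypt-auto renew`. Renewed files are written under archive/ and may not be group-readable, so the chgrp/chmod steps above need re-running after each renewal; the helper does that for the same entries the tutorial lists (deliberately not accounts/, which holds the ACME account key and should stay root-only), refuses to continue if any private key is world-readable, and restarts FreeRADIUS and Apache only when the live certificate actually changed, by comparing a SHA-256 of cert.pem with the one recorded at the previous run. The ssl-cert group, the state-file location under /var/lib and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: post-renewal helper for the
# weekly cron job.  Assumptions: group ssl-cert, a state file under
# /var/lib/le-post-renew, and sha256sum (coreutils) as the change marker.

# fix_group_access GROUP PATH...
# Same scheme as the tutorial, applied only to the given entries: group
# ownership GROUP, directories group-executable and setgid (so new files
# inherit the group), files group-readable.
fix_group_access() {
    grp=$1; shift
    for p in "$@"; do
        [ -e "$p" ] || continue
        chgrp -R "$grp" "$p"
        find "$p" -type d -exec chmod g+xs {} \;
        find "$p" -type f -exec chmod g+r {} \;
    done
}

# audit_private_keys DIR
# Lists private keys under DIR that are readable by "other" (mode bit 004).
# Returns 1 if any were found, 0 otherwise.
audit_private_keys() {
    found=$(find "$1" -type f -name 'privkey*.pem' -perm -004)
    if [ -n "$found" ]; then
        echo "world-readable private key(s):"
        echo "$found"
        return 1
    fi
    return 0
}

# cert_fingerprint CERT_FILE
# SHA-256 of the certificate file (the symlink in live/ is followed).
cert_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# services_need_restart CERT_FILE STATE_FILE
# Returns 0 if CERT_FILE differs from the fingerprint recorded in STATE_FILE
# (and records the new one), 1 if it is unchanged.
services_need_restart() {
    new=$(cert_fingerprint "$1")
    old=""
    if [ -f "$2" ]; then
        old=$(cat "$2")
    fi
    if [ "$new" = "$old" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$2"
    return 0
}

# main LETSENCRYPT_DIR DOMAIN   (run as root from cron, after the renew step)
main() {
    le_dir=$1
    domain=$2
    state_file="/var/lib/le-post-renew/$domain.sha256"   # assumed location
    mkdir -p "$(dirname "$state_file")"
    fix_group_access ssl-cert "$le_dir/archive" "$le_dir/csr" "$le_dir/keys" \
        "$le_dir/live" "$le_dir/options-ssl-apache.conf" "$le_dir/renewal"
    audit_private_keys "$le_dir" || exit 1
    if services_need_restart "$le_dir/live/$domain/cert.pem" "$state_file"; then
        echo "certificate changed, restarting services"
        service freeradius restart
        service apache2 restart
    else
        echo "certificate unchanged, nothing to restart"
    fi
}

# Example invocation: ./le-post-renew.sh /etc/letsencrypt SERVERDOMAIN.COM
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Restarting only on change keeps the cron job from bouncing the RADIUS server every week for nothing, and the world-readable check is the one you most want: once the archive directory is group-readable, a mis-applied chmod is the difference between ssl-cert members reading the key and every local user reading it.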

Additional info: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

2 thoughts on “[Ubuntu] Letsencrypt with Apache and Freeradius”

  1. I followed the instructions above, and it does not seem to work.

    From a windows OS I get this:

    WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    WARNING: !! EAP session for state 0x3e833be03884222b... did not finish!
    WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
    WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    This is described here: http://wiki.freeradius.org/guide/Certificate_Compatibility

    An Ubuntu just won't accept the certificate.

    So to me it looks like freeradius can't work with letsencrypt?

    Suggestion?

  2. As I do actually run two instances with two independent servers and domains via freeradius and letsencrypt - it somehow does work :).
    There are some common problems, like i.e. not restarting the freeradius service after changing the cert or using an old freeradius version.
    Another problem could be the used Windows version. As described by the link embedded in the error message, Windows XP i.e. got some serious issues. There is a fix available for this, however, you should not use Windows XP anymore, so I did not test this. Another important thing is that the time used on ALL your machines is accurate, i.e. your servers as well as clients.
