Add Let's Encrypt guide

conf/nginx/inc/letsencrypt

@@ -0,0 +1,5 @@
+listen 80;
+
+location /.well-known/acme-challenge {
+	alias /data/letsencrypt;
+}

doc/Lets-Encrypt.md

@@ -0,0 +1,62 @@
+# Introduction
+
+[Let's Encrypt](https://letsencrypt.org) is a Certificate Authority that
+issues SSL certificates for free.
+Validation is done by checking a file on the web server.
+**Awesome!**
+
+See the introduction video:
+[Let's Encrypt - A Free Robotic Certificate Authority](https://www.youtube.com/watch?v=OZyXx8Ie4pA)
+
+# Get Free Certificate
+
+The [official client](https://github.com/letsencrypt/letsencrypt)
+is fully automated. However, it uses root and installs packages.
+
+This guide uses [acme-tiny](https://github.com/diafygi/acme-tiny), because:
+
+* It does not attempt to modify server config files
+* Works with any X.509 certificate
+* Does not require root
+* Small single-file Python script
+
+Download:
+
+	wget https://github.com/diafygi/acme-tiny/raw/master/acme_tiny.py
+
+## 1. Create User Account
+
+*Note: Only needed the first time.*
+
+	openssl genrsa -out user.key 4096
+
+## 2. Generate Domain Key
+
+*Note: Only needed the first time, or when changing the key.*
+
+	openssl genrsa -out domain.key 2048
+
+## 3. Create Challenge/Response Directory
+
+*Note: Only needed when requesting a certificate in Step 5.*
+
+Create a directory which is readable by the web server
+and writable by the user executing acme-tiny. This guide uses `/data/letsencrypt`.
+
+For Nginx, the config snippet [`inc/letsencrypt`](../conf/nginx/inc/letsencrypt) can be included.
+It may be necessary to disable `listen 80` in the vhost config file.
+
+## 4. Generate Certificate Signing Request
+
+`CMDSAN` lists all domains to include in the certificate.
+
+	CMDSAN="DNS:www.example.com,DNS:otherhost.example.com"
+
+	openssl req -new -key domain.key -out domain.csr -subj / \
+	-reqexts CMDSAN -config <(cat /etc/ssl/openssl.cnf <(printf "[CMDSAN]\nsubjectAltName=$CMDSAN\n"))
+
+## 5. Request Certificate
+
+**Note: This step needs to be repeated every less than 90 days.**
+
+	python acme_tiny.py --account-key user.key --csr domain.csr --acme-dir /data/letsencrypt > domain.crt

doc/OpenSSL.md

@@ -1,6 +1,7 @@
 Links
 =====
 
+* **[Free certificates with Let's Encrypt](./Lets-Encrypt.md)**
 * [OpenSSL usage tips and examples](http://conshell.net/wiki/index.php/OpenSSL_usage_tips_and_examples)
 * [Multiple SSL Sites Using SubjectAltName](https://www.linode.com/docs/security/ssl/multiple-ssl-sites-using-subjectaltname)
 * [Is TLS fast yet](https://istlsfastyet.com/)
@@ -12,6 +13,8 @@ Links
 Commands
 ========
 
+Note: Common Name = Host
+
 Generate RSA Key
 ----------------
 
@@ -28,7 +31,10 @@ With *existing* key:
 
 	openssl req -new -key example.key -out example.csr
 
-Common Name = Host
+With existing key and *Subject Alternative Names:*
+
+	CMDSAN="DNS:www.example.com"
+	openssl req -new -key example.key -out example.csr -reqexts CMDSAN -subj / -config <(cat /etc/ssl/openssl.cnf <(printf "[CMDSAN]\nsubjectAltName=$CMDSAN\n"))
 
 Generate Self-Signed Certificate
 --------------------------------
@@ -41,7 +47,6 @@ With *existing* key:
 
 	openssl req -new -key example.key -x509 -days 730 -out example.crt
 
-
 Sign CSR by CA with Subject Alternative Names
 ---------------------------------------------