Make openSUSE the first distribution to support Let's Encrypt/ACME natively, in order to provide easy TLS encryption for all services. openSUSE users should be able to:

  1. Request certificates for associated host names and keep them up-to-date.
  2. Use these certificates to configure their services (e.g. web, mail, etc.).

Proposed Actions

  1. Evaluate yast2-certificate-management for fitness. Decide on whether to extend it or write a new module.
  2. Make use of an existing ACME client. Evaluate e.g. certbot, acmetool, dehydrated for fitness. YaST modules should not provide new functionality, only integration.
  3. Extend yast2-http-server, yast2-mail, etc. accordingly.

Call for collaborators

Knowledge of Ruby, YaST internals, or ACME/TLS/X.509 is useful, but not strictly necessary. I will give an introduction on the TLS related topics on Tuesday. It would be nice to have a YaST expert on the team.

Stretch Goals

  • Set Security Headers such as HTTP Strict Transport Security.
  • Set Certificate Pinning Header. This requires creating backup keys to be useful. Might not even be a good idea.
  • Update the crypto parameters in Apache/Postfix/etc. Let's talk to security folks about that.
  • Discuss whether and how to approach this from the SUSE Manager end.


A default setup should achieve an A/A+ rating on

Further Readings




Fate #320148.

This project is part of:

Hack Week 15


