Koozali.org: home of the SME Server

Fun with Letsencrypt

ricks1950
Fun with Letsencrypt
« on: August 17, 2017, 08:35:55 PM »
I installed Letsencrypt and dehydrated following the wiki page about two months ago and got valid certificates.  When my renewal script ran, no errors were generated, new certificates were issued, but they were not valid.  I ran step by step through the wiki several times, and ran dehydrated and generated several generations of invalid certificates without errors. 

Long story short -- after much head scratching, hair pulling and a few choice words, checking and rechecking installation steps, I found in the /etc/dehydrated/config file this line:
# CA="https://acme-staging.api.letsencrypt.org/directory"
had lost the # and was uncommented, which caused the script to run in test mode and generate invalid certificates.

Now, I am past 60 (nearly 70) and do not remember everything that goes on around me or what I did, but between the certificate installation and the actual running of dehydrated to renew the certificates, I do not remember touching or even thinking about letsencrypt. 

I guess the message is simply, if something does not work check and double check your configuration. 

Both the contrib and the wiki are terrific, and do what they need to do.

guest22

Re: Fun with Letsencrypt
« Reply #1 on: August 17, 2017, 09:47:20 PM »
Hey Rick, good to see you found the root cause of your issue, and thanks for the heads up for the 'youngsters'!

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Fun with Letsencrypt
« Reply #2 on: August 18, 2017, 12:52:07 AM »
Quote from: ricks1950 on August 17, 2017, 08:35:55 PM
    I installed Letsencrypt and dehydrated following the wiki page about two months ago and got valid certificates.  When my renewal script ran, no errors were generated, new certificates were issued, but they were not valid.  I ran step by step through the wiki several times, and ran dehydrated and generated several generations of invalid certificates without errors.

    Long story short -- after much head scratching, hair pulling and a few choice words, checking and rechecking installation steps, I found in the /etc/dehydrated/config file this line:
    # CA="https://acme-staging.api.letsencrypt.org/directory"
    had lost the # and was uncommented, which caused the script to run in test mode and generate invalid certificates.

If you do have installed smeserver-letsencrypt then the way to do it was not to comment this line but to change the status property from test to enable, then signal-event console-save.

Quote from: ricks1950 on August 17, 2017, 08:35:55 PM
    Now, I am past 60 (nearly 70) and do not remember everything that goes on around me or what I did, but between the certificate installation and the actual running of dehydrated to renew the certificates, I do not remember touching or even thinking about letsencrypt.

If you had the contrib installed, then my guess is an upgrade occurred or an event was triggered leading to the expansion of the config file, hence the removal of your commented line.
If you only configured this manually without installing the smeserver-letsencrypt then I have no clue either!

Quote from: ricks1950 on August 17, 2017, 08:35:55 PM
    I guess the message is simply, if something does not work check and double check your configuration.

    Both the contrib and the wiki are terrific, and do what they need to do.

Thank you for your comment and for the terrific work of John on this one!

ricks1950
Re: Fun with Letsencrypt
« Reply #3 on: August 18, 2017, 06:16:47 AM »
It did occur to me that letsencrypt was in test mode and I entered

config setprop letsencrypt status enable
signal-event console-save

and ran dehydrated again with the same result. 

Maybe if I had set test mode and then enabled, it would have worked.

There may have been an update to the contrib, maybe that caused the problem.

Jean-Philippe Pialasse (aka Unnilennium)
Re: Fun with Letsencrypt
« Reply #4 on: August 18, 2017, 03:20:26 PM »
Any templates-custom?

ricks1950
Re: Fun with Letsencrypt
« Reply #5 on: August 18, 2017, 04:24:49 PM »
No custom templates or contribs other than letsencrypt on this server.  It is relatively new 64 bit hardware with a clean install of 9.1, yum updated to 9.2.  Data was restored from a 32 bit 9.1 machine.  This is my personal machine and serves as my main email server with a few email accounts.  I do occasionally use webmail, but there is not a lot of customisation.


Jean-Philippe Pialasse (aka Unnilennium)
Re: Fun with Letsencrypt
« Reply #6 on: August 18, 2017, 05:27:05 PM »
Well, using the contrib you should not have any line such as
Code:
# CA="https://acme-staging.api.letsencrypt.org/directory"
You should find in /etc/dehydrated/config either (if status=test)
Code:
CA="https://acme-staging.api.letsencrypt.org/directory"
or, if status=enabled,
Code:
CA="https://acme-v01.api.letsencrypt.org/directory"

Out of curiosity, would you be able to retrieve:
Code:
config show letsencrypt
rpm -qa smeserver-letsencrypt
rpm -qa dehydrated
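The failure mode in this thread (a staging CA line that lost its '#', so renewals silently produced test certificates while status=enable looked correct) can be caught before a renewal runs. The script below is an added example, not code from the smeserver-letsencrypt contrib, from dehydrated or from any poster. It works out which ACME CA a dehydrated config really points at (dehydrated sources the file as shell, so only uncommented CA= lines count and the last one wins), compares that with the letsencrypt status property as printed by `config show letsencrypt`, and classifies an issuer string from an already issued certificate. The two CA URLs are the ones quoted in this thread; the `config show` output layout (a type line followed by indented property=value lines), the certificate path under /etc/dehydrated/certs/ and the "Fake LE" issuer name for staging certificates are assumptions.

```shell
#!/bin/sh
# Added example (not from the smeserver-letsencrypt contrib, dehydrated or any
# poster): work out which ACME CA a dehydrated config really points at and
# whether that agrees with the SME Server "letsencrypt" status property.

# Endpoint URLs exactly as quoted in the thread.
STAGING_CA="https://acme-staging.api.letsencrypt.org/directory"
PROD_CA="https://acme-v01.api.letsencrypt.org/directory"

# Effective CA in a dehydrated config. dehydrated sources the file as shell,
# so only uncommented CA=... lines count and the last one wins; a leading '#'
# (optionally preceded by whitespace) disables the line. That is why losing
# the '#' on the staging line silently flips a renewal to staging.
effective_ca() {
    # $1 = path to the config file
    sed -n "s/^[[:space:]]*CA=[\"']\{0,1\}\([^\"'[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Classify the effective CA.
ca_mode() {
    case "$(effective_ca "$1")" in
        "$STAGING_CA") echo staging ;;
        "$PROD_CA")    echo production ;;
        "")            echo unset ;;   # dehydrated would fall back to its built-in default
        *)             echo other ;;
    esac
}

# Extract the status property from "config show letsencrypt" output on stdin.
# Assumed layout (e-smith configuration db): a "letsencrypt=service" line
# followed by indented "property=value" lines.
status_from_config_show() {
    sed -n 's/^[[:space:]]*status=//p' | head -n 1
}

# Per reply #6: status=test should expand to the staging CA and
# status=enable(d) to the production CA. Any other pairing means the template
# was not re-expanded after the property changed (no signal-event
# console-save) or the file was edited by hand and later overwritten.
check_consistency() {
    # $1 = dehydrated config path, $2 = value of the status property
    mode=$(ca_mode "$1")
    case "$2:$mode" in
        test:staging|enable:production|enabled:production) echo consistent ;;
        *) echo "MISMATCH: status=$2 but config uses the $mode CA" ;;
    esac
}

# Independent check on an issued certificate: the staging CA signs with a
# test intermediate whose name contains "Fake LE" (assumption about the
# staging hierarchy at the time of the thread). Feed it the output of
#   openssl x509 -noout -issuer -in /etc/dehydrated/certs/<domain>/cert.pem
# (that certs path is dehydrated's default layout, also an assumption).
issuer_is_staging() {
    case "$1" in
        *"Fake LE"*|*STAGING*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed config reproducing the thread: the staging line has
# lost its '#', so the renewal hits staging even though status=enable.
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' \
        'CA="https://acme-staging.api.letsencrypt.org/directory"' \
        '# CA="https://acme-v01.api.letsencrypt.org/directory"' > "$cfg"
    status=$(printf 'letsencrypt=service\n    status=enable\n' | status_from_config_show)
    echo "effective CA: $(effective_ca "$cfg") ($(ca_mode "$cfg"))"
    check_consistency "$cfg" "$status"
    if issuer_is_staging 'issuer=CN = Fake LE Intermediate X1'; then
        echo "sample issuer string is a staging issuer"
    fi
    rm -f "$cfg"
}

demo
```

On a real SME Server box, run `check_consistency /etc/dehydrated/config "$(config show letsencrypt | status_from_config_show)"` after every `config setprop letsencrypt status ...` and `signal-event console-save`, and again before trusting a renewal; a MISMATCH means the file on disk does not reflect the property, which is exactly the state reply #3 describes.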