Koozali.org: home of the SME Server

Thoughts on letsencrypt.com?

KevinG
Re: Thoughts on letsencrypt.com?
« Reply #15 on: December 04, 2015, 12:52:30 PM »
Getting there slowly (I hope) :-)

After installing Python 2.7 and pip following the instructions at http://wiki.contribs.org/Python_Altinstall

It progresses to:

The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()

It seems the --apache looks for a debian install, though it appears possible to set the following paths:

  --apache-ctl APACHE_CTL
  --apache-enmod APACHE_ENMOD
  --apache-dismod APACHE_DISMOD
  --apache-le-vhost-ext APACHE_LE_VHOST_EXT
  --apache-server-root APACHE_SERVER_ROOT

I have set --apache-server-root /etc/httpd --apache-ctl /usr/sbin/apachectl --apache-dismod /usr/bin/sedismod but am struggling to find any more to set.

I am still getting the no installation error

Thanks



DanB35
Re: Thoughts on letsencrypt.com?
« Reply #16 on: December 04, 2015, 12:59:50 PM »
I thought I read in their docs yesterday that the apache plugin requires apache 2.4, while CentOS 6 (and thus SME 9) uses 2.2.  Even so, with the config file templating that SME does, I don't think you'd want to have the letsencrypt client make the config changes to use the new certs.  What should work (I think), once the cert is generated, is to do

config setprop modSSL crt /path/to/crt
config setprop modSSL key /path/to/key
signal-event post-upgrade
signal-event reboot

...and the cert and key are in /etc/letsencrypt somewhere.

Stefano
Re: Thoughts on letsencrypt.com?
« Reply #17 on: December 04, 2015, 01:05:41 PM »
> Getting there slowly (I hope) :-)
>
> After installing Python 2.7 and pip following the instructions at http://wiki.contribs.org/Python_Altinstall
>
> It progresses to:
>
> The apache plugin is not working; there may be problems with your existing configuration.
> The error was: NoInstallationError()
>
> It seems the --apache looks for a debian install, though it appears possible to set the following paths:
>
>   --apache-ctl APACHE_CTL
>   --apache-enmod APACHE_ENMOD
>   --apache-dismod APACHE_DISMOD
>   --apache-le-vhost-ext APACHE_LE_VHOST_EXT
>   --apache-server-root APACHE_SERVER_ROOT
>
> I have set --apache-server-root /etc/httpd --apache-ctl /usr/sbin/apachectl --apache-dismod /usr/bin/sedismod but am struggling to find any more to set.
>
> I am still getting the no installation error
>
> Thanks

please, don't mess with apache.. I mean: SME is not a plain CentOS and so it differs a bit from CentOS.

that said, your best bet is to use letsencrypt just like this example:
./letsencrypt-auto certonly --standalone --email admin@thing.com -d thing.com -d www.thing.com

then install your certificate (search the wiki, you'll find many useful hints)

DanB35
Re: Thoughts on letsencrypt.com?
« Reply #18 on: December 04, 2015, 01:18:54 PM »
> then install your certificate (search the wiki, you'll find many useful hints)

Question about installing the certificate.  The wiki at http://wiki.contribs.org/Custom_CA_Certificate#configuring_your_sme_with_your_new_certificate says to copy the cert and key to /home/e-smith/ssl.crt/ and /home/e-smith/ssl.key/, respectively.  The letsencrypt client puts them somewhere in /etc/letsencrypt.  Although it doesn't sound like this part is functioning yet, it's the goal of the letsencrypt folks to automate cert renewals as well, which would likely work best if the cert and key stay where the letsencrypt client puts them.

Since the config db entries call for a full pathname anyway, is there any reason that the cert and key need to be in /home/e-smith/?  Or, put differently, is there any reason not to leave them in /etc/letsencrypt/?  The only issue I can think of is that /etc/letsencrypt/ isn't backed up by the standard SME backup mechanisms, but it's easy enough to add a db entry to do so.

KevinG
Re: Thoughts on letsencrypt.com?
« Reply #19 on: December 04, 2015, 01:31:24 PM »
...just about there ...

Thanks guys

I have got it to:    Error: The client lacks sufficient authorization

Which I guess is because this test box isn't accessible from the outside world.  With hindsight this would seem a realistic prerequisite!

I'll create a public dns entry for it and route to it now and then test again.

Stefano
Re: Thoughts on letsencrypt.com?
« Reply #20 on: December 04, 2015, 01:43:21 PM »
thank you

please, report here all you can, letsencrypt's stuff sounds very interesting. :-)

Stefano
Re: Thoughts on letsencrypt.com?
« Reply #21 on: December 04, 2015, 01:49:08 PM »
> Question about installing the certificate.  The wiki at http://wiki.contribs.org/Custom_CA_Certificate#configuring_your_sme_with_your_new_certificate says to copy the cert and key to /home/e-smith/ssl.crt/ and /home/e-smith/ssl.key/, respectively.  The letsencrypt client puts them somewhere in /etc/letsencrypt.  Although it doesn't sound like this part is functioning yet, it's the goal of the letsencrypt folks to automate cert renewals as well, which would likely work best if the cert and key stay where the letsencrypt client puts them.
>
> Since the config db entries call for a full pathname anyway, is there any reason that the cert and key need to be in /home/e-smith/?  Or, put differently, is there any reason not to leave them in /etc/letsencrypt/?  The only issue I can think of is that /etc/letsencrypt/ isn't backed up by the standard SME backup mechanisms, but it's easy enough to add a db entry to do so.

ATM, AFAIK, the big show stoppers about letsencrypt on SME are:
1) it needs python2.7 and even if we can use scl to install another python version, this is not as easy as 1,2,3..
2) there are no rpms available, and so we need to download/install it via git
3) it is still in beta

once it is released as stable, I'm quite sure that rpms will be available (I saw some NFR on RH's bugzilla about it).. then we could think about how to make it work in SME.. there will likely be a smeserver-letsencrypt rpm that will bring all the needed templates/fragments to make it usable in the easiest and safest way (as usual, I'd add ;-) )

DanB35
Re: Thoughts on letsencrypt.com?
« Reply #22 on: December 04, 2015, 03:28:08 PM »
> 1) it needs python2.7 and even if we can use scl to install another python version, this is not as easy as 1,2,3..
> 2) there are no rpms available, and so we need to download/install it via git
> 3) it is still in beta

Understood on all counts.  So, with that said, to my previous question--do the cert and key need to be in /home/e-smith/, or can they be in an arbitrary other location with the correct path fed to the config database?  And other than that other location not being included in the default backup set (which can be controlled with its own config db entry), is there any reason to prefer one over the other?

KevinG
Re: Thoughts on letsencrypt.com?
« Reply #23 on: December 04, 2015, 04:42:40 PM »
Once it was available on the internet the program ran (once I had stopped httpd)

It has created files
cert.pem
chain.pem
fullchain.pem
privkey.pem

It returned a message along the lines of your certificate is available at ..../fullchain.pem

So I typed

config setprop modSSL crt /path/to/fullchain.pem
config setprop modSSL key /path/to/fullchain.pem
signal-event post-upgrade
signal-event reboot

The box stopped serving web pages

Replacing fullchain with cert.pem and privkey.pem and rerunning the above, it now serves web pages but Firefox still reports this page is not trusted ...

Are cert and privkey the correct certificates? Any ideas?

KevinG
Re: Thoughts on letsencrypt.com?
« Reply #24 on: December 04, 2015, 05:04:28 PM »
The plot thickens

The certificate has been saved OK but firefox does not recognise it:

See attached

KevinG
Re: Thoughts on letsencrypt.com?
« Reply #25 on: December 04, 2015, 05:16:05 PM »
On further examination, Chrome 47.0 and ie11 seem OK!

Firefox version 42.0.

Time to ask Let's Encrypt I feel.

When I have everything running OK I'll post the entire recipe.

KevinG
Re: Thoughts on letsencrypt.com?
« Reply #26 on: December 04, 2015, 06:35:28 PM »
I have found a post that suggests I should edit the apache ssl.conf file and insert a pointer to an SSLCertificateChainFile

I have got the chain file. 

I cannot find anything on contribs.org to suggest where to put this

I guess somewhere like setprop modSSL.

Is it as simple as

config setprop modSSL SSLCertificateChainFile /etc/letsencrypt/rest of file location/

Thanks
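A check I would add at this point (example code of my own, not from the thread or the SME project) that sorts the four files the client wrote into the modSSL crt/key/chain properties and flags the two mis-assignments made above: the key property pointed at fullchain.pem, and cert.pem used with no intermediate. The PEM contents are constructed placeholders, and the chain property name CertificateChainFile and the /etc/letsencrypt/live path are assumptions taken from the wiki conventions, not from the thread.

```python
import re

# Constructed placeholder PEM files standing in for the four files the client
# writes. The base64 bodies are dummies; only block types and order matter.
LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nS0VZ\n-----END RSA PRIVATE KEY-----\n"
FILES = {"cert.pem": LEAF, "chain.pem": INTERMEDIATE,
         "fullchain.pem": LEAF + INTERMEDIATE, "privkey.pem": KEY}

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def pem_types(text):
    """Return the PEM block types found in a file, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_modssl_assignment(files, crt, key, chain=None):
    """Return the problems with a proposed modSSL crt/key/chain assignment."""
    problems = []
    crt_types, key_types = pem_types(files[crt]), pem_types(files[key])
    # key must hold a private key; pointing it at a certificate bundle is
    # what stopped the box serving pages in the thread
    if not key_types or not all(t.endswith("PRIVATE KEY") for t in key_types):
        problems.append("%s is not a private key file" % key)
    # crt must start with the leaf certificate
    if not crt_types or crt_types[0] != "CERTIFICATE":
        problems.append("%s does not start with a certificate" % crt)
    if chain is None:
        # Apache 2.2 (SME 9) only reads the first certificate from crt, so
        # intermediates appended there (fullchain.pem) are silently ignored,
        # and without an intermediate Firefox reports the site as untrusted
        if len(crt_types) > 1:
            problems.append("%s carries extra certificates that Apache 2.2 ignores; set the chain property instead" % crt)
        else:
            problems.append("no intermediate certificate configured; Firefox will not trust the site")
    elif any(t != "CERTIFICATE" for t in pem_types(files[chain]) or [None]):
        problems.append("%s does not contain intermediate certificates" % chain)
    return problems

def modssl_commands(crt, key, chain, base="/etc/letsencrypt/live/example.com"):
    """Render the setprop lines for a checked assignment (property name
    CertificateChainFile and the live/ path are assumptions, not from the thread)."""
    return ["config setprop modSSL crt %s/%s" % (base, crt),
            "config setprop modSSL key %s/%s" % (base, key),
            "config setprop modSSL CertificateChainFile %s/%s" % (base, chain),
            "signal-event post-upgrade", "signal-event reboot"]
```

Run the checks against the real files under /etc/letsencrypt before typing the setprop lines; an empty problem list means the three properties point at the right kind of object each.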

Stefano
Re: Thoughts on letsencrypt.com?
« Reply #28 on: December 04, 2015, 07:11:14 PM »
> The box stopped serving web pages
> Replacing fullchain with cert.pem and privkey.pem and rerunning the above, it now serves web pages but Firefox still reports this page is not trusted ...
> Are cert and privkey the correct certificates? Any ideas?

yes.. time to dig into log files :-)

moreover, please post all your relevant steps in bugzilla too (bug reference is above), thank you

KevinG
Re: Thoughts on letsencrypt.com?
« Reply #29 on: December 04, 2015, 07:48:38 PM »
http://wiki.contribs.org/Certificates_Concepts#Custom_Certificate

That is just what I need.

I can't ssh from here so will look in the morning.

Thanks again