Koozali.org: home of the SME Server

Thoughts on letsencrypt.com?

Offline ReetP

  • *
  • 3,940
  • +6/-0
Re: Thoughts on letsencrypt.com?
« Reply #150 on: May 30, 2016, 01:14:43 PM »
I'm just hacking the contrib whilst waiting for my wife to get back from her hysterectomy op :-)
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

  • *
  • 2,907
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Thoughts on letsencrypt.com?
« Reply #151 on: May 31, 2016, 06:03:31 AM »

I will patch the missing trailing slash in 40ACME for the smeserver-letsencrypt contrib shortly - still thinking how to do an 'all' for all domains/hosts.

Code: [Select]
my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' ) || 'disabled';
# is all ?
my $allstatus = $configDB->get_prop( 'letsencrypt', 'AllDomainDefault' ) || 'disabled';

Code: [Select]
        # First get all the domains

        foreach my $domain (@domains) {
            # previously: my $domainEnabled = $domainsDB->get_prop( "$domain", 'letsencryptSSLcert' ) || 'disabled';
            # a domain with no explicit letsencryptSSLcert property now inherits AllDomainDefault
            my $domainEnabled = $domainsDB->get_prop( "$domain", 'letsencryptSSLcert' ) || $allstatus;

            if ( $domainEnabled eq 'enabled' ) {

                #code

                $OUT .= "$domain ";
            }
        }

this way the default will be all disabled
you can enable all
you can enable all BUT the ones that are strictly disabled :D

if you forgot to remove the disabled in a domain, well, screw you ;), you just have to check!

Offline ReetP

  • *
  • 3,940
  • +6/-0
Re: Thoughts on letsencrypt.com?
« Reply #152 on: May 31, 2016, 07:41:02 AM »
:lol:

I have got something a little more subtle... but you have given me an idea to modify it a bit further. Will try and push an update later today.

Offline Jean-Philippe Pialasse

  • *
  • 2,907
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Thoughts on letsencrypt.com?
« Reply #153 on: May 31, 2016, 09:05:37 AM »
Think I have twigged something. In the letsencrypt contrib I think I have missed a trailing slash in the file /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/40ACME

It is currently like this:

Code: [Select]
# Alias for letsencrypt
Alias /.well-known/acme-challenge /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge

 I think it should be like this:

Code: [Select]
# Alias for letsencrypt
Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge

That matches the proxypass ignore line

Code: [Select]
ProxyPass /.well-known/acme-challenge/ !

Definitely not to do: this led me to a 404 on the file in the acme directory. Apache can list the file, but it is a 404 when calling it, resulting in a failure to validate regular domains.


[Tue May 31 02:52:46 2016] [error] [client i.i.i.i] File does not exist: /home/e-smith/files/ibays/Primary/html/.well-known/acme-challengeTyV3pKWG-uCW42aNRgb0vXvWKZV8Yl4_dsdGw_LX-1E, referer: http://f.f.com/.well-known/acme-challenge/


See, the rewriting lost a / ;)

I can however confirm that:
Code: [Select]
# Alias for letsencrypt
Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/

would work with the Primary domain, I hope this also solves the Rocket issue
« Last Edit: May 31, 2016, 09:08:25 AM by Jean-Philippe Pialasse »
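A simplified model of the prefix mapping behind that 404, added here as an example; it is not code from the contrib or from Apache. Whatever follows the matched URL-path is appended verbatim to the file-path, so a trailing slash on only one side of an Alias glues the token straight onto the directory name. The two config strings are constructed from the 40ACME variants quoted above, and `alias_matches` is an approximation of mod_alias, not its source.

```python
import re

# Constructed samples, modelled on the two 40ACME variants quoted in this thread.
BROKEN_40ACME = (
    "# Alias for letsencrypt\n"
    "Alias /.well-known/acme-challenge/ "
    "/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge\n"
)
FIXED_40ACME = (
    "# Alias for letsencrypt\n"
    "Alias /.well-known/acme-challenge/ "
    "/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/\n"
)
# The request URI behind the 404 in the error_log quoted above.
SAMPLE_URI = "/.well-known/acme-challenge/TyV3pKWG-uCW42aNRgb0vXvWKZV8Yl4_dsdGw_LX-1E"

ALIAS_RE = re.compile(r"^\s*Alias\s+(\S+)\s+(\S+)\s*$", re.MULTILINE | re.IGNORECASE)


def alias_matches(uri, url_path):
    """Approximation of mod_alias prefix matching (assumption, not Apache's code):
    the URL-path must be a prefix of the request, and unless it ends in '/'
    the match has to stop at a path-segment boundary."""
    if not uri.startswith(url_path):
        return False
    rest = uri[len(url_path):]
    return url_path.endswith("/") or rest == "" or rest.startswith("/")


def map_uri(uri, url_path, file_path):
    """Filesystem path the Alias would hand on, or None if it does not apply.
    The remainder of the request after the matched prefix is appended verbatim,
    so nothing re-inserts a '/' that the file-path is missing."""
    if not alias_matches(uri, url_path):
        return None
    return file_path + uri[len(url_path):]


def parse_aliases(conf_text):
    """All (url_path, file_path) pairs declared with Alias in a config fragment."""
    return ALIAS_RE.findall(conf_text)


def lint_aliases(conf_text):
    """Return the Alias pairs whose two sides disagree about the trailing slash;
    those are the ones that produce 'acme-challenge<token>' lookups."""
    return [(u, f) for u, f in parse_aliases(conf_text) if u.endswith("/") != f.endswith("/")]


def resolve(conf_text, uri):
    """Resolve a request through the first matching Alias in the fragment."""
    for url_path, file_path in parse_aliases(conf_text):
        path = map_uri(uri, url_path, file_path)
        if path is not None:
            return path
    return None
```

Running `lint_aliases` over the expanded /etc/httpd/conf/httpd.conf after a console-save is a quick way to catch the mismatch before letsencrypt.sh hits the 404.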

Offline ReetP

  • *
  • 3,940
  • +6/-0
Re: Thoughts on letsencrypt.com?
« Reply #154 on: May 31, 2016, 06:20:38 PM »
I have updated the letsencrypt rpms

smeserver-letsencrypt-0.2-5.noarch
letsencrypt.sh-0.0.9.160523.gitd5b2858-1.noarch (contains v2 of the letsencrypt script)

Due to a trip to cockup city on my part with numbering the smeserver-letsencrypt rpm may not want to drag in the newer letsencrypt.sh rpm which it needs for letsencrypt.sh v2

You can grab a copy from my repo and install locally, or remove and reinstall all.

Brief Notes :

Modified the 40ACME URLs to add trailing /
Modified slightly the bash scripts in the spec file

Added new config entry :

You can now use 'all' to set all domains or hosts regardless of status

config setprop letsencrypt letsencyptConfig all | domains | hosts

Delete the key to go back to normal

Don't use it unless you know what you are doing...... and make sure you are in TEST mode first.

Please test (on a VM !)

Off to hospital again :-(

Offline warren

  • *
  • 293
  • +0/-0
Re: Thoughts on letsencrypt.com?
« Reply #155 on: June 09, 2016, 08:04:30 PM »
Strange, looks like it isn't seeing the config file any more:

Code: [Select]
[root@e-smith ~]# letsencrypt.sh -c
#
# !! WARNING !! No main config file found, using default config!
#
ERROR: WELLKNOWN directory doesn't exist, please create /usr/local/bin/.acme-challenges and set appropriate permissions.
[root@e-smith ~]# cd /etc/letsencrypt.sh/
[root@e-smith letsencrypt.sh]# ls
certs  config.sh  domains.txt  private_key.pem
[root@e-smith letsencrypt.sh]# rpm -qa | grep letsencrypt
letsencrypt.sh-0.0.9.160523.gitd5b2858-1.noarch
smeserver-letsencrypt-0.2-2.noarch
[root@e-smith letsencrypt.sh]#

Edit: Almost looks like it's looking for config, not config.sh:
Code: [Select]
# Setup default config values, search for and load configuration files
load_config() {
  # Check for config in various locations
  if [[ -z "${CONFIG:-}" ]]; then
    for check_config in "/etc/letsencrypt.sh" "/usr/local/etc/letsencrypt.sh" "${PWD}" "${SCRIPTDIR}"; do
      if [[ -e "${check_config}/config" ]]; then
        BASEDIR="${check_config}"
        CONFIG="${check_config}/config"
        break
      fi
    done
  fi

Edit 2:  And indeed, that's what's happened:  https://github.com/lukas2511/letsencrypt.sh/commit/d5b285868e35992027599d25411d80dfd0bf1048

I followed the wiki install instructions :

Code: [Select]
yum install smeserver-letsencrypt --enablerepo=reetp


reetp/primary_db                                         | 128 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package smeserver-letsencrypt.noarch 0:0.2-5 will be installed
--> Processing Dependency: letsencrypt.sh >= 0.0.9 for package: smeserver-letsencrypt-0.2-5.noarch
--> Running transaction check
---> Package letsencrypt.sh.noarch 0:0.0.9.160523.gitd5b2858-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch      Version                      Repository
                                                                           Size
================================================================================
Installing:
 smeserver-letsencrypt    noarch    0.2-5                        reetp     26 k
Installing for dependencies:
 letsencrypt.sh           noarch    0.0.9.160523.gitd5b2858-1    reetp     21 k

Transaction Summary
================================================================================
Install       2 Package(s)

Total download size: 48 k
Installed size: 84 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): letsencrypt.sh-0.0.9.160523.gitd5b2858-1.noarch.r |  21 kB     00:00
(2/2): smeserver-letsencrypt-0.2-5.noarch.rpm            |  26 kB     00:00
--------------------------------------------------------------------------------
Total                                            42 kB/s |  48 kB     00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : letsencrypt.sh-0.0.9.160523.gitd5b2858-1.noarch              1/2
  Installing : smeserver-letsencrypt-0.2-5.noarch                           2/2
/var/tmp/rpm-tmp.TRCbMd: line 5: [[!: command not found
/var/tmp/rpm-tmp.TRCbMd: line 9: [[!: command not found
/var/tmp/rpm-tmp.TRCbMd: line 13: [[!: command not found
/var/tmp/rpm-tmp.TRCbMd: line 17: [[!: command not found
/var/tmp/rpm-tmp.TRCbMd: line 21: [[!: command not found
###################################################################
# After install please set your db keys
# Make sure you set the letsencrypt status key to test
# Enable some domains or hosts
# Then run the following
# signal-event console-save
# letsencrypt.sh -c
# Once you are satisfied set the letsencrypt status key to enabled
# mv /etc/letsencrypt.sh/private_key.pem /etc/letsencrypt.sh/private_key.test
# Run the letesencypt.sh file again to generate your keys
# signal-event console-save
# letsencrypt.sh -c -x
# Thereafter only use
# letsencrypt.sh -c
# If you make any key changes run console-save first
###################################################################
Migrating existing database spamassassin
Migrating existing database domains
Migrating existing database hosts
Migrating existing database configuration
Migrating existing database yum_repositories
Migrating existing database accounts
Migrating existing database networks
Migrating existing database yum_installed
Migrating existing database yum_available
Migrating existing database yum_updates
Migrating existing database mailpatterns
Migrating existing database backups
  Verifying  : smeserver-letsencrypt-0.2-5.noarch                           1/2
  Verifying  : letsencrypt.sh-0.0.9.160523.gitd5b2858-1.noarch              2/2

Installed:
  smeserver-letsencrypt.noarch 0:0.2-5

Dependency Installed:
  letsencrypt.sh.noarch 0:0.0.9.160523.gitd5b2858-1

Complete!

==============================================================
WARNING: You now need to run BOTH of the following commands
to ensure consistent system state:

signal-event post-upgrade; signal-event reboot

You should run these commands unless you are certain that
yum made no changes to your system.

Then ran :

Code: [Select]
expand-template /etc/httpd/conf/httpd.conf
service httpd-e-smith restart

Followed by adding db settings (set correct email domain):
Code: [Select]
# config setprop letsencypt email admin@myactualdomain.com

# config setprop letsencrypt status test

# db domains setprop myactualdomain.com letsencryptSSLcert enabled

# signal-event console-save



and am getting the following Error when running letsencrypt.sh -c -x

Code: [Select]
# letsencrypt.sh -c
# INFO: Using main config file /etc/letsencrypt.sh/config
+ Generating account key...
+ Registering account key with letsencrypt...
ERROR: domains.txt not found and --domain not given

If I look in the quote from Dan35 above I see that in /etc/letsencrypt.sh there is a file called domains.txt

Question: must this be manually created?
Does the "db domains setprop myactualdomain.com letsencryptSSLcert enabled" and "signal-event console-save" not create this file?

If I manually create the file /etc/letsencrypt.sh/domains.txt with the domain name in it, then the command letsencrypt.sh -c -x runs without errors


Offline ReetP

  • *
  • 3,940
  • +6/-0
Re: Thoughts on letsencrypt.com?
« Reply #156 on: June 09, 2016, 08:53:13 PM »
With the new version of letsencrypt.sh 'config.sh' was renamed to 'config' (their decision, not mine)

domains.txt should be created on a signal-event console-save

Can you do :

cat /etc/letsencrypt.sh/domains.txt

You shouldn't have to expand any templates such as httpd - it should be done for you on a console-save

Read here for more details on setup

https://github.com/reetp/smeserver-letsencrypt/tree/smeserver-letsencrypt-0.2

Make sure you use test mode until everything seems to work. Check your logs e.g. /var/log/messages for any processing errors.

Post back if you have issues.

B. Rgds
John

Offline Jean-Philippe Pialasse

  • *
  • 2,907
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Thoughts on letsencrypt.com?
« Reply #157 on: June 09, 2016, 09:21:17 PM »
warren,

maybe it is not created or empty if the domains / hosts configuration and individual domains are not set to enabled, which you did not describe in the steps you gave; check the new procedure of the newly built rpm.

Offline warren

  • *
  • 293
  • +0/-0
Re: Thoughts on letsencrypt.com?
« Reply #158 on: June 09, 2016, 09:30:43 PM »
Hi John
Quote
Posted by: ReetP
« on: Today at 04:53:13 AM »

domains.txt should be created on a signal-event console-save

I found that this was not the case. Error below is what set me to look to see if domains.txt had been created.

Quote

Posted by: warren
« on: Today at 04:04:30 AM »
# letsencrypt.sh -c
# INFO: Using main config file /etc/letsencrypt.sh/config
+ Generating account key...
+ Registering account key with letsencrypt...
ERROR: domains.txt not found and --domain not given


Quote
Can you do :

cat /etc/letsencrypt.sh/domains.txt

This file is there, I created it manually, and it contains the correct domain name in the following format:
Code: [Select]
myactualdomain.com

Offline warren

  • *
  • 293
  • +0/-0
Re: Thoughts on letsencrypt.com?
« Reply #159 on: June 09, 2016, 09:41:53 PM »
warren,

maybe it is not created or empty if the domains / hosts configuration and individual domains are not set to enabled, which you did not describe in the steps you gave; check the new procedure of the newly built rpm.

I ran the command to enable the domains as below :

I followed the wiki install instructions :

yum install smeserver-letsencrypt --enablerepo=reetp

.....
# After install please set your db keys
# Make sure you set the letsencrypt status key to test
# Enable some domains or hosts
# Then run the following
# signal-event console-save
# letsencrypt.sh -c
# Once you are satisfied set the letsencrypt status key to enabled
# mv /etc/letsencrypt.sh/private_key.pem /etc/letsencrypt.sh/private_key.test
# Run the letesencypt.sh file again to generate your keys
# signal-event console-save
# letsencrypt.sh -c -x
# Thereafter only use
# letsencrypt.sh -c
# If you make any key changes run console-save first

Then ran :

Code: [Select]
expand-template /etc/httpd/conf/httpd.conf
service httpd-e-smith restart

Followed by adding db settings (set correct email domain):
# config setprop letsencypt email admin@myactualdomain.com

# config setprop letsencrypt status test

# db domains setprop myactualdomain.com letsencryptSSLcert enabled

# signal-event console-save


....



Also seems to be a disconnect between wiki instructions and those on https://github.com/reetp/smeserver-letsencrypt/blob/smeserver-letsencrypt-0.2/README.md


Offline ReetP

  • *
  • 3,940
  • +6/-0
Re: Thoughts on letsencrypt.com?
« Reply #160 on: June 09, 2016, 11:17:22 PM »
Found a typo (doing stuff in a hurry) - if you had looked in /var/log/messages first you would have seen it immediately no doubt (always check logs first - it helps a lot)

Try the following:

The following default db key should really be none and not all :

To check:

Code: [Select]
cat /etc/e-smith/db/configuration/defaults/letsencrypt/configure
If it says all then change it :

Code: [Select]
sed -i 's/all/none/' /etc/e-smith/db/configuration/defaults/letsencrypt/configure
Copy your file out of the way for safety

Code: [Select]
cp /etc/e-smith/templates/etc/letsencrypt.sh/domains.txt/10Domains ~/10Domains.backup
Fix my dodgy typos

Code: [Select]
sed -i 's/encypt/encrypt/g' /etc/e-smith/templates/etc/letsencrypt.sh/domains.txt/10Domains
Expand the template

Code: [Select]
expand-template /etc/letsencrypt.sh/domains.txt
And check

Code: [Select]
cat /etc/letsencrypt.sh/domains.txt
That should fix it and I'll push a fixed rpm tomorrow

Try varying the settings in test mode (followed by a console-save for each change) and run letsencrypt.sh and see what happens. Check your logs.....


Notes.....

1. You do not need to expand the httpd template or restart httpd with the rpm. It does this automagically for you (the wiki is incorrect as a console-save does this for you)
2. Yes, there may be difference between git and the wiki. This was built for my use and I give no guarantees on anything else..... I have been busy lately, updated git but not the wiki for v0.2

Thanks for taking the time to report this.

B. rgds
John

Offline ReetP

  • *
  • 3,940
  • +6/-0
Re: Thoughts on letsencrypt.com?
« Reply #161 on: June 09, 2016, 11:33:38 PM »
0.2-6 in repo now - with above fixes.

Code: [Select]
yum --enablerepo=reetp install smeserver-letsencrypt
Please let me know what happens.

B. Rgds
John

Offline ReetP

  • *
  • 3,940
  • +6/-0
Re: Thoughts on letsencrypt.com?
« Reply #162 on: June 09, 2016, 11:42:34 PM »
Note I have also spotted a cockup in the file handling department in the spec file - it won't affect anything - it's just there to move old files out of the way. Will fix later.

Offline warren

  • *
  • 293
  • +0/-0
Re: Thoughts on letsencrypt.com?
« Reply #163 on: June 10, 2016, 12:03:53 AM »
Busy testing now... will revert.

Note: Also spelling errors in both the wiki https://wiki.contribs.org/Letsencrypt#Install_with_John_Crisp_contrib (I have highlighted the incorrect spelling in red)
Quote
set email

 config setprop letsencypt email my@email.com

and https://github.com/reetp/smeserver-letsencrypt/blob/smeserver-letsencrypt-0.2/README.md

Quote
config setprop letsencypt email (defaults to empty)
config setprop letsencypt keysize (defaults to 4096)

Offline ReetP

  • *
  • 3,940
  • +6/-0
Re: Thoughts on letsencrypt.com?
« Reply #164 on: June 10, 2016, 12:08:27 AM »
Cool. Way past my bed time but will fix on the morning.

B. Rgds
John