Koozali.org: home of the SME Server

Thoughts on letsencrypt.com?

KevinG
Re: Thoughts on letsencrypt.com?
« Reply #60 on: December 09, 2015, 09:10:47 PM »
Why are you suggesting server only mode is not supported?

The first test box I set up was server only and worked fine.

Am I missing something?

Ah, I think if it was behind a NAT router you would have problems, but if it is straight on a public IP it is fine. So we probably need a note about NAT, or a recommendation to set up and renew with a direct connection?

Once you have the certificates they seem to work ok through the NAT (I can double check at the office tomorrow)

Apologies that this is a bit of a ramble.

Kevin

DanB35
Re: Thoughts on letsencrypt.com?
« Reply #61 on: December 09, 2015, 10:20:15 PM »
Maybe we need to add to the wiki page that server-gateway mode is the only supported mode?
Since this isn't really "supported" at all (it isn't even a contrib yet, much less part of the official distro), and SSL certificates certainly ought to work in server-only mode, I wouldn't think a note like this would really be appropriate. I've added a statement to the prerequisites that port 80 must be open to the outside (I don't believe it's the case that both ports 80 and 443 need to be open for the client to run, but obviously 443 needs to be open for the normal use of the certificate), which I'd think would really be adequate.

guest22

Re: Thoughts on letsencrypt.com?
« Reply #62 on: December 09, 2015, 10:25:15 PM »
Good enough for me :-)


psss, did you know that SME Server 9.1 just got released....

DanB35
Re: Thoughts on letsencrypt.com?
« Reply #63 on: December 09, 2015, 10:44:48 PM »
psss, did you know that SME Server 9.1 just got released....
Nope, there's no release announcement here in the forums, and I don't visit the contribs.org home page that often.  Can I upgrade from 9.0 using yum, or do I need to download the ISO, down the server, boot from the ISO, and do an upgrade that way?

KevinG
Re: Thoughts on letsencrypt.com?
« Reply #64 on: December 09, 2015, 10:52:47 PM »
And there was me thinking I'd get a break from SME for a bit tomorrow :wink:

guest22

Re: Thoughts on letsencrypt.com?
« Reply #65 on: December 09, 2015, 10:54:07 PM »
Nope, there's no release announcement here in the forums, and I don't visit the contribs.org home page that often.  Can I upgrade from 9.0 using yum, or do I need to download the ISO, down the server, boot from the ISO, and do an upgrade that way?


It's just hitting the mirrors for the next 48 hours. Yum will do the trick.

DanB35
Re: Thoughts on letsencrypt.com?
« Reply #66 on: December 09, 2015, 10:55:26 PM »
Great!  I assume release notes will be posted shortly?

KevinG
Re: Thoughts on letsencrypt.com?
« Reply #67 on: December 09, 2015, 10:57:40 PM »
It's not on the UK mirror, but have downloaded from

http://sme-mirror.firewall-services.com/releases/9.1/iso/x86_64/

guest22

Re: Thoughts on letsencrypt.com?
« Reply #68 on: December 09, 2015, 10:59:01 PM »
Great!  I assume release notes will be posted shortly?


Announcement and release notes will follow shortly, after all mirrors have been synced. Just gave a heads up on what's coming...

adamcyberspace
Re: Thoughts on letsencrypt.com?
« Reply #69 on: December 09, 2015, 11:51:33 PM »
My issue is that I continued to create the certificates after I got an error message from Letsencrypt. This killed my web server. My server is set up in "server only" mode and I have all the right ports forwarded through the firewall. Are you saying that server only mode won't work? Why not?

guest22

Re: Thoughts on letsencrypt.com?
« Reply #70 on: December 09, 2015, 11:52:58 PM »
What's the error please? What do the logs say, what did you see?

DanB35
Re: Thoughts on letsencrypt.com?
« Reply #71 on: December 10, 2015, 12:27:38 AM »
My issue is that I continued to create the certificates after i got an error message from Letsencrypt.
What I think you did wasn't to create the certificates (it's the letsencrypt client and server that do that), but instead to set config database entries pointing to a certificate, chain, and key that didn't exist.  That would most definitely kill your web server.

The error message given by the client indicates that the letsencrypt server wasn't able to resolve livingnatural.com.au.  I don't know why that would be; I'm able to resolve it to 139.218.184.183.

I'd suggest trying again.  Do
# cd /opt/letsencrypt
# service httpd-e-smith stop    # free port 80 for the standalone challenge
# scl enable python27 bash      # scl needs a command to run; this opens a shell with python 2.7 on PATH
# ./letsencrypt-auto certonly --standalone --email adam@livingnatural.com.au -d livingnatural.com.au
# service httpd-e-smith start

...and stop there, and post the output here.  This should be safe to run, as it won't change any of your server configuration.  Also post the output of 'ls -l /etc/letsencrypt/live/livingnatural.com.au/'

BTW, do you want more than one host name on the certificate?  If I browse to livingnatural.com.au, I'm automatically redirected to www.livingnatural.com.au; wouldn't you want the www. hostname on the certificate as well?  If so, that's easy to do; just add "-d www.livingnatural.com.au" to the end of the letsencrypt-auto command.
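DanB35's diagnosis above (config database entries pointing at a certificate, chain and key that do not exist will take httpd down) suggests checking the files before any entry is pointed at them. The following is an added example, not code from the thread or from SME Server: it assumes the letsencrypt client's usual live-directory layout (cert.pem, chain.pem and privkey.pem under /etc/letsencrypt/live/<domain>/), the function and helper names are my own, and the demo helpers construct throw-away sample files in a temporary directory rather than touching a real server.

```python
"""Pre-flight check for a Let's Encrypt live directory before httpd is pointed at it.

Added example (not from the forum thread). Assumes the standard layout
/etc/letsencrypt/live/<domain>/{cert.pem,chain.pem,privkey.pem}.
"""
import os
import ssl
import tempfile

LIVE_FILES = ("cert.pem", "chain.pem", "privkey.pem")
# Accepted PEM headers per file (privkey.pem may be PKCS#8 or a traditional key).
PEM_PREFIXES = {
    "cert.pem": ("-----BEGIN CERTIFICATE-----",),
    "chain.pem": ("-----BEGIN CERTIFICATE-----",),
    "privkey.pem": ("-----BEGIN PRIVATE KEY-----",
                    "-----BEGIN RSA PRIVATE KEY-----",
                    "-----BEGIN EC PRIVATE KEY-----"),
}


def check_live_dir(live_dir):
    """Return a list of problems; an empty list means the files are safe to reference."""
    problems = []
    for name in LIVE_FILES:
        path = os.path.join(live_dir, name)
        # live/ normally holds symlinks into archive/; a dangling link fails isfile() too.
        if not os.path.isfile(path):
            problems.append("missing: " + path)
            continue
        with open(path, "rb") as fh:
            head = fh.read(64).decode("ascii", "replace")
        if not head.startswith(PEM_PREFIXES[name]):
            problems.append("not a PEM file: " + path)
    if problems:
        return problems
    # Load cert and key together: OpenSSL parses both and rejects a key that
    # does not belong to the certificate, which is exactly what would break httpd.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=os.path.join(live_dir, "cert.pem"),
                            keyfile=os.path.join(live_dir, "privkey.pem"))
    except ssl.SSLError as exc:
        problems.append("OpenSSL rejected cert/key pair: %s" % exc)
    return problems


def _write_fake_pem(live_dir):
    """Constructed sample: correct PEM headers wrapped around a nonsense body."""
    for name in LIVE_FILES:
        begin = PEM_PREFIXES[name][0]
        end = begin.replace("BEGIN", "END")
        with open(os.path.join(live_dir, name), "w") as fh:
            fh.write(begin + "\nbm90IGEgcmVhbCBjZXJ0\n" + end + "\n")


def check_empty_dir():
    """Scenario from the thread: entries set before any certificate was issued."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_live_dir(tmp)


def check_fake_pem_dir():
    """Scenario: files exist and look like PEM, but OpenSSL cannot use them."""
    with tempfile.TemporaryDirectory() as tmp:
        _write_fake_pem(tmp)
        return check_live_dir(tmp)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/live/livingnatural.com.au"
    for line in check_live_dir(target) or ["OK: cert, chain and key present and consistent"]:
        print(line)
```

Run it with the live directory as the only argument; a non-empty report means the config database entries should not be set yet. The header check is deliberately separate from the OpenSSL load so that "file missing" and "file unusable" are reported as different failures.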

adamcyberspace
Re: Thoughts on letsencrypt.com?
« Reply #72 on: December 10, 2015, 12:52:13 AM »
My server runs as a VM on Proxmox. Before installing Letsencrypt I took a snapshot. I have since restored to the working version. I did take a post-implementation snapshot with the broken config. When I get a chance I may restore to a new VM, but I suspect it may be quicker to snapshot again and start the letsencrypt install from scratch.

DanB35
Re: Thoughts on letsencrypt.com?
« Reply #73 on: December 10, 2015, 12:54:58 AM »
I'd suggest installing letsencrypt (which requires as prerequisites only installing scl-utils and python27 from the scl-python27 repository), and then taking a snapshot before running it.  Your server at that point should be in an entirely safe and consistent state.  Then try what I suggested above.

KevinG
Re: Thoughts on letsencrypt.com?
« Reply #74 on: December 10, 2015, 07:59:03 AM »
Adam

If letsencrypt gets as far as a can't-resolve error then python etc. is all in place OK and you have to be looking at a connectivity issue of some sort. I had the same error on a test box until I made it public facing.

I shall experiment with port forwarding through a NAT if I get a moment later (unless anyone else can report their experiences)
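Kevin's observation that the "can't resolve" error went away once the test box was public facing, together with Dan's prerequisite that port 80 be open to the outside, comes down to two preconditions that can be checked on the server itself before letsencrypt-auto --standalone is run: the host name resolves from the box, and port 80 is free for the standalone listener (httpd-e-smith stopped). The script below is an added example, not from the thread or from SME Server; the function names are my own. It cannot prove that port 80 is reachable from the internet through a NAT router, so that part still has to be confirmed from outside.

```python
"""Local pre-flight for the letsencrypt standalone (HTTP-01) challenge.

Added example, not from the forum thread. Checks what the server can verify
about itself; external reachability through NAT is out of scope here.
"""
import errno
import socket
import sys


def name_resolves(hostname):
    """Return the IPv4 address hostname resolves to from this host, or None."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def port_is_free(port, host="0.0.0.0"):
    """True if a listener could bind host:port right now (i.e. httpd is stopped)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return True
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return False
        raise  # e.g. PermissionError: binding port 80 needs root, same as letsencrypt-auto
    finally:
        sock.close()


def preflight(hostname, port=80):
    """Return a list of findings; an empty list means the local preconditions hold."""
    findings = []
    if name_resolves(hostname) is None:
        findings.append("%s does not resolve from this host" % hostname)
    if not port_is_free(port):
        findings.append("port %d is in use; stop httpd-e-smith before using --standalone" % port)
    return findings


def occupied_port_demo():
    """Constructed scenario: hold an ephemeral port the way a running httpd holds 80,
    then ask whether it is free. Returns False when the check works correctly."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind(("127.0.0.1", 0))
        holder.listen(1)
        port = holder.getsockname()[1]
        return port_is_free(port, "127.0.0.1")
    finally:
        holder.close()


if __name__ == "__main__":
    # Usage (as root, since port 80 is privileged): python preflight.py your.host.name
    host = sys.argv[1] if len(sys.argv) > 1 else "your.host.name"
    for line in preflight(host) or ["OK: name resolves and port 80 is free locally"]:
        print(line)
```

A clean local result plus a "can't resolve" error from the client points at the path between the internet and the box (NAT forwarding, firewall, or public DNS differing from what the server sees), which is the situation Kevin describes.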