Koozali.org: home of the SME Server

Thoughts on letsencrypt.com?

Offline warren

Re: Thoughts on letsencrypt.com?
« Reply #165 on: June 10, 2016, 11:44:11 AM »
Found a typo (doing stuff in a hurry) - if you had looked in /var/log/messages first you would have seen it immediately no doubt (always check logs first - it helps a lot)

Try the following:

The following default db key should really be none and not all :

To check:

Code:
cat /etc/e-smith/db/configuration/defaults/letsencrypt/configure

If it says all then change it:

Code:
sed -i 's/all/none/' /etc/e-smith/db/configuration/defaults/letsencrypt/configure

Copy your file out of the way for safety

Code:
cp /etc/e-smith/templates/etc/letsencrypt.sh/domains.txt/10Domains ~/10Domains.backup

Fix my dodgy typos

Code:
sed -i 's/encypt/encrypt/g' /etc/e-smith/templates/etc/letsencrypt.sh/domains.txt/10Domains

Expand the template

Code:
expand-template /etc/letsencrypt.sh/domains.txt

And check

Code:
cat /etc/letsencrypt.sh/domains.txt

That should fix it and I'll push a fixed rpm tomorrow

Try varying the settings in test mode (followed by a console-save for each change) and run letsencrypt.sh and see what happens. Check your logs.....


The above worked, with all variations of hosts / domains, thank you.

2. Yes, there may be difference between git and the wiki. This was built for my use and I give no guarantees on anything else..... I have been busy lately, updated git but not the wiki for v0.2

Thank you John for developing this. We all appreciate yours and all who contribute to Koozali SME Server, and all deserve to be bought a couple of :pint: :pint:

Have updated the wiki as well.


Offline warren

Re: Thoughts on letsencrypt.com?
« Reply #166 on: June 10, 2016, 11:45:42 AM »
0.2-6 in repo now - with above fixes.

Code:
yum --enablerepo=reetp install smeserver-letsencrypt

Please let me know what happens.

B. Rgds
John


Confirming that this works.

Offline ReetP

Re: Thoughts on letsencrypt.com?
« Reply #167 on: June 10, 2016, 12:07:54 PM »
Fantastic - thank you very much for testing and doing the wiki... !

There is one additional setting as per git - I have added this to the wiki:

Quote
You can now use a db entry to set all domains or hosts regardless of status

config setprop letsencrypt letsencryptConfig none| all | domains | hosts

default is none

If you set to domains it will enable ALL domains regardless of individual settings. Hosts will be per host as normal.
If you set to hosts it will enable ALL hosts regardless of individual settings. Domains will be per domain as normal
If you set to all it will enable ALL hosts AND domains regardless of individual settings.


I am trying to track updates to the letsencrypt.sh script and will release a new version of that if there are any serious bugs or required modifications.

Let me know if there are further issues.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline warren

Re: Thoughts on letsencrypt.com?
« Reply #168 on: June 10, 2016, 01:33:31 PM »
Thank you  :smile:

Just an observation, I need to re-test to make sure it was not a finger slip, but it seems that you need to add each individual host separately when doing:
db hosts setprop...

in that this did not seem to work:

Code:
db hosts setprop www.mydomain.com proxy.mydomain.com wpad.mydomain.com letsencryptSSLcert enabled
signal-event console-save

Instead you have to do each host individually:

Code:
db hosts setprop www.mydomain.com letsencryptSSLcert enabled
db hosts setprop wpad.mydomain.com letsencryptSSLcert enabled
...
signal-event console-save
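
What the two forms above do, as an added example that is not part of the original post or the contrib. It assumes the SME Server argument order "db <file> setprop <key> <prop> <value> [<prop> <value> ...]", under which the extra host names in the first command are read as a property and its value on www.mydomain.com; the helper names (explain_setprop, run, enable_le_hosts) are hypothetical, and nothing is executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread or the contrib.
# Assumes "db <file> setprop <key> <prop> <value> [<prop> <value> ...]".
# DRY_RUN=1 (the default) only prints the commands it would run.

# Print how setprop reads its arguments: first the key, then prop/value pairs.
explain_setprop() {
    key=$1; shift
    while [ $# -ge 2 ]; do
        echo "$key: $1=$2"
        shift 2
    done
    if [ $# -ne 0 ]; then echo "$key: leftover argument $1"; fi
}

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# One setprop per host, then a single console-save. Names that do not look
# like a host name are refused instead of being written to the hosts db.
enable_le_hosts() {
    bad=0
    changed=0
    for h in "$@"; do
        case $h in
            ""|*[!A-Za-z0-9.-]*|.*|*.|-*|*..*) valid=no ;;
            *.*) valid=yes ;;
            *) valid=no ;;
        esac
        if [ "$valid" = no ]; then
            echo "refusing host name: $h" >&2
            bad=$((bad + 1))
            continue
        fi
        run db hosts setprop "$h" letsencryptSSLcert enabled
        changed=$((changed + 1))
    done
    if [ "$changed" -gt 0 ]; then run signal-event console-save; fi
    [ "$bad" -eq 0 ]
}

# Constructed demo using the host names from the post above.
explain_setprop www.mydomain.com proxy.mydomain.com wpad.mydomain.com \
    letsencryptSSLcert enabled
enable_le_hosts www.mydomain.com proxy.mydomain.com wpad.mydomain.com
```

If the multi-host form was already run for real, "db hosts show www.mydomain.com" will list the stray proxy.mydomain.com property on that record.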


Offline ReetP

Re: Thoughts on letsencrypt.com?
« Reply #169 on: June 10, 2016, 02:22:14 PM »
Thank you  :smile:

Thanks where they are due :-)

Quote
Just an observation, I need to re-test to make sure it was not a finger slip, but it seems that you need to add each individual host separately when doing:
db hosts setprop...

in that this did not seem to work:

Code:
db hosts setprop www.mydomain.com proxy.mydomain.com wpad.mydomain.com letsencryptSSLcert enabled
signal-event console-save

Instead you have to do each host individually:

Code:
db hosts setprop www.mydomain.com letsencryptSSLcert enabled
db hosts setprop wpad.mydomain.com letsencryptSSLcert enabled
...
signal-event console-save

Quite possibly, but that would be a limitation/restriction of the current db system AFAIAA.

Only way round that 'easily' would be to have a server panel and a set of check boxes. I have never written a panel and am completely clueless about such things - quite frankly it's a miracle I a) coded something in perl and b) built a contrib/RPM

IF I ever get 3 minutes free I may have a look, but right now I am up to my neck in the smelly stuff !

B. Rgds
John

Offline Jean-Philippe Pialasse

Re: Thoughts on letsencrypt.com?
« Reply #170 on: June 10, 2016, 02:36:13 PM »
Thanks where they are due :-)

Quite possibly, but that would be a limitation/restriction of the current db system AFAIAA.

Only way round that 'easily' would be to have a server panel and a set of check boxes. I have never written a panel and am completely clueless about such things - quite frankly it's a miracle I a) coded something in perl and b) built a contrib/RPM

IF I ever get 3 minutes free I may have a look, but right now I am up to my neck in the smelly stuff !

B. Rgds
John

I may repeat myself, but instead of using one property as a switch for domains all or hosts, having
- property hosts enabled/disabled
- property domains enabled/disabled

and using these two values as the default behaviour to all domain/hosts that are not defined individually, you can do it easily ;) as I showed earlier
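
A side-by-side model of the rule quoted in Reply #167 and the defaults proposed in this reply, as an added example (not the contrib's template code). The host and domain records are constructed, and the function names select_current and select_proposed are hypothetical.

```shell
#!/bin/sh
# Added example: a model of the two selection rules discussed in this thread,
# not the contrib's template code. The records below are constructed.
# Format: <kind> <name> <letsencryptSSLcert value, or - when unset>
SAMPLE='domain mydomain.com enabled
domain mydomain.net -
host www.mydomain.com enabled
host proxy.mydomain.com disabled
host wpad.mydomain.com -'

# Current rule (Reply #167): letsencryptConfig forces a whole class on
# "regardless of individual settings"; everything else stays per entry.
select_current() {
    mode=$1
    case $mode in
        none|all|domains|hosts) ;;
        *) echo "unknown letsencryptConfig value: $mode" >&2; return 2 ;;
    esac
    printf '%s\n' "$SAMPLE" | while read -r kind name cert; do
        case "$mode:$kind" in
            all:*|domains:domain|hosts:host) echo "$name" ;;
            *) if [ "$cert" = enabled ]; then echo "$name"; fi ;;
        esac
    done
}

# Proposed rule (Reply #170): two defaults that apply only to entries with
# no individual setting, so an explicit enabled/disabled always wins.
select_proposed() {
    hosts_default=$1
    domains_default=$2
    printf '%s\n' "$SAMPLE" | while read -r kind name cert; do
        if [ "$cert" = "-" ]; then
            case $kind in
                host) cert=$hosts_default ;;
                domain) cert=$domains_default ;;
            esac
        fi
        if [ "$cert" = enabled ]; then echo "$name"; fi
    done
}

# proxy.mydomain.com is explicitly disabled: listed by the first call only.
select_current all
select_proposed enabled enabled
```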

Offline ReetP

Re: Thoughts on letsencrypt.com?
« Reply #171 on: June 10, 2016, 02:42:34 PM »
I may repeat myself, but instead of using one property as a switch for domains all or hosts, having
- property hosts enabled/disabled
- property domains enabled/disabled

and using these two values as the default behaviour to all domain/hosts that are not defined individually, you can do it easily ;) as I showed earlier

I get what you mean now. I can take a look when I get a moment.

guest22

Re: Thoughts on letsencrypt.com?
« Reply #172 on: June 14, 2016, 02:17:17 PM »
Anyone have some thoughts on mixed content on a Letsencrypt secured connection?

https://www.bennish.net/mixed-content.html

It seems it is possible to bypass HTTPS by embedding objects from non secure sites... In the above example you will see the https connection turn grey because http content is being embedded.


More info https://github.com/atmos/camo


Offline Daniel B.

Re: Thoughts on letsencrypt.com?
« Reply #173 on: June 14, 2016, 03:07:05 PM »
This is not Letsencrypt specific. Most browsers handle it in some way (either block mixed content, warn the user, mark the connexion as insecure)
It's the end of the world !!! :lol:

Offline piran

Re: Thoughts on letsencrypt.com?
« Reply #174 on: June 14, 2016, 03:11:36 PM »
>>Most browsers handle it in some way (either block mixed content, warn the user, mark the connexion as insecure)
Agreed. It's a feature. Useful when proofing an old http page into a new https page:-)

Offline DanB35

Re: Thoughts on letsencrypt.com?
« Reply #175 on: June 15, 2016, 12:38:39 AM »
This is not Letsencrypt specific.
Agreed.  My thought on mixed content is that it should be avoided when possible, but it isn't something that's really related to Let's Encrypt or any other CA.
......

Offline DanB35

Re: Thoughts on letsencrypt.com?
« Reply #176 on: June 25, 2016, 04:50:45 PM »
The official Let's Encrypt client has been renamed to certbot and moved to another location.  It still has the same dependency issues with SME9.  Since letsencrypt.sh has no dependency issues with SME8 or SME9, I propose removing the sections of the wiki that deal with the official client, and leaving the manual installation and use of letsencrypt.sh, and the section on John's contrib.  Thoughts?

guest22

Re: Thoughts on letsencrypt.com?
« Reply #177 on: June 25, 2016, 04:56:19 PM »
The official Let's Encrypt client has been renamed to certbot and moved to another location.  It still has the same dependency issues with SME9.  Since letsencrypt.sh has no dependency issues with SME8 or SME9, I propose removing the sections of the wiki that deal with the official client, and leaving the manual installation and use of letsencrypt.sh, and the section on John's contrib.  Thoughts?


Agree, we should remove it. We can only document what we can support and what works stable for Koozali SME Server.

Offline piran

Re: Thoughts on letsencrypt.com?
« Reply #178 on: June 25, 2016, 05:02:50 PM »
>>Thoughts?
Agreed.

Offline DanB35

Re: Thoughts on letsencrypt.com?
« Reply #179 on: June 25, 2016, 05:06:51 PM »
Done.

The procedures for generating certs for internal servers will need to be updated, as they were also written for the official client.  I didn't want to remove the topic heading, but I have a warning box there now.