Topic: StartSSL Issue

[nicolatiana]

Hi everybody

Has anyone recently tried to issue a free certificate with StartSSL ? The StartSSL control panel has been completely renewed and so the wiki explanations in the How-To section are no more consistent. Particularly I'm not able to identify which are ca.pem and sub.class1.server.ca.pem certificate chain files to be downloaded and merged to create the pem file for SME.

Nicola

[guest22]

Nicola,


did you see the new Letsencrypt wiki page and the discussion on bugzilla?

[DanB35]

http://wiki.contribs.org/Letsencrypt

[nicolatiana]

Many thanks RequestedDeletion: no I did not realize about it. I will make some test on it. I was in great hurry to give a solution from remote so i reverted back to local c.a. for next days.

Just a question: the letsencrypt stuff is SME8 compatible ?

Nicola

[DanB35]

As far as I know, all the testing of letsencrypt has been done with SME 9.  I'll see if I can spin up an SME 8.1 VM to test it a little bit.

[DanB35]

Never mind--the method described on the wiki page depends on software collections, which are only available on SME 9 64-bit.  There's quite a bit of discussion on http://bugs.contribs.org/show_bug.cgi?id=8676 about using a different script, which shouldn't have any SME 9 dependencies, but I'm not aware of any place where it's written up nicely at this point.

[DanB35]

I've added some notes to the wiki on installing and using letsencrypt.sh.  No doubt it's rough at this point, but it should work on SME 8 as well as 9.  See http://wiki.contribs.org/Letsencrypt#Installation_of_Letsencrypt.sh

[brianr]

I've added a comment to your section which points out that scl-python27 is also still required. Else anyone who uses your link to the section may not have seen the requirement.

[DanB35]

I don't believe that's correct--letsencrypt.sh doesn't use python at all, as I understand it.  According to its README file, its only dependencies are openssl, curl, sed, grep, and mktemp.  What indicates to you that any version of Python (particularly 2.7) is required?

[brianr]

the refresh task looked as though it needed scl-python27 from your command.

If that is not the case, then please accept my apologies.

Here is the command you posted:

Code: [Select]

scl enable python27 '/opt/letsencrypt-renew.sh'

Edit: aha - I see that may not be the bit you put in.  However to run the refresh you will need python2.7?

[DanB35]

Ah, yes, I see why you'd think that.  The refresh task would be completely different with letsencrypt.sh, and I haven't written that up yet.

[brianr]

Ah, yes, I see why you'd think that.  The refresh task would be completely different with letsencrypt.sh, and I haven't written that up yet.

ok, I see - so we'd better take out my addition.  Perhaps a warning or something th that effect would be sensible?

[DanB35]

I just put in a placeholder for renewal using letsencrypt.sh.  Probably won't get to actually writing it until Monday or Tuesday, but it should at least make clearer that the existing instructions only apply to using the official client.

[brianr]

I just put in a placeholder for renewal using letsencrypt.sh.  Probably won't get to actually writing it until Monday or Tuesday, but it should at least make clearer that the existing instructions only apply to using the official client.

thanks.

[brianr]

I've tried this now on my 9.1 Server, but I got "Challenge invalid" from the primary domain when I tried to create the certs.

I can't find a description of what the package does to validate the domain. Does it need an A record pointing to the server?

I have Mx records pointing to it, but not A records, the server is on a dynamic IP address and uses a dyndns domain to track the IP address (mmm - perhaps that means it will never work?)

PS - perhaps I only need an internal Cert, so that the local PCs outlook etc work seamlessly.

[DanB35]

I'm not certain exactly what type of DNS record would be required, but I believe it would be either an A or a CNAME record.  For each hostname for which you're seeking a cert, the ACME server tries to connect to http://$HOSTNAME/.well-known/acme-challenge/$LONGSTRING and ensure that file contains the correct contents.  $LONGSTRING and its contents both look random, but are in fact cryptographically generated somehow.

[brianr]

I'm not certain exactly what type of DNS record would be required, but I believe it would be either an A or a CNAME record.  For each hostname for which you're seeking a cert, the ACME server tries to connect to http://$HOSTNAME/.well-known/acme-challenge/$LONGSTRING and ensure that file contains the correct contents.  $LONGSTRING and its contents both look random, but are in fact cryptographically generated somehow.

aha - that is very useful, I'll see if I can arrange that!!

[DanB35]

I've made some significant revisions to the letsencrypt.sh portions of the wiki page--the installation process is revised, and the renewal process is added.  It should work on SME 8.x as well as 9.x.

Edit:  There's also an RPM in development which will probably take away most of the manual work in this, but I don't know when we should expect to see it released.

[ReetP]

I've added some notes to the wiki on installing and using letsencrypt.sh.  No doubt it's rough at this point, but it should work on SME 8 as well as 9.  See http://wiki.contribs.org/Letsencrypt#Installation_of_Letsencrypt.sh

Dan,

could you add some notes about the contrib I am trying to build ?

For those interested see http://bugs.contribs.org/show_bug.cgi?id=8676

http://www.reetspetit.com/smeserver/6/repoview/smeserver-letsencrypt.html

http://wiki.contribs.org/User:ReetP

https://github.com/reetp/smeserver-letsencrypt/tree/smeserver-letsencrypt-0.1

We may get some help testing, and then everyone is using the same software

Although this is technically built for v9 as far as I am aware it should build and run on v8 currently

B. Rgds
John

[DanB35]

could you add some notes about the contrib I am trying to build?

Glad to.  Would you like me to simply note that a contrib is under development, or link to the bug/repo page/something else?

[ReetP]

Glad to.  Would you like me to simply note that a contrib is under development, or link to the bug/repo page/something else?

Whatever you want - more the better I guess !

Would normally do it myself but would be grateful if you could take that off my hands right now...

B. Rgds
John

[DanB35]

I added a note under Introduction.

[ReetP]

I added a note under Introduction.

Thank you. All a bit messy here right now as you can imagine.

[DanB35]

Indeed.  I considered trying to document the contrib, but I thought it better to let it settle a bit first.  In the meantime, there's notice that there's one in progress, and pointers to more info.

[DanB35]

Update:  It turns out that letsencrypt.sh currently relies on a feature of sed that isn't present in SME 8.  Hopefully this will be resolved shortly, but until then, don't expect that the instructions on the wiki will work.  Check out the bug tracker for all the details.

[ReetP]

Update:  It turns out that letsencrypt.sh currently relies on a feature of sed that isn't present in SME 8.  Hopefully this will be resolved shortly, but until then, don't expect that the instructions on the wiki will work.  Check out the bug tracker for all the details.

Seems they have fixed it.

Just updating things now.

http://bugs.contribs.org/show_bug.cgi?id=8676

[brianr]

I have started a bugzilla entry for the server panel to go with this.

http://bugs.contribs.org/show_bug.cgi?id=9196

All contributions gratefully accepted!