Koozali.org: home of the SME Server

StartSSL Issue

Offline nicolatiana

StartSSL Issue
« on: January 08, 2016, 11:30:39 AM »
Hi everybody

Has anyone recently tried to issue a free certificate with StartSSL? The StartSSL control panel has been completely renewed, so the wiki explanations in the How-To section are no longer consistent with it. In particular, I'm not able to identify which ca.pem and sub.class1.server.ca.pem certificate chain files are to be downloaded and merged to create the pem file for SME.

Nicola
Consulente di Smeserver.it -  Soluzioni e supporto su Sme server in Italia.

guest22

Re: StartSSL Issue
« Reply #1 on: January 08, 2016, 12:26:38 PM »
Nicola,


did you see the new Letsencrypt wiki page and the discussion on bugzilla?

Offline DanB35

Re: StartSSL Issue
« Reply #2 on: January 08, 2016, 01:13:06 PM »

Offline nicolatiana

Re: StartSSL Issue
« Reply #3 on: January 08, 2016, 03:57:10 PM »
Many thanks RequestedDeletion: no, I did not know about it. I will run some tests on it. I was in a great hurry to give a solution remotely, so I reverted back to the local CA for the next few days.

Just a question: is the letsencrypt stuff SME8 compatible?

Nicola

Offline DanB35

Re: StartSSL Issue
« Reply #4 on: January 08, 2016, 04:02:58 PM »
As far as I know, all the testing of letsencrypt has been done with SME 9.  I'll see if I can spin up an SME 8.1 VM to test it a little bit.

Offline DanB35

Re: StartSSL Issue
« Reply #5 on: January 08, 2016, 04:15:21 PM »
Never mind--the method described on the wiki page depends on software collections, which are only available on SME 9 64-bit.  There's quite a bit of discussion on http://bugs.contribs.org/show_bug.cgi?id=8676 about using a different script, which shouldn't have any SME 9 dependencies, but I'm not aware of any place where it's written up nicely at this point.

Offline DanB35

Re: StartSSL Issue
« Reply #6 on: January 08, 2016, 10:46:01 PM »
I've added some notes to the wiki on installing and using letsencrypt.sh.  No doubt it's rough at this point, but it should work on SME 8 as well as 9.  See http://wiki.contribs.org/Letsencrypt#Installation_of_Letsencrypt.sh

Offline brianr

Re: StartSSL Issue
« Reply #7 on: January 09, 2016, 09:05:58 AM »
I've added a comment to your section which points out that scl-python27 is also still required. Otherwise anyone who uses your link to the section may not see the requirement.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Offline DanB35

Re: StartSSL Issue
« Reply #8 on: January 09, 2016, 12:25:49 PM »
I don't believe that's correct--letsencrypt.sh doesn't use python at all, as I understand it.  According to its README file, its only dependencies are openssl, curl, sed, grep, and mktemp.  What indicates to you that any version of Python (particularly 2.7) is required?

Offline brianr

Re: StartSSL Issue
« Reply #9 on: January 09, 2016, 01:06:23 PM »
The refresh task looked as though it needed scl-python27, judging from your command.

If that is not the case, then please accept my apologies.

Here is the command you posted:

Code: [Select]
scl enable python27 '/opt/letsencrypt-renew.sh'

Edit: aha - I see that may not be the bit you put in. However, to run the refresh you will need python2.7?

Offline DanB35

Re: StartSSL Issue
« Reply #10 on: January 09, 2016, 01:08:15 PM »
Ah, yes, I see why you'd think that.  The refresh task would be completely different with letsencrypt.sh, and I haven't written that up yet.

Offline brianr

Re: StartSSL Issue
« Reply #11 on: January 09, 2016, 01:10:01 PM »
Quote from: DanB35 on January 09, 2016, 01:08:15 PM
Ah, yes, I see why you'd think that.  The refresh task would be completely different with letsencrypt.sh, and I haven't written that up yet.

OK, I see - so we'd better take out my addition. Perhaps a warning or something to that effect would be sensible?

Offline DanB35

Re: StartSSL Issue
« Reply #12 on: January 10, 2016, 01:15:51 AM »
I just put in a placeholder for renewal using letsencrypt.sh.  Probably won't get to actually writing it until Monday or Tuesday, but it should at least make clearer that the existing instructions only apply to using the official client.

Offline brianr

Re: StartSSL Issue
« Reply #13 on: January 10, 2016, 09:10:23 AM »
Quote from: DanB35 on January 10, 2016, 01:15:51 AM
I just put in a placeholder for renewal using letsencrypt.sh.  Probably won't get to actually writing it until Monday or Tuesday, but it should at least make clearer that the existing instructions only apply to using the official client.

thanks.

Offline brianr

Re: StartSSL Issue
« Reply #14 on: January 12, 2016, 10:52:14 AM »
I've tried this now on my 9.1 Server, but I got "Challenge invalid" from the primary domain when I tried to create the certs.

I can't find a description of what the package does to validate the domain. Does it need an A record pointing to the server?

I have MX records pointing to it, but not A records; the server is on a dynamic IP address and uses a dyndns domain to track the IP address (mmm - perhaps that means it will never work?)

PS - perhaps I only need an internal cert, so that the local PCs' Outlook etc. work seamlessly.
« Last Edit: January 12, 2016, 11:24:39 AM by brianr »

Offline DanB35

Re: StartSSL Issue
« Reply #15 on: January 12, 2016, 11:16:28 AM »
I'm not certain exactly what type of DNS record would be required, but I believe it would be either an A or a CNAME record.  For each hostname for which you're seeking a cert, the ACME server tries to connect to http://$HOSTNAME/.well-known/acme-challenge/$LONGSTRING and ensure that file contains the correct contents.  $LONGSTRING and its contents both look random, but are in fact cryptographically generated somehow.
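The HTTP-01 exchange described in the reply above, worked through as an added example (this is not code from letsencrypt.sh, the official client, or the SME wiki). The "long string" is a random token the CA hands to the client; the body the server must serve under /.well-known/acme-challenge/ is that token joined with a dot to the RFC 7638 thumbprint of the account's public key, so it is reproducible only by the holder of the account key. The validator resolves the hostname (A or AAAA, following a CNAME if one is set), fetches that path on port 80, and compares the body; any mismatch is reported as an invalid challenge. The RSA modulus and exponent below are tiny, constructed values used only to exercise the encoding, not a real key.

```python
"""ACME HTTP-01 key authorization, client side and validator side.

Added example, not code from letsencrypt.sh or the SME wiki.  The public-key
numbers used in __main__ are CONSTRUCTED toy values; a real ACME account key
is a 2048-bit-or-larger RSA key (or an EC P-256 key).
"""
import base64
import hashlib
import json
import secrets
from typing import Dict


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME/JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def int_to_b64url(n: int) -> str:
    """Big-endian, minimal-length unsigned integer, as JWK 'n' and 'e' require."""
    return b64url(n.to_bytes((n.bit_length() + 7) // 8, "big"))


def rsa_jwk(n: int, e: int) -> Dict[str, str]:
    """JWK for an RSA public key (only the public members)."""
    return {"kty": "RSA", "n": int_to_b64url(n), "e": int_to_b64url(e)}


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the *required* members only,
    keys in lexicographic order, no whitespace.  Optional members such as
    'use' or 'kid' must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def new_token() -> str:
    """CA side: 32 random bytes, base64url -> the 43-character 'long string'."""
    return b64url(secrets.token_bytes(32))


def challenge_path(token: str) -> str:
    """URL path the CA will request on http://<hostname>/ (port 80)."""
    return "/.well-known/acme-challenge/" + token


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """Client side: the exact body to publish at challenge_path(token)."""
    return token + "." + jwk_thumbprint(account_jwk)


def validator_check(served_body: str, token: str, account_jwk: Dict[str, str]) -> bool:
    """Validator side: after resolving the name and fetching the path, accept
    the body only if it equals the expected key authorization (a trailing
    newline is tolerated).  Anything else ends as 'Challenge invalid'."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


if __name__ == "__main__":
    account = rsa_jwk(3233, 17)            # constructed toy key, not a real one
    other_account = rsa_jwk(3233, 65537)   # a different key: wrong thumbprint
    token = new_token()
    body = key_authorization(token, account)
    print("GET http://<hostname>" + challenge_path(token))
    print("expected body:", body)
    print("right key  ->", validator_check(body + "\n", token, account))
    print("other key  ->", validator_check(key_authorization(token, other_account), token, account))
```

Two practical consequences follow from this: the hostname in the certificate request must resolve to the machine that will answer the HTTP request at validation time (a dynamic-DNS name is fine as long as it is current and port 80 is reachable from the Internet), and MX records alone do not help, because the validator never consults them.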

Offline brianr

Re: StartSSL Issue
« Reply #16 on: January 12, 2016, 12:34:51 PM »
Quote from: DanB35 on January 12, 2016, 11:16:28 AM
I'm not certain exactly what type of DNS record would be required, but I believe it would be either an A or a CNAME record.  For each hostname for which you're seeking a cert, the ACME server tries to connect to http://$HOSTNAME/.well-known/acme-challenge/$LONGSTRING and ensure that file contains the correct contents.  $LONGSTRING and its contents both look random, but are in fact cryptographically generated somehow.

aha - that is very useful, I'll see if I can arrange that!!

Offline DanB35

Re: StartSSL Issue
« Reply #17 on: January 13, 2016, 03:37:57 PM »
I've made some significant revisions to the letsencrypt.sh portions of the wiki page--the installation process is revised, and the renewal process is added.  It should work on SME 8.x as well as 9.x.

Edit:  There's also an RPM in development which will probably take away most of the manual work in this, but I don't know when we should expect to see it released.
« Last Edit: January 13, 2016, 03:54:55 PM by DanB35 »

Offline ReetP

Re: StartSSL Issue
« Reply #18 on: January 13, 2016, 04:45:08 PM »
Quote from: DanB35 on January 08, 2016, 10:46:01 PM
I've added some notes to the wiki on installing and using letsencrypt.sh.  No doubt it's rough at this point, but it should work on SME 8 as well as 9.  See http://wiki.contribs.org/Letsencrypt#Installation_of_Letsencrypt.sh

Dan,

could you add some notes about the contrib I am trying to build?

For those interested see http://bugs.contribs.org/show_bug.cgi?id=8676

http://www.reetspetit.com/smeserver/6/repoview/smeserver-letsencrypt.html

http://wiki.contribs.org/User:ReetP

https://github.com/reetp/smeserver-letsencrypt/tree/smeserver-letsencrypt-0.1

We may get some help testing, and then everyone is using the same software :-)

Although this is technically built for v9, as far as I am aware it should build and run on v8 currently.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline DanB35

Re: StartSSL Issue
« Reply #19 on: January 13, 2016, 06:34:42 PM »
Quote from: ReetP on January 13, 2016, 04:45:08 PM
could you add some notes about the contrib I am trying to build?
Glad to.  Would you like me to simply note that a contrib is under development, or link to the bug/repo page/something else?

Offline ReetP

Re: StartSSL Issue
« Reply #20 on: January 13, 2016, 06:47:57 PM »
Quote from: DanB35 on January 13, 2016, 06:34:42 PM
Glad to.  Would you like me to simply note that a contrib is under development, or link to the bug/repo page/something else?

Whatever you want - the more the better, I guess!

Would normally do it myself but would be grateful if you could take that off my hands right now...

B. Rgds
John

Offline DanB35

Re: StartSSL Issue
« Reply #21 on: January 13, 2016, 07:22:20 PM »
I added a note under Introduction.

Offline ReetP

Re: StartSSL Issue
« Reply #22 on: January 13, 2016, 08:03:47 PM »
Quote from: DanB35 on January 13, 2016, 07:22:20 PM
I added a note under Introduction.

Thank you. All a bit messy here right now as you can imagine.

Offline DanB35

Re: StartSSL Issue
« Reply #23 on: January 13, 2016, 08:29:26 PM »
Indeed.  I considered trying to document the contrib, but I thought it better to let it settle a bit first.  In the meantime, there's notice that there's one in progress, and pointers to more info.

Offline DanB35

Re: StartSSL Issue
« Reply #24 on: January 16, 2016, 07:37:32 PM »
Update:  It turns out that letsencrypt.sh currently relies on a feature of sed that isn't present in SME 8.  Hopefully this will be resolved shortly, but until then, don't expect that the instructions on the wiki will work.  Check out the bug tracker for all the details.

Offline ReetP

Re: StartSSL Issue
« Reply #25 on: January 16, 2016, 11:19:40 PM »
Quote from: DanB35 on January 16, 2016, 07:37:32 PM
Update:  It turns out that letsencrypt.sh currently relies on a feature of sed that isn't present in SME 8.  Hopefully this will be resolved shortly, but until then, don't expect that the instructions on the wiki will work.  Check out the bug tracker for all the details.

Seems they have fixed it.

Just updating things now.

http://bugs.contribs.org/show_bug.cgi?id=8676

Offline brianr

Re: StartSSL Issue
« Reply #26 on: January 21, 2016, 05:23:59 PM »
I have started a bugzilla entry for the server panel to go with this.

http://bugs.contribs.org/show_bug.cgi?id=9196

All contributions gratefully accepted!