Koozali.org: home of the SME Server

StartSSL Issue

nicolatiana
StartSSL Issue
« on: January 08, 2016, 11:30:39 AM »
Hi everybody

Has anyone recently tried to issue a free certificate with StartSSL? The StartSSL control panel has been completely renewed, so the explanations in the wiki How-To section no longer match it. In particular, I am not able to identify which files are the ca.pem and sub.class1.server.ca.pem certificate-chain files that have to be downloaded and merged to create the PEM file for SME.

Nicola
Consulente di Smeserver.it -  Soluzioni e supporto su Sme server in Italia.
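Added example, not part of the thread or the SME wiki: whatever the renewed StartSSL panel calls its downloads, the chain file a server needs is only the intermediate that issued your certificate followed by the root, and openssl can tell you whether you picked the right two files before you hand the result to the web server. The script below builds such a chain file (refusing anything that is not a certificate, e.g. an HTML page saved by mistake), checks that the first certificate in it is the issuer of the server certificate, and runs a full path validation. The root/intermediate/server chain it exercises is generated inline and is constructed for the demo; the file names and the www.example.test hostname are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki or the thread): assemble a CA chain file
# from the intermediate (sub.class1.server.ca.pem in the thread) and the
# root (ca.pem), then prove the server certificate chains through it.
# Order matters: the certificate that signed the leaf comes first, root last.
set -u

# Number of PEM certificates in a file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print only the first PEM certificate of a bundle.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# Normalise "subject=CN = X" (or "subject= /CN=X" on old openssl) to the DN only.
dn_of() {
    sed 's/^[a-z]*= *//'
}

# build_chain OUT INTERMEDIATE... ROOT
# Concatenate CA certificates in the order given; refuse any input that
# openssl cannot parse as a certificate.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        openssl x509 -noout -in "$f" 2>/dev/null || { echo "not a certificate: $f" >&2; return 1; }
        cat "$f" >> "$out"
        # A file without a trailing newline would glue two PEM blocks together.
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
    done
}

# The first certificate in the chain must be the one that issued the leaf.
chain_order_ok() {
    leaf=$1; chain=$2
    issuer=$(openssl x509 -noout -issuer -in "$leaf" | dn_of)
    top=$(first_cert "$chain" | openssl x509 -noout -subject | dn_of)
    [ "$issuer" = "$top" ]
}

# Full path validation of the leaf against a trust bundle (intermediate + root).
verify_leaf() {
    leaf=$1; trust=$2
    openssl verify -CAfile "$trust" "$leaf" >/dev/null 2>&1
}

# Constructed for the demo: a throw-away root -> intermediate -> server chain.
make_toy_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Toy Root' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -set_serial 1 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Toy Intermediate' \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -days 2 -set_serial 2 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -days 2 -set_serial 3 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_toy_chain "$d"
    build_chain "$d/chain.pem" "$d/inter.pem" "$d/root.pem"
    echo "certificates in chain: $(count_certs "$d/chain.pem")"
    chain_order_ok "$d/leaf.pem" "$d/chain.pem" && echo "chain order: ok"
    verify_leaf "$d/leaf.pem" "$d/chain.pem" && echo "leaf verifies against chain: ok"
    verify_leaf "$d/leaf.pem" "$d/root.pem" || echo "leaf does NOT verify against the root alone (intermediate missing)"
    rm -rf "$d"
}
demo
```

The last line of the demo is the failure you get in practice when the wrong file was downloaded or the intermediate was left out: openssl reports "unable to get local issuer certificate", and browsers that do not fetch missing intermediates themselves show the same thing as an untrusted site.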

guest22

Re: StartSSL Issue
« Reply #1 on: January 08, 2016, 12:26:38 PM »
Nicola,


did you see the new Letsencrypt wiki page and the discussion on bugzilla?

DanB35
Re: StartSSL Issue
« Reply #2 on: January 08, 2016, 01:13:06 PM »

nicolatiana
Re: StartSSL Issue
« Reply #3 on: January 08, 2016, 03:57:10 PM »
Many thanks, RequestedDeletion: no, I did not know about it. I will run some tests on it. I was in a great hurry to provide a solution remotely, so I reverted to the local CA for the next few days.

Just a question: is the letsencrypt stuff SME8 compatible?

Nicola

DanB35
Re: StartSSL Issue
« Reply #4 on: January 08, 2016, 04:02:58 PM »
As far as I know, all the testing of letsencrypt has been done with SME 9.  I'll see if I can spin up an SME 8.1 VM to test it a little bit.

DanB35
Re: StartSSL Issue
« Reply #5 on: January 08, 2016, 04:15:21 PM »
Never mind--the method described on the wiki page depends on software collections, which are only available on SME 9 64-bit.  There's quite a bit of discussion on http://bugs.contribs.org/show_bug.cgi?id=8676 about using a different script, which shouldn't have any SME 9 dependencies, but I'm not aware of any place where it's written up nicely at this point.

DanB35
Re: StartSSL Issue
« Reply #6 on: January 08, 2016, 10:46:01 PM »
I've added some notes to the wiki on installing and using letsencrypt.sh.  No doubt it's rough at this point, but it should work on SME 8 as well as 9.  See http://wiki.contribs.org/Letsencrypt#Installation_of_Letsencrypt.sh

brianr
Re: StartSSL Issue
« Reply #7 on: January 09, 2016, 09:05:58 AM »
I've added a comment to your section pointing out that scl-python27 is also still required; otherwise anyone who uses your link to the section may not have seen the requirement.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.

DanB35
Re: StartSSL Issue
« Reply #8 on: January 09, 2016, 12:25:49 PM »
I don't believe that's correct--letsencrypt.sh doesn't use python at all, as I understand it.  According to its README file, its only dependencies are openssl, curl, sed, grep, and mktemp.  What indicates to you that any version of Python (particularly 2.7) is required?

brianr
Re: StartSSL Issue
« Reply #9 on: January 09, 2016, 01:06:23 PM »
The refresh task looked as though it needed scl-python27, judging from your command.

If that is not the case, then please accept my apologies.

Here is the command you posted:

Code:
    scl enable python27 '/opt/letsencrypt-renew.sh'

Edit: aha, I see that may not be the bit you put in. However, to run the refresh you will need python2.7?

DanB35
Re: StartSSL Issue
« Reply #10 on: January 09, 2016, 01:08:15 PM »
Ah, yes, I see why you'd think that.  The refresh task would be completely different with letsencrypt.sh, and I haven't written that up yet.

brianr
Re: StartSSL Issue
« Reply #11 on: January 09, 2016, 01:10:01 PM »
> Ah, yes, I see why you'd think that.  The refresh task would be completely different with letsencrypt.sh, and I haven't written that up yet.

OK, I see, so we'd better take out my addition. Perhaps a warning or something to that effect would be sensible?

DanB35
Re: StartSSL Issue
« Reply #12 on: January 10, 2016, 01:15:51 AM »
I just put in a placeholder for renewal using letsencrypt.sh.  Probably won't get to actually writing it until Monday or Tuesday, but it should at least make clearer that the existing instructions only apply to using the official client.

brianr
Re: StartSSL Issue
« Reply #13 on: January 10, 2016, 09:10:23 AM »
> I just put in a placeholder for renewal using letsencrypt.sh.  Probably won't get to actually writing it until Monday or Tuesday, but it should at least make clearer that the existing instructions only apply to using the official client.

thanks.

brianr
Re: StartSSL Issue
« Reply #14 on: January 12, 2016, 10:52:14 AM »
I've tried this now on my 9.1 server, but I got "Challenge invalid" from the primary domain when I tried to create the certs.

I can't find a description of what the package does to validate the domain. Does it need an A record pointing to the server?

I have MX records pointing to it, but not A records; the server is on a dynamic IP address and uses a dyndns domain to track the IP address (mmm, perhaps that means it will never work?).

PS: perhaps I only need an internal cert, so that the local PCs' Outlook etc. work seamlessly.
« Last Edit: January 12, 2016, 11:24:39 AM by brianr »
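Added example, not code from letsencrypt.sh, the official client or the wiki: what the "Challenge invalid" above is about. A shell ACME client like letsencrypt.sh uses the http-01 challenge of the ACME protocol (RFC 8555 section 8.1): the CA is told the domain, hands back a random token, and then resolves the name (A/AAAA records, CNAMEs such as a dyndns alias are followed; MX records play no part) and fetches http://<domain>/.well-known/acme-challenge/<token> on port 80. The body must be the token, a dot, and the RFC 7638 thumbprint of the account key. The script below computes that response with openssl only and writes the file where a web server would serve it, so you can curl it yourself before asking the CA to. The account key is generated on the fly and the token and webroot path are constructed for the demo; in real use the token comes from the CA and the webroot is whatever directory your server maps to "/".

```shell
#!/bin/sh
# Added example (not letsencrypt.sh code): the http-01 key authorization of
# RFC 8555, built with openssl, awk, sed and tr only.
set -u

# base64url without padding (RFC 4648 section 5), as JOSE/ACME require.
b64url() {
    openssl base64 -A | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

# hex -> raw bytes. Each byte becomes an octal escape that printf emits,
# which is POSIX-portable (bash's \xNN is not).
hex2bin() {
    printf "$(tr 'A-F' 'a-f' | awk '
        BEGIN { h = "0123456789abcdef" }
        {
            s = $0
            if (length(s) % 2) s = "0" s
            for (i = 1; i <= length(s); i += 2)
                printf "\\%03o", (index(h, substr(s, i, 1)) - 1) * 16 + index(h, substr(s, i + 1, 1)) - 1
        }')"
}

# Public exponent and modulus of the RSA account key, base64url encoded.
rsa_e_b64url() {
    e=$(openssl rsa -in "$1" -noout -text 2>/dev/null | awk '/publicExponent/ { print $2 }')
    printf '%x' "$e" | hex2bin | b64url
}
rsa_n_b64url() {
    openssl rsa -in "$1" -noout -modulus 2>/dev/null | cut -d= -f2 | hex2bin | b64url
}

# RFC 7638 JWK thumbprint: SHA-256 over the canonical JSON, members in
# lexicographic order, no whitespace.
jwk_thumbprint() {
    printf '{"e":"%s","kty":"RSA","n":"%s"}' "$(rsa_e_b64url "$1")" "$(rsa_n_b64url "$1")" \
        | openssl dgst -sha256 -binary | b64url
}

# key authorization = token "." thumbprint   (KEY TOKEN)
key_authorization() {
    printf '%s.%s' "$2" "$(jwk_thumbprint "$1")"
}

# Write the response where the CA will fetch it.  (KEY TOKEN WEBROOT)
# WEBROOT is the directory served as http://<domain>/ (assumed path).
serve_challenge() {
    key=$1; token=$2; webroot=$3
    mkdir -p "$webroot/.well-known/acme-challenge"
    key_authorization "$key" "$token" > "$webroot/.well-known/acme-challenge/$token"
    echo "$webroot/.well-known/acme-challenge/$token"
}

demo() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/account.key" 2048 2>/dev/null   # constructed throw-away account key
    token='DGyRejmCefe7v4NfDGDKfA'                           # constructed; a real one comes from the CA
    echo "thumbprint:        $(jwk_thumbprint "$d/account.key")"
    echo "key authorization: $(key_authorization "$d/account.key" "$token")"
    echo "written to:        $(serve_challenge "$d/account.key" "$token" "$d/webroot")"
    rm -rf "$d"
}
demo
```

Once the file is in place, `curl http://<domain>/.well-known/acme-challenge/<token>` from outside the LAN is the pre-flight check: if the name does not resolve to the server, port 80 is not forwarded, or the web server redirects the path somewhere else, the CA will see exactly the same failure and report the challenge as invalid.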