Koozali.org: home of the SME Server

SSL Certificate for different VirtualHost

michelandre
SSL Certificate for different VirtualHost
« on: February 24, 2016, 11:02:42 PM »
Hi all,

I have more than one web site on my SME-9.1 server. Each is in a different i-bay, and I would like each of them to have a different SSL Certificate.
- Lines 39-75 are original from my server (toto.org)
- Lines 52-54 are the original file locations for my server SSL files (Certificate for toto.org)

According to:
     42 ##  All SSL configuration in this context applies both to
     43 ##  the main server and all SSL-enabled virtual hosts
     44 ##      (unless overridden by virtual hosts)
Can I override it for another VirtualHost???

- Lines 93-95 are the 3 lines I would like to add for the file locations of the second certificate for the other web site (Certificate for titi.org)

QUESTIONS:
1) Is that the proper way to do that?
2) I will have to signal something (post-upgrade and reboot). Is there another way without a reboot?
3) What do I do with those 4 config setprop commands?
# config setprop modSSL crt /home/e-smith/ssl.crt/my-server-name.toto.org.crt
# config setprop modSSL key /home/e-smith/ssl.key/my-server-name.toto.org.key
# config setprop modSSL CertificateChainFile  /home/e-smith/bundle.crt
# config setprop modSSL CommonName www.toto.org
4) What about the command for the email?
# signal-event domain-modify  ;  signal-event email-update

Thank you,

Michel-André

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

From: https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

Next, in the NameVirtualHost directive list your server's public IP address, *:443, or other port you're using for SSL (see example below).
Then point the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to the locations of the certificate files for each website as shown below:

NameVirtualHost *:443
########################################################## this is like for toto.org  ???
<VirtualHost *:443>

 ServerName www.yoursite.com
 DocumentRoot /var/www/site
 SSLEngine on
 SSLCertificateFile /path/to/www_yoursite_com.crt
 SSLCertificateKeyFile /path/to/www_yoursite_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt

</VirtualHost>

########################################################## this is like for titi.org   ???
<VirtualHost *:443>
 ServerName www.yoursite2.com
 DocumentRoot /var/www/site2
 SSLEngine on
 SSLCertificateFile /path/to/www_yoursite2_com.crt
 SSLCertificateKeyFile /path/to/www_yoursite2_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
 
</VirtualHost>

###############

My SME-9.1 server: /etc/httpd/conf/httpd.conf

     38 ...
     39 ########################################################## for toto.org (I don't change anything)
     40 ##  SSL Global Context Configuration
     41 ##
     42 ##  All SSL configuration in this context applies both to
     43 ##  the main server and all SSL-enabled virtual hosts
     44 ##      (unless overridden by virtual hosts)
     45 ##
     46 <IfModule mod_ssl.c>
     47 Listen 0.0.0.0:443
     48
     49 SSLEngine off
     50 SSLProxyEngine On
     51
     52 SSLCertificateChainFile /home/e-smith/ssl.crt/bundle.crt
     53 SSLCertificateFile /home/e-smith/ssl.crt/my-server-name.toto.org.crt
     54 SSLCertificateKeyFile /home/e-smith/ssl.key/my-server-name.toto.org.key
     55
     56 SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
     57
     58 SSLPassPhraseDialog  builtin
     59
     60 SSLSessionCache         dbm:state/ssl_scache
     61
     62 SSLSessionCacheTimeout  300
     63 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
     64
     65 SSLMutex  file:state/ssl_mutex
     66
     67 SSLRandomSeed startup file:/dev/urandom 512
     68 SSLRandomSeed connect builtin
     69
     70 #SSLLogLevel info
     71 SSLProtocol all -SSLv3
     72 </IfModule>
     73 #
     74 #       END OF SSL GLOBAL CONTEXT CONFIGURATION
     75 #############################################
     76 ...
     77
     78 ...
     79 ############################################# for titi.org
     80
     81 <VirtualHost 0.0.0.0:443>
     82
     83     ServerName titi.org
     84     ServerAlias my-server-name.titi.org  ftp.titi.org  mail.titi.org  proxy.titi.org  wpad.titi.org  www.titi.org
     85
     86     DocumentRoot         /home/e-smith/files/ibays/server-ibay/html
     87     ScriptAlias /cgi-bin /home/e-smith/files/ibays/server-ibay/cgi-bin
     88     Alias       /files   /home/e-smith/files/ibays/server-ibay/files
     89
     90     # SSL Directives
     91     SSLEngine on
     92 ########################################################## for titi.org (I add the 3 lines below)
     93     SSLCertificateChainFile /home/e-smith/ssl.crt/bundle.crt
     94     SSLCertificateFile /home/e-smith/ssl.crt/my-server-name.titi.org.crt
     95     SSLCertificateKeyFile /home/e-smith/ssl.key/my-server-name.titi.org.key
     96
     97     RewriteEngine on
     98     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
     99     RewriteRule .* - [F]
    100 ...
    101 </VirtualHost>
    102 #############################################

warren
Re: SSL Certificate for different VirtualHost
« Reply #1 on: February 24, 2016, 11:50:55 PM »

janet
Re: SSL Certificate for different VirtualHost
« Reply #2 on: February 25, 2016, 12:26:50 AM »
michelandre

AFAIUI you have to incorporate all your domains into the one certificate (ie when you first create or request a commercial certificate).
If you add a domain to your server, then you need to recreate the certificate with the additional domain.

There is work being done here
https://wiki.contribs.org/Letsencrypt
which I believe will allow addition of certificates/domains more easily
but this is still a work in progress

Also see
https://forums.contribs.org/index.php/topic,51285.msg260489.html#msg260489
and
https://forums.contribs.org/index.php/topic,50665.msg255758.html#msg255758
« Last Edit: February 25, 2016, 12:29:11 AM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

michelandre
Re: SSL Certificate for different VirtualHost
« Reply #3 on: February 25, 2016, 01:01:53 AM »
Hi all,

- Thank you Warren.
I saw the page: https://wiki.contribs.org/Letsencrypt but it looked complicated. I prefer the free CAcert certificates. They are good for 6 months and they worked like a charm. It is possible to renew without a new CSR, just login, renew and install the new certificate for another 6 months with no need to reboot the server. It should be possible to script the new installation with the link sent with the renewal. I will look later at this.

- Thank you also Janet.

But again according to: https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm, it is possible by modifying the http.conf file.
Apache is Apache for all Linux, so it should work...

I restored my server in VirtualBox and made the NIC cards as HostOnly.

I can access my second domain with no problem. The https gives the original certificate.

Now I modified the /etc/httpd/conf/httpd.conf file and added the 3 lines after the:

# SSL Directives
   SSLEngine on

   SSLCertificateChainFile /home/e-smith/ssl.crt/titi.chain.crt  ############# 1
   SSLCertificateFile /home/e-smith/ssl.crt/titi_pub.crt ################## 2
   SSLCertificateKeyFile /home/e-smith/ssl.key/titi.priv.key ####### 3

To make them permanent, I tried with
# signal-event post-upgrade ; signal-event reboot
and the modifications are lost.

How can I make the 3 lines permanent???

- The link above gives another way: "Include my_other_site.conf"
- Then it should be possible to add a personal template or something like it???

Thank you,

Michel-André

janet
Re: SSL Certificate for different VirtualHost
« Reply #4 on: February 25, 2016, 01:40:50 AM »
michelandre

Re Letsencrypt, I recall reading that there is support for multiple certificates/domains, that's why I mentioned it, because that is what you were wanting.

Quote
....according to: https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm, it is possible by modifying the httpd.conf file. Apache is Apache for all Linux, so it should work...

As it is by default, SME server does not support what you want, but the links I gave you do refer to SNI, & Xavier gave some code.
So following the SNI concept should be possible.

Quote
Now I modified the /etc/httpd/conf/httpd.conf file and added the 3 lines after the:
# SSL Directives
........ 
To make them permanent, I tried with
# signal-event post-upgrade ; signal-event reboot
and the modifications are lost.

That is where you are going wrong; directly editing conf files is a no-no on SME server, as all changes will be lost upon reboot.
The recommended approach is to create a custom template, & your changes will be retained after a reconfigure & reboot.

Please see
https://wiki.contribs.org/Template_Tutorial
& more particularly
https://wiki.contribs.org/Template_Tutorial#httpd.conf

These are examples, so you will have to modify them to suit your needs, but the approach is the same & straight forward.

michelandre
Re: SSL Certificate for different VirtualHost
« Reply #5 on: February 25, 2016, 02:45:25 AM »
Hi all,

Thank you again Janet.

I think I found the way following: http://howto.landure.fr/gnu-linux/debian-4-0-etch/creer-un-certificat-ssl-multi-domaines

It is possible to have a multi domain certificate. I followed what is in that link and I got a multi domain certificate. The main site is *.toto.org then titi.org, titi-1.org, titi-2.org etc. I also tried with a dynamic dns (titi.no-ip.com) that point to toto.org and it is also included in the certificate.

I tested all in my virtual host using HostOnly NIC. It gives a black lock in Firefox, but if I look at the certificate, all the domains are included.

I will test on my live site in a few days to confirm it is working and I will try with toto.org for the main site without the "*".

The best forum, just a few hours and I am on the right track already.  8-)

CAcert at http://www.cacert.org is the best CA...  8-)

Thank you all

Michel-André

janet
Re: SSL Certificate for different VirtualHost
« Reply #6 on: February 25, 2016, 04:53:58 AM »
michelandre

Please add your steps to the wiki or just post them here to the forum & someone from the Documentation team will make it into a wiki article

Thanks in advance, as many people would like this facility & the easy steps to implement it.

michelandre
Re: SSL Certificate for different VirtualHost
« Reply #7 on: February 25, 2016, 07:33:46 AM »
Hi all,

For the main site: It works perfectly with Firefox, Chrome & IE. Green lock and certificate is OK, but the certificate displays *toto.org

Other domains: Google Chrome: (net::ERR_CERT_COMMON_NAME_INVALID), problem related to the chain (I will regenerate the chain next time.)
Other domains: IE, Red bar across the full URL field.

I think it will work for toto.org, titi.toto.org, titi-1.toto.org, if all are sub-domains???
I did the CSR with *toto.org

I tried to generate the CSR with www.toto.org and I was still able to add the other domains in the request.

I will try again in 1 or 2 days.

Michel-André  :-(

michelandre
Re: SSL Certificate for different VirtualHost
« Reply #8 on: February 25, 2016, 11:38:43 PM »
Hi all,

After many trials and errors, I definitely need "Server Name Indication" (SNI), which is beyond my capacities. :-(

Here is the command to generate a multi-domain CSR to submit at http://www.cacert.org
REFERENCE: http://howto.landure.fr/gnu-linux/debian-4-0-etch/creer-un-certificat-ssl-multi-domaines

Create a directory and cd into it.

# wget http://howto.landure.fr/gnu-linux/debian-4-0-etch/creer-un-certificat-ssl-multi-domaines/ca_openssl.cnf

# wget http://howto.landure.fr/gnu-linux/debian-4-0-etch/creer-un-certificat-ssl-multi-domaines/cert_manager.sh

# chmod +x cert_manager.sh

# ./cert_manager.sh --init
##### Enter your data

# ./cert_manager.sh --generate-csr="www.toto.org"
You will now be asked to give informations for your certificate authority.
Description du domaine [défaut : Toto-corp]: [ENTER]
Type de serveur [défault : HTTP server]: HTTPS server
Code de votre pays [défaut : CA]: [ENTER]
Nom de votre région [défaut : QC]: [ENTER]
Nom de votre ville [défaut : Montreal]: [ENTER]
Email de l'administrateur [défaut : toto@toto.org]: [ENTER]
Nom de votre domaine [défaut : www.toto.org]: [ENTER]
Noms de domaines supplémentaires, un par ligne. Finissez par une ligne vide.
SubjectAltName: DNS: titi-1.toto.org
SubjectAltName: DNS: titi-2.toto.org
SubjectAltName: DNS: [ENTER]
Generating a 2048 bit RSA private key
..................................................................+++
..........................................+++
writing new private key to './PRIVATE_KEYS/www.toto.org_key.pem'
-----
-----BEGIN CERTIFICATE REQUEST-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
-----END CERTIFICATE REQUEST-----

This should work if all the secondary domains are sub-domains of toto.org

Thank you all,

Michel-André

PS:
I want to test my setup.
Anyone interested in CAcert can get a PDF howto for SME server.
https://www.micronator.org/?product=sme-9-x-certificat-ssl-de-cacert

- Free of charge until end of April 2016 if you pay with Stripe using the credit card below.

Card number *: 4242424242424242
Expiry date (MM/YY) *: any date in the future
Pictogram *: 123

DanB35
Re: SSL Certificate for different VirtualHost
« Reply #9 on: February 26, 2016, 12:01:44 PM »
After many trials and errors, I definitely need "Server Name Indication" (SNI), which is beyond my capacities. :-(
Why do you need SNI?  What in particular needs separate certificates for different hosts?  You can have any number of hostnames on a single cert using SAN, and they don't have to be under the same domain (I have 10 hostnames across 3 different domains on one cert using Letsencrypt).
......
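
An added example, not from this thread, of the name check a browser runs before accepting a certificate for a hostname: it covers the wildcard case from Reply #7 (why "*.toto.org" covers titi-1.toto.org but not toto.org or titi.org, and why "*toto.org" covers nothing) and the multi-domain SAN list DanB35 describes. The certificate names and hostnames below are constructed for illustration.

```python
"""Browser-style check of a hostname against a certificate's names.
Added example with constructed names; it mirrors the check behind Chrome's
ERR_CERT_COMMON_NAME_INVALID rather than any SME Server code."""
from typing import Any, Dict, List, Optional


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if one dNSName (or CN) entry covers hostname.

    Rules as mainstream browsers apply them (a subset of RFC 6125 6.4.3):
      - case-insensitive, trailing dots ignored;
      - a wildcard must be the whole leftmost label, so "*toto.org" never
        matches anything;
      - "*" matches exactly one label: "*.toto.org" covers titi-1.toto.org
        but neither toto.org nor a.b.toto.org;
      - at least two labels must follow the wildcard ("*.org" is refused).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    return (len(h_labels) == len(p_labels) and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def hostname_covered(hostname: str, san_dns_names: List[str],
                     common_name: Optional[str] = None) -> bool:
    """Decide as a browser does whether the certificate is valid for hostname.
    Once a certificate carries any dNSName SAN entry the CN is ignored
    (RFC 6125 6.4.4); the CN is consulted only for certificates with no SAN."""
    names = san_dns_names if san_dns_names else ([common_name] if common_name else [])
    return any(dns_name_matches(name, hostname) for name in names)


def audit(cert_names: Dict[str, Any], hostnames: List[str]) -> Dict[str, bool]:
    """Map each hostname to whether the certificate would be accepted for it."""
    san = list(cert_names.get("san", []))
    cn = cert_names.get("cn")
    return {h: hostname_covered(h, san, cn) for h in hostnames}


# Constructed certificates, not the thread's real ones.
WILDCARD_CERT = {"cn": "*.toto.org",
                 "san": ["*.toto.org", "titi-1.toto.org", "titi-2.toto.org"]}
MULTI_DOMAIN_CERT = {"cn": "www.toto.org",
                     "san": ["www.toto.org", "toto.org", "www.titi.org",
                             "titi.org", "www.titi.no-ip.com"]}
BAD_WILDCARD_CERT = {"cn": "*toto.org", "san": []}

if __name__ == "__main__":
    hosts = ["www.toto.org", "toto.org", "titi-1.toto.org", "titi.org",
             "www.titi.org", "mail.titi.org"]
    for label, cert in [("wildcard", WILDCARD_CERT),
                        ("multi-domain SAN", MULTI_DOMAIN_CERT),
                        ("bad wildcard", BAD_WILDCARD_CERT)]:
        print(label, audit(cert, hosts))
```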

michelandre
Re: SSL Certificate for different VirtualHost
« Reply #10 on: February 26, 2016, 02:24:00 PM »
Hi all,

Thank you DanB35 for your answer.

According to: https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
Quote
While Apache can renegotiate the SSL connection later after seeing the hostname in the request (and does), that's too late to pick the right server certificate to use to match the request hostname during the initial handshake, resulting in browser warnings/errors about certificates having the wrong hostname in them.
 

That is exactly the result I have after I generated a CSR with different domain names. The CSR got generated and signed by CAcert without error or warning. Yes, all domains are working with Firefox but not with Chrome or IE for the other domains.

Comment by Janet:
Quote
As it is by default, SME server does not support what you want, but the links I gave you do refer to SNI, & Xavier gave some code.
So following the SNI concept should be possible.


Also: https://bugs.contribs.org/show_bug.cgi?id=8693
Bug 8693 - moving SSL httpd certificate to virtual host and allow multiple certificates
Quote
the purpose is to allow individual SSL certificates for each domain as a Virtualhost basis for httpd.
Default certificate could be available for Primary domain and virtualhost without any dedicated certificate and SSL activated.
Specific certificate path could be defined in db domains and if defined overrules default certificate.

All other services will keep using the default certificate.

to do :
- modify current httpd fragment and move certificate info to Virtualhost folder.

I tried the custom template but to no avail. Maybe I am doing it the wrong way, as this is the first time I play with custom templates.

Quote
(I have 10 hostnames across 3 different domains on one cert using Letsencrypt).

Question:
- How did you do that?
- Did you try with Chrome and IE?
- I have only 1 hostname and 3 different domains. Did you add something in /etc/hosts with a custom template?
- Are you using completely separate domain names or are they sub-domains?
- All in only one server and only one IP address?

Seeing is believing. Can you post the URL so I can see for myself?

Thank you,

Michel-André

DanB35
Re: SSL Certificate for different VirtualHost
« Reply #11 on: February 26, 2016, 03:16:57 PM »
I haven't tried with IE (I use a Mac), but it works just fine with Chrome.  You can check it out on www.familybrown.org, www.brownlawoffice.us, and www.interociter-enterprises.com.  I used Let's Encrypt, following the instructions on the wiki.  Both the official client and letsencrypt.sh work, though I think the letsencrypt.sh is simpler at this point.

michelandre
Re: SSL Certificate for different VirtualHost
« Reply #12 on: February 26, 2016, 03:40:36 PM »
Hi all,

Thank you so much DanB35,

You are giving me hope.  8-)

What version of SME are you using?

Can you give me the URL of the wiki please?

Again, thank you for giving me hope,

Michel-André

DanB35
Re: SSL Certificate for different VirtualHost
« Reply #13 on: February 26, 2016, 03:57:21 PM »
I'm using SME 9.1.  Janet already gave the address of the wiki page above.

ReetP
Re: SSL Certificate for different VirtualHost
« Reply #14 on: February 26, 2016, 04:33:52 PM »
You can still get the source for the contrib here:

https://github.com/reetp/smeserver-letsencrypt/tree/smeserver-letsencrypt-0.1

It is easy to compile
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

michelandre
Re: *SOLVED* SSL Certificate for different VirtualHost
« Reply #15 on: February 27, 2016, 02:11:50 AM »
Hi all,

DanB35, I have no words to thank you enough.

Everything is working. I just have to check the script and I will be able to say: "Job done".

Again thank you all,

Michel-André

DanB35
Re: SSL Certificate for different VirtualHost
« Reply #16 on: February 27, 2016, 12:22:57 PM »
Excellent, glad it worked out for you.

michelandre
Re: SSL Certificate for different VirtualHost
« Reply #17 on: February 29, 2016, 06:44:51 PM »
Hi all,

*** In the contribs: https://wiki.contribs.org/Letsencrypt, there is a typo in the paragraphs: Generate the certificate on the SME Server & Generate the certificate on the internal server :   /home/e-smith/files/ibays/Primary/html/

*** Generate the certificate on the SME Server works OK.

*** I tried Generate the certificate on the internal server but it is quite hard to copy the hex name of the file and its content. I used PuTTY and I cannot copy it with [CTL-C] as it will stop the script. I tried with tee to have an output file but it doesn't capture the text completely.
- Does somebody have a way to do it other than copying hex by hex?

*** Backup I added --go-into opt and --go-into etc/letsencrypt and the new server didn't reboot properly after a restore. I will try again.

*** Maybe adding a note on REVOKE like:
./letsencrypt-auto  revoke  --cert-path  /etc/letsencrypt/live/yourdomain/cert.pem

*** Maybe adding a note about the limit of 5 certificates per 7 days.
I tried 2 times for the main server and a few times on the internal server and suddenly I reached the limit. I will have to wait 7 days to continue.

-- https://community.letsencrypt.org/t/too-many-certificates-already-issued/6481/4
Quote
-- Perhaps you can experiment first by using the --server https://acme-staging.api.letsencrypt.org/directory option. That way you can try the client and receive certificates (which won't work online, 'cause they'll be signed by some "Happy hacker" CA instead of Let's Encrypt Intermediate X1) and the staging server doesn't have such strict rate limits.
-- Testing Against the Let's Encrypt Staging Environment
We highly recommend testing against our staging environment before using our production environment. This will allow you to get things right before issuing trusted certificates and reduce the chance of your running up against rate limits. The ACME URL for our staging environment is: https://acme-staging.api.letsencrypt.org/directory If you're using the official Let's Encrypt client you can use the staging environment by including the following: --server https://acme-staging.api.letsencry...

*** In Prerequisites, maybe add something about the CNAME/Alias with "and DNS records are published for it". As a newbie I didn't catch it the first time.

Yesterday, Let's Encrypt were at more than 820K certificates with about 12K new one per day. Very good since it started only a few months ago.

letsencrypt is one of the greatest contribs,

Michel-André

DanB35
Re: SSL Certificate for different VirtualHost
« Reply #18 on: February 29, 2016, 07:22:24 PM »
*** In the contribs: https://wiki.contribs.org/Letsencrypt, there is a typo in the paragraphs: Generate the certificate on the SME Server & Generate the certificate on the internal server :   /home/e-smith/files/ibays/Primary/html/
I'll take a look at the wiki.  You realize, I hope, that those paragraphs relate to generating a cert for another server?  They aren't part of the "normal" use case for Let's Encrypt.

Quote
*** I tried Generate the certificate on the internal server but it is quite hard to copy the hex name of the file and its content. I used PuTTY and I cannot copy it with [CTL-C] as it will stop the script. I tried with tee to have an output file but it doesn't capture the text completely.
- Does somebody have a way to do it other than copying hex by hex?
IIRC, text is automatically copied in PuTTY when highlighted.  If not, there must be an edit menu with a Copy command.  I do recall that a right-click will paste.

Quote
*** Maybe adding a note on REVOKE like:
./letsencrypt-auto  revoke  --cert-path  /etc/letsencrypt/live/yourdomain/cert.pem

Quote
*** Maybe adding a note about the limit of 5 certificates per 7 days.
This is already there, in the Introduction section:
Quote
As of December 2015, the Letsencrypt service is in a public beta state. They issue valid, trusted certificates, but the client code (and, to a lesser extent, the server code) is likely in a state of flux. At least during the initial stages of the public beta, they're implementing rate-limiting, allowing no more than five certificates per domain in a rolling seven-day period.

Quote
*** In Prerequisites, maybe add something about the CNAME/Alias with "and DNS records are published for it". As a newbie I didn't catch it the first time.
I'm not sure I understand what you're saying here.  Let's Encrypt doesn't really care if the hostname has an A record or a CNAME record, as long as each hostname for which you're seeking a cert resolves to your SME server.

michelandre
Re: SSL Certificate for different VirtualHost
« Reply #19 on: February 29, 2016, 09:01:48 PM »
Hi DanB35,

Thank you for your reply.

Very sorry that I didn't see the limits in the Introduction section.

** PuTTY
I found something and it is working: http://superuser.com/questions/85772/putty-how-to-select-text-and-copy-text-using-keyboard-only
After so many years using PuTTY I didn't know that and always used [Ctl-c]. Well, I learn every day...
Quote
PuTTY's copy and paste works entirely with the mouse. In order to copy text to the clipboard, you just click the left mouse button in the terminal window, and drag to select text. When you let go of the button, the text is automatically copied to the clipboard. You do not need to press Ctrl-C or Ctrl-Ins; in fact, if you do press Ctrl-C, PuTTY will send a Ctrl-C character down your session to the server where it will probably cause a process to be interrupted.

** CNAME
The internal server's name is test. At the registrar site I had to add the CNAME test pointing at @, www.test pointing at @ and mail.test also pointing at @. Things I didn't know. Again  I learn every day...

** Overcoming the limit
- Now I am adding the switch --staging which says that I am testing and the certificate will say from "Happy hacker fake CA".
- The switch --break-my-certs will renew the certificate invalidating the old one.
Quote
You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: my.domain.one, my.domain.two, my.domain.three, my.domain.four). We will not do that unless you use the --break-my-certs flag!

There is a lot to learn from that contribs,

Michel-André

michelandre
Re: SSL Certificate for different VirtualHost
« Reply #20 on: March 04, 2016, 02:24:39 AM »
Hi all,

I am trying to use all the commands in the Letsencrypt contrib. I am almost done.

There is one command I don't find.

Quote
or to be sure, a copy of the complete configuration database (a good practice before any action such as manual changing of db values or installing a contrib):

config show > "/root/db_configuration_backup_$(date +%Y%m%d_%H%M%S)"

How to restore this DB backup?

I googled around and found nothing except a lot of standard backup and restore and different ways to do it. I tried cat, echo, pipe, <, etc. to no avail.
It is a "good practice before..." so I would like to use it.

Maybe I missed something?

Any hint appreciated,

Michel-André

DanB35
Re: SSL Certificate for different VirtualHost
« Reply #21 on: March 04, 2016, 02:38:13 AM »
There is no real way to restore from that backup; you'd need to manually read through it and set whatever config properties you needed.

ReetP
Re: SSL Certificate for different VirtualHost
« Reply #22 on: March 04, 2016, 03:24:48 AM »
You could vaguely use something like this in extremis I think....

https://wiki.contribs.org/Backup_server_config
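
As an added example (not SME Server's own tooling, which has no restore for this dump), a small script that parses two `config show` dumps, the backup and the current state, and generates the config set/setprop/delprop commands that would put the backed-up values back. The two dumps are constructed samples; the commands are only printed for review, never executed, and you still need the matching signal-event afterwards.

```python
"""Diff two `config show` dumps and print the commands that restore the
backup (added example with constructed dumps; nothing is executed)."""
import shlex
from typing import Dict, List, Tuple

# Constructed sample of `config show` output taken before a change.
BACKUP_DUMP = """\
modSSL=service
    CertificateChainFile=/home/e-smith/ssl.crt/bundle.crt
    CommonName=www.toto.org
    crt=/home/e-smith/ssl.crt/www.toto.org.crt
    key=/home/e-smith/ssl.key/www.toto.org.key
    status=enabled
pptpd=service
    sessions=4
    status=disabled
SystemName=sme91
"""

# Constructed sample of the current state, after a hook rewrote the paths.
CURRENT_DUMP = """\
letsencrypt=service
    status=enabled
modSSL=service
    CertificateChainFile=/etc/letsencrypt.sh/certs/www.toto.org/chain.pem
    CommonName=www.toto.org
    crt=/etc/letsencrypt.sh/certs/www.toto.org/cert.pem
    key=/etc/letsencrypt.sh/certs/www.toto.org/privkey.pem
    status=enabled
    Note=set by hand during testing
"""

Record = Tuple[str, Dict[str, str]]  # (type or plain value, {prop: value})


def parse_config_show(text: str) -> Dict[str, Record]:
    """Parse the dump format: a 'key=type' line followed by indented
    'prop=value' lines; a key with no properties is just 'key=value'."""
    db: Dict[str, Record] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError(f"property before any key: {raw!r}")
            prop, _, value = raw.strip().partition("=")
            db[current][1][prop] = value
        else:
            key, _, typ = raw.partition("=")
            current = key
            db[key] = (typ, {})
    return db


def restore_commands(backup: Dict[str, Record],
                     current: Dict[str, Record]) -> List[str]:
    """Commands that bring `current` back to `backup`; values are shell-quoted."""
    q = shlex.quote
    cmds: List[str] = []
    for key, (typ, props) in backup.items():
        if key not in current or current[key][0] != typ:
            # Missing or retyped record: db set writes type and props in one go.
            pairs = " ".join(f"{q(p)} {q(v)}" for p, v in props.items())
            cmds.append(f"config set {q(key)} {q(typ)} {pairs}".rstrip())
            continue
        cur_props = current[key][1]
        for prop, value in props.items():
            if cur_props.get(prop) != value:
                cmds.append(f"config setprop {q(key)} {q(prop)} {q(value)}")
        for prop in cur_props:
            if prop not in props:
                cmds.append(f"config delprop {q(key)} {q(prop)}")
    for key in current:
        if key not in backup:
            # Could be a contrib installed since the backup, so only flag it.
            cmds.append(f"# not in backup, review before running: config delete {q(key)}")
    return cmds


if __name__ == "__main__":
    for cmd in restore_commands(parse_config_show(BACKUP_DUMP),
                                parse_config_show(CURRENT_DUMP)):
        print(cmd)
```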

DanB35
Re: SSL Certificate for different VirtualHost
« Reply #23 on: March 04, 2016, 01:10:19 PM »
I'll take a look at the wiki.  You realize, I hope, that those paragraphs relate to generating a cert for another server?  They aren't part of the "normal" use case for Let's Encrypt.
I fixed this.  On my server, though, /home/e-smith/files/primary is a symlink to /home/e-smith/files/ibays/Primary, so it would still work as stated.  Looks like that isn't always the case.

michelandre
Re: SSL Certificate for different VirtualHost
« Reply #24 on: March 05, 2016, 09:18:07 PM »
Hi all,

I finished testing the client script letsencrypt.sh.
Very nice and easy to use. You can modify the needed files.

The main feature of this client script is that it does not require anything except the installation of git to download the files.

FOR TEST MODE to respect the 5/7 limits.
File /etc/letsencrypt.sh/config.sh // adding the line CA="https://acme-staging.api.letsencrypt.org/directory".
Quote
#!/bin/bash
# config.sh

CA="https://acme-staging.api.letsencrypt.org/directory"

WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/local/bin/letsencrypt-hook.sh"
# E-mail to use during the registration (default: <unset>)
CONTACT_EMAIL="admin@toto.org"

For TEST mode WITHOUT installation of the certificate.
File letsencrypt-hook.sh // commenting all the /sbin/e-smith... line.
Quote
#!/bin/bash
# Hook called by letsencrypt.sh; for deploy_cert this hook assumes the
# arguments: deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE

if [ "$1" = "deploy_cert" ]; then
  KEY=$3
  CERT=$4
  CHAIN=${5/fullchain.pem/chain.pem}
#
##  /sbin/e-smith/db configuration setprop modSSL key $KEY
##  /sbin/e-smith/db configuration setprop modSSL crt $CERT
##  /sbin/e-smith/db configuration setprop modSSL CertificateChainFile $CHAIN
##  /sbin/e-smith/signal-event domain-modify
##  /sbin/e-smith/signal-event email-update
##  /sbin/e-smith/signal-event ibay-modify
fi

cron job to be run every month even if certificate is STILL VALID.
letsencrypt.sh -c
will return
INFO: Using main config file /etc/letsencrypt.sh/config.sh
Processing www.toto.org with alternative names: toto.org server-name.toto.org... www.titi.info
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jun  2 20:16:00 2016 GMT (Longer than 30 days). Skipping!


FORCING renew even if certificate is STILL VALID.
letsencrypt.sh -c --renew
SECURITY ISSUES

For the creation of the account key  // I have no problem with that.
Quote
...
# INFO: Using main config file /etc/letsencrypt.sh/config.sh
+ Generating account key...
+ Registering account key with letsencrypt...
...

For the creation of the CSR   // I have no problem with that.
Quote
...
 + Valid till Jun  2 20:16:00 2016 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
+ Generating signing request...
 + Requesting challenge for www.toto.org...
...

BUT WHO is creating the private key   //  I have a VERY BIG problem with that.
Quote
...
 + Signing domains...
 + Creating new directory /etc/letsencrypt.sh/certs/www.micronator.org ...
+ Generating private key.
+ Generating signing request...
 + Requesting challenge for www.micronator.org...
...

I remember seeing someone saying that there was a problem with Let's Encrypt. With that, now I know why.

With the official client, it is the user generating the CSR so it is much better.

Michel-André

Daniel B.
Re: SSL Certificate for different VirtualHost
« Reply #25 on: March 05, 2016, 10:12:37 PM »
Can you explain where the security issue is? Of course a private key is needed. The script just generates it for you. You can run the same command manually if you want, but I see no difference.
It's the end of the world!!! :lol:

michelandre
Re: SSL Certificate for different VirtualHost
« Reply #26 on: March 05, 2016, 10:44:07 PM »
Hi Daniel,

Thank you for correcting me.
You are absolutely right. It is the script that generates the private key.

  privkey="privkey.pem"
  # generate a new private key if we need or want one
  if [[ ! -r "${BASEDIR}/certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
    echo " + Generating private key..."
    privkey="privkey-${timestamp}.pem"
    case "${KEY_ALGO}" in
      rsa) _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}";;
      prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem";;
    esac
  fi

I apologize for my mistake.  :-?

Then I have to say that the script client from Let's Encrypt is safe to use.

Michel-André

Offline DanB35

    • http://www.familybrown.org
Re: SSL Certificate for different VirtualHost
« Reply #27 on: March 05, 2016, 11:08:46 PM »
The only change I'd make to what you've posted is calling letsencrypt.sh -c out of cron.daily.  It will check your certs, and only renew them when they have less than 30 days (by default, or whatever value you specify in config.sh) left.
......

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #28 on: March 06, 2016, 12:26:27 AM »
Hi DanB35,

Thank you for your reply.

What I meant by "cron job to be run every month even if certificate is STILL VALID." was that if the certificate is still valid, it won't stop the script from running.

The way you wrote it better explains the meaning.

Checking the script:
Code:
    if [[ -e "${cert}" ]]; then
      echo " + Checking expire date of existing cert..."
      valid="$(openssl x509 -enddate -noout -in "${cert}" | cut -d= -f2- )"

      printf " + Valid till %s " "${valid}"
      if openssl x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}"; then
        printf "(Longer than %d days). " "${RENEW_DAYS}"
        if [[ "${force_renew}" = "yes" ]]; then
          echo "Ignoring because renew was forced!"
        else
          echo "Skipping!"
          continue
        fi
      else
        echo "(Less than ${RENEW_DAYS} days). Renewing!"
      fi
    fi

I notice that the script doesn't communicate at all with the Let's Encrypt server for checking the expiry date.
It parses the certificate to find it, then calculates the days left, etc.
I was under the impression that it was asking the Let's Encrypt server for that.

Many things I learned today. I am still a newbie, but on a lower level.

Thank you all,

Michel-André

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #29 on: March 21, 2016, 01:34:22 AM »
Hi all,

Finally, I finished testing letsencrypt.sh.  :-D

- Test certificate - single/multiple domains: get certificate, renew, force renew, revoke, and automatic renew if necessary with a cron job
- Official certificate: same procedures.

If the certificate is still valid for more than 30 days, after checking it, letsencrypt.sh will exit and never bother the Let's Encrypt servers; so my cron job runs every third day of every month at 02h15. It should not be a busy time for the Let's Encrypt servers.

I did a French documentation of my tests:
PDF: https://www.micronator.org/PDF/SME/RF-232_SME-9.1_LetsEncrypt/RF-232_SME-9.1_LetsEncrypt.sh.pdf
SHA-1: https://www.micronator.org/PDF/SME/RF-232_SME-9.1_LetsEncrypt/RF-232_SME-9.1_LetsEncrypt.sh_SHA-1.txt

Thank you all, without your help I would have not finished those tests,

Michel-André

Offline DanB35

    • http://www.familybrown.org
Re: SSL Certificate for different VirtualHost
« Reply #30 on: March 21, 2016, 11:45:49 AM »
If the certificate is still valid for more than 30 days, after checking it, letsencrypt.sh will exit and never bother the Let's Encrypt servers; so my cron job runs every third day of every month at 02h15. It should not be a busy time for the Let's Encrypt servers.
I'd still suggest running the cron job more often (like daily).  With it running once a month, there's only one chance for it to run and renew your certs, and if it encounters any problems while doing that, the next run won't be until the cert is already expired.  And depending on exactly how the dates/times interact, the renewal might not run at all before the cert expires.

Here's an example of that:  Suppose your cert expires on 2 Aug at 02:30.  When your cron job runs at 3 Jul at 02:15, the cert still has more than 30 days left (by 15 minutes), so letsencrypt.sh doesn't renew it.  Your cert expires on 2 Aug, and letsencrypt.sh doesn't run again until 3 Aug to renew it.  One day without a valid cert probably isn't a terrible thing, but there's no reason for it to happen.

As you've determined, the expiration check happens locally; it never hits the LE servers to do that.  So there's no real reason not to call letsencrypt.sh -c more often.
......
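DanB35's timing argument, replayed as an added example (not code from the thread or from letsencrypt.sh) in a small bash simulation: `needs_renew` mirrors the script's `openssl x509 -checkend` decision, which is made in seconds, and `simulate` runs a cron schedule against the constructed expiry date from the post, showing that the monthly job misses the window while the daily job renews with 29 days left.

```bash
#!/usr/bin/env bash
# Added example, not code from letsencrypt.sh or from the thread.
# It replays the monthly-versus-daily cron argument using the script's
# own renewal rule: renew only when the cert expires within RENEW_DAYS.
# Times are plain epoch seconds computed by hand, so no `date` is needed.
set -eu

DAY=86400
RENEW_DAYS=30

# Same decision as `openssl x509 -checkend $((RENEW_DAYS * 86400))` in the
# script: the check is done in seconds, so there is no rounding to whole days.
# Returns 0 (renew) when a run at time $1 would renew a cert expiring at $2.
needs_renew() {
  local now expiry
  now=$1; expiry=$2
  [ $((expiry - now)) -lt $((RENEW_DAYS * DAY)) ]
}

# Simulate cron: first run at $1, repeating every $2 seconds, cert expiring
# at $3. Prints "renewed <seconds before expiry>" for the first run that
# renews, or "expired" if the cert lapses before any run renews it.
simulate() {
  local run interval expiry
  run=$1; interval=$2; expiry=$3
  while [ "$run" -lt "$expiry" ]; do
    if needs_renew "$run" "$expiry"; then
      echo "renewed $((expiry - run))"
      return 0
    fi
    run=$((run + interval))
  done
  echo "expired"
}

# Constructed scenario from the thread: cert expires 2 Aug 02:30 and the
# first cron run is 3 Jul 02:15, i.e. 30 days and 15 minutes earlier.
# Time 0 is that first run; 3 Jul -> 3 Aug is 31 days.
FIRST_RUN=0
EXPIRY=$((30 * DAY + 15 * 60))

echo "monthly: $(simulate "$FIRST_RUN" $((31 * DAY)) "$EXPIRY")"  # expired
echo "daily:   $(simulate "$FIRST_RUN" "$DAY" "$EXPIRY")"         # renewed 2506500
```

The daily run renews 2506500 seconds (29 days and 15 minutes) before expiry; the monthly run's only chance falls 15 minutes outside the 30-day window and the next run is after the cert has lapsed.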

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #31 on: March 21, 2016, 04:20:20 PM »
Hi all,

DanB35, thank you very much for pointing out this fact.

In the situation you mentioned, on July 3rd at 02h30 the certificate will still be valid for 30 days. At 02h15 it will be valid for more than 30. If the program which calculates the number of days didn't round or cut the result, then it will be 30.xxx, which is longer than 30, and renewal won't take place. This really demonstrates a programming "side effect".

I will do as you suggested and run the cron job daily.

Thank you again,

Michel-André

Offline DanB35

    • http://www.familybrown.org
Re: SSL Certificate for different VirtualHost
« Reply #32 on: March 21, 2016, 04:25:59 PM »
Since you've taken the time to write it up in French, would you mind adding it to the wiki?
......

Offline Stefano

Re: SSL Certificate for different VirtualHost
« Reply #33 on: March 21, 2016, 04:46:14 PM »
Michel-André

your documentation work is appreciated, but we all prefer you to collaborate in the wiki.

thank you

Offline davidS

Re: SSL Certificate for different VirtualHost
« Reply #34 on: March 28, 2016, 06:39:48 PM »
Hello everyone,
it is a great job you have done. :-)
Is there anyone who could translate it to English so I can enjoy this wonderful work, please?
Thank you

Offline DanB35

    • http://www.familybrown.org
Re: SSL Certificate for different VirtualHost
« Reply #35 on: March 28, 2016, 06:55:38 PM »
There's a pretty thorough English write-up at https://wiki.contribs.org/Letsencrypt ; I recommend the letsencrypt.sh method.

[Edited by pfloor to correct link]
« Last Edit: March 28, 2016, 09:05:48 PM by pfloor »
......

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #36 on: May 13, 2016, 12:56:45 AM »
Hi all,

Quote
DanB35: Since you've taken the time to write it up in French, would you mind adding it to the wiki?

Quote
Stefano: your documentation work is appreciated, but we all prefer you to collaborate in the wiki.

I finally updated my documentation on MediaWiki and created a virtual machine to test it. I exported the original Let's Encrypt LibreOffice .odt file to mediawiki format and copied it into a wiki page. I cut all the references to images and the long test mode explanations. I finally learned how to write a wiki page.

My Let's Encrypt howto page in mediawiki text is now at: https://www.micronator.org/PDF/SME/RF-232_SME-9.1_LetsEncrypt/LetsEncrypt_MINIMUM_MediaWiki_2016-05-12_18h17.txt.

The full PDF is at: https://www.micronator.org/PDF/SME/RF-232_SME-9.1_LetsEncrypt/RF-232_SME-9.1_LetsEncrypt.sh.pdf.

If someone can test it and put it somewhere, it will be appreciated,

Michel-André

guest22

Re: SSL Certificate for different VirtualHost
« Reply #37 on: May 13, 2016, 12:34:54 PM »
Deleted.