Koozali.org: home of the SME Server

SSL Certificate for different VirtualHost

Offline michelandre

Re: *SOLVED* SSL Certificate for different VirtualHost
« Reply #15 on: February 27, 2016, 02:11:50 AM »
Hi all,

DanB35, I have no words to thank you enough.

Everything is working. I just have to check the script and I will be able to say: "Job done".

Again thank you all,

Michel-André

Offline DanB35

    • http://www.familybrown.org
Re: SSL Certificate for different VirtualHost
« Reply #16 on: February 27, 2016, 12:22:57 PM »
Excellent, glad it worked out for you.
......

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #17 on: February 29, 2016, 06:44:51 PM »
Hi all,

*** In the contribs: https://wiki.contribs.org/Letsencrypt, there is a typo in the paragraphs: Generate the certificate on the SME Server & Generate the certificate on the internal server :   /home/e-smith/files/ibays/Primary/html/

*** Generate the certificate on the SME Server works OK.

*** I tried Generate the certificate on the internal server but it is quite hard to copy the hex name of the file and its content. I used PuTTY and I cannot copy it with [CTRL-C] as it will stop the script. I tried with tee to have an output file but it doesn't capture the text completely.
- Does somebody have a way to do it other than copying it hex by hex?

*** Backup I added --go-into opt and --go-into etc/letsencrypt and the new server didn't reboot properly after a restore. I will try again.

*** Maybe adding a note on REVOKE like:
./letsencrypt-auto  revoke  --cert-path  /etc/letsencrypt/live/yourdomain/cert.pem

*** Maybe adding a note about the limit of 5 certificates per 7 days.
I tried 2 times for the main server and a few times on the internal server and suddenly I reached the limit. I will have to wait 7 days to continue.

-- https://community.letsencrypt.org/t/too-many-certificates-already-issued/6481/4
Quote
-- Perhaps you can experiment first by using the --server https://acme-staging.api.letsencrypt.org/directory option. That way you can try the client and receive certificates (which won't work online, 'cause they'll be signed by some "Happy hacker" CA instead of Let's Encrypt Intermediate X1) and the staging server doesn't have such strict rate limits.
-- Testing Against the Let's Encrypt Staging Environment
We highly recommend testing against our staging environment before using our production environment. This will allow you to get things right before issuing trusted certificates and reduce the chance of your running up against rate limits. The ACME URL for our staging environment is: https://acme-staging.api.letsencrypt.org/directory If you're using the official Let's Encrypt client you can use the staging environment by including the following: --server https://acme-staging.api.letsencry...

*** In Prerequisites, maybe add something about the CNAME/Alias with "and DNS records are published for it". As a newbie I didn't catch it the first time.

Yesterday, Let's Encrypt was at more than 820K certificates with about 12K new ones per day. Very good since it started only a few months ago.

Letsencrypt is one of the greatest contribs,

Michel-André

Offline DanB35

    • http://www.familybrown.org
Re: SSL Certificate for different VirtualHost
« Reply #18 on: February 29, 2016, 07:22:24 PM »
Quote
*** In the contribs: https://wiki.contribs.org/Letsencrypt, there is a typo in the paragraphs: Generate the certificate on the SME Server & Generate the certificate on the internal server :   /home/e-smith/files/ibays/Primary/html/
I'll take a look at the wiki.  You realize, I hope, that those paragraphs relate to generating a cert for another server?  They aren't part of the "normal" use case for Let's Encrypt.

Quote
*** I tried Generate the certificate on the internal server but it is quite hard to copy the hex name of the file and its content. I used PuTTY and I cannot copy it with [CTRL-C] as it will stop the script. I tried with tee to have an output file but it doesn't capture the text completely.
- Does somebody have a way to do it other than copying it hex by hex?
IIRC, text is automatically copied in PuTTY when highlighted.  If not, there must be an edit menu with a Copy command.  I do recall that a right-click will paste.

Quote
*** Maybe adding a note on REVOKE like:
./letsencrypt-auto  revoke  --cert-path  /etc/letsencrypt/live/yourdomain/cert.pem

Quote
*** Maybe adding a note about the limit of 5 certificates per 7 days.
This is already there, in the Introduction section:
Quote
As of December 2015, the Letsencrypt service is in a public beta state. They issue valid, trusted certificates, but the client code (and, to a lesser extent, the server code) is likely in a state of flux. At least during the initial stages of the public beta, they're implementing rate-limiting, allowing no more than five certificates per domain in a rolling seven-day period.

Quote
*** In Prerequisites, maybe add something about the CNAME/Alias with "and DNS records are published for it". As a newbie I didn't catch it the first time.
I'm not sure I understand what you're saying here.  Let's Encrypt doesn't really care if the hostname has an A record or a CNAME record, as long as each hostname for which you're seeking a cert resolves to your SME server.
......

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #19 on: February 29, 2016, 09:01:48 PM »
Hi DanB35,

Thank you for your reply.

Very sorry that I didn't see the limits in the Introduction section.

** PuTTY
I found something and it is working: http://superuser.com/questions/85772/putty-how-to-select-text-and-copy-text-using-keyboard-only
After so many years using PuTTY I didn't know that and always used [Ctrl-C]. Well, I learn every day...
Quote
PuTTY's copy and paste works entirely with the mouse. In order to copy text to the clipboard, you just click the left mouse button in the terminal window, and drag to select text. When you let go of the button, the text is automatically copied to the clipboard. You do not need to press Ctrl-C or Ctrl-Ins; in fact, if you do press Ctrl-C, PuTTY will send a Ctrl-C character down your session to the server where it will probably cause a process to be interrupted.

** CNAME
The internal server's name is test. At the registrar site I had to add the CNAME test pointing at @, www.test pointing at @ and mail.test also pointing at @. Things I didn't know. Again I learn every day...

** Overcoming the limit
- Now I am adding the switch --staging, which says that I am testing; the certificate will say it is from "Happy hacker fake CA".
- The switch --break-my-certs will renew the certificate, invalidating the old one.
Quote
You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: my.domain.one, my.domain.two, my.domain.three, my.domain.four). We will not do that unless you use the --break-my-certs flag!

There is a lot to learn from that contribs,

Michel-André

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #20 on: March 04, 2016, 02:24:39 AM »
Hi all,

I am trying to use all the commands in the Letsencrypt contrib. I am almost done.

There is one command I don't find.

Quote
or to be sure, a copy of the complete configuration database (a good practice before any action such as manual changing of db values or installing a contrib):

config show > "/root/db_configuration_backup_$(date +%Y%m%d_%H%M%S)"

How to restore this DB backup?

I googled around and found nothing except a lot of standard backup and restore and different ways to do it. I tried cat, echo, pipe, <, etc. to no avail.
It is a "good practice before..." so I would like to use it.

Maybe I missed something?

Any hint appreciated,

Michel-André
 

Offline DanB35

    • http://www.familybrown.org
Re: SSL Certificate for different VirtualHost
« Reply #21 on: March 04, 2016, 02:38:13 AM »
There is no real way to restore from that backup--you'd need to manually read through it and set whatever config properties you needed.
......
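One way to act on the point above, that the dump can only be read back by hand: an added example, written for this thread and not code from the Letsencrypt contrib or from SME Server, that parses the `config show` text into records, compares it with a current dump and prints the `db configuration` commands that would bring the live database back to the backup. It assumes the dump layout is an unindented `name=type` line followed by indented `prop=value` lines for that record; the two sample dumps and the paths in them are constructed placeholders.

```python
import shlex
from collections import OrderedDict

# Constructed sample in the assumed shape of `config show` output: an unindented
# "name=type" line opens a record, indented "prop=value" lines belong to it.
# Paths are placeholders, not real files from any server.
BACKUP_DUMP = """\
modSSL=service
    CertificateChainFile=/etc/letsencrypt/live/example.org/chain.pem
    crt=/etc/letsencrypt/live/example.org/cert.pem
    key=/etc/letsencrypt/live/example.org/privkey.pem
    status=enabled
SystemName=example
"""

# Constructed "current" dump where a later install changed the certificate paths
# and dropped the chain file property.
LIVE_DUMP = """\
modSSL=service
    crt=/etc/letsencrypt.sh/certs/example.org/cert.pem
    key=/etc/letsencrypt.sh/certs/example.org/privkey.pem
    status=enabled
SystemName=example
"""


def parse_config_show(text):
    """Parse `config show` text into {name: {"type": str, "props": {prop: value}}}."""
    records = OrderedDict()
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":  # property line: belongs to the record opened last
            if current is None:
                raise ValueError("property line before any record: %r" % raw)
            prop, sep, value = raw.strip().partition("=")
            if not sep:
                raise ValueError("malformed property line: %r" % raw)
            records[current]["props"][prop] = value
        else:  # record line
            name, _, rtype = raw.strip().partition("=")
            current = name
            records[name] = {"type": rtype, "props": OrderedDict()}
    return records


def restore_commands(backup, live=None):
    """Return the `db configuration` commands that bring `live` back to `backup`.

    With live=None every record is emitted (full restore); otherwise only what
    differs. Nothing is executed here: the list is meant to be reviewed first.
    """
    cmds = []
    live = live or {}
    for name, rec in backup.items():
        cur = live.get(name)
        if cur is None or cur["type"] != rec["type"]:
            # `set` creates or replaces the record with its type only
            cmds.append("db configuration set %s %s"
                        % (shlex.quote(name), shlex.quote(rec["type"])))
            cur_props = {}
        else:
            cur_props = cur["props"]
        for prop, value in rec["props"].items():
            if cur_props.get(prop) != value:
                cmds.append("db configuration setprop %s %s %s"
                            % (shlex.quote(name), shlex.quote(prop), shlex.quote(value)))
        for prop in cur_props:
            if prop not in rec["props"]:  # property added since the backup
                cmds.append("db configuration delprop %s %s"
                            % (shlex.quote(name), shlex.quote(prop)))
    return cmds


if __name__ == "__main__":
    backup = parse_config_show(BACKUP_DUMP)
    live = parse_config_show(LIVE_DUMP)
    for cmd in restore_commands(backup, live):
        print(cmd)
```

The output is a list to read and run by hand, which keeps the review step that a "good practice" backup is meant to support; after applying any of it, the matching signal-event (domain-modify and so on) still has to be run so templates are expanded.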

Offline ReetP

Re: SSL Certificate for different VirtualHost
« Reply #22 on: March 04, 2016, 03:24:48 AM »
You could vaguely use something like this in extremis I think....

https://wiki.contribs.org/Backup_server_config
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline DanB35

    • http://www.familybrown.org
Re: SSL Certificate for different VirtualHost
« Reply #23 on: March 04, 2016, 01:10:19 PM »
Quote
I'll take a look at the wiki.  You realize, I hope, that those paragraphs relate to generating a cert for another server?  They aren't part of the "normal" use case for Let's Encrypt.
I fixed this.  On my server, though, /home/e-smith/files/primary is a symlink to /home/e-smith/files/ibays/Primary, so it would still work as stated.  Looks like that isn't always the case.
......

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #24 on: March 05, 2016, 09:18:07 PM »
Hi all,

I finished testing the client script letsencrypt.sh.
Very nice and easy to use. You can modify the needed files.

The main feature of this client script is that it does not require anything except the installation of git to download the files.

FOR TEST MODE to respect the 5/7 limits.
File /etc/letsencrypt.sh/config.sh // adding the line CA="https://acme-staging.api.letsencrypt.org/directory".
Quote
#!/bin/bash
# config.sh

CA="https://acme-staging.api.letsencrypt.org/directory"

WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/local/bin/letsencrypt-hook.sh"
# E-mail to use during the registration (default: <unset>)
CONTACT_EMAIL="admin@toto.org"

For TEST mode WITHOUT installation of the certificate.
File letsencrypt-hook.sh // commenting out all the /sbin/e-smith... lines.
Quote
#!/bin/bash
# letsencrypt-hook.sh in test mode: the deploy_cert step is received, but the
# SME configuration is left untouched because the e-smith lines are commented out.

if [ "$1" = "deploy_cert" ]; then   # quote $1 so the test does not fail when no argument is passed
  KEY=$3
  CERT=$4
  CHAIN=${5/fullchain.pem/chain.pem}   # derive the chain.pem path from the fullchain.pem one
#
##  /sbin/e-smith/db configuration setprop modSSL key $KEY
##  /sbin/e-smith/db configuration setprop modSSL crt $CERT
##  /sbin/e-smith/db configuration setprop modSSL CertificateChainFile $CHAIN
##  /sbin/e-smith/signal-event domain-modify
##  /sbin/e-smith/signal-event email-update
##  /sbin/e-smith/signal-event ibay-modify
fi

cron job to be run every month even if certificate is STILL VALID.
Code:
letsencrypt.sh -c

Will return:
Code:
INFO: Using main config file /etc/letsencrypt.sh/config.sh
Processing www.toto.org with alternative names: toto.org server-name.toto.org... www.titi.info
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jun  2 20:16:00 2016 GMT (Longer than 30 days). Skipping!


FORCING renew even if certificate is STILL VALID.
Code:
letsencrypt.sh -c --renew
SECURITY ISSUES

For the creation of the account key  // I have no problem with that.
Quote
...
# INFO: Using main config file /etc/letsencrypt.sh/config.sh
+ Generating account key...
+ Registering account key with letsencrypt...
...

For the creation of the CSR   // I have no problem with that.
Quote
...
 + Valid till Jun  2 20:16:00 2016 2016 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
+ Generating signing request...
 + Requesting challenge for www.toto.org...
...

BUT WHO is creating the private key   //  I have a VERY BIG problem with that.
Quote
...
 + Signing domains...
 + Creating new directory /etc/letsencrypt.sh/certs/www.micronator.org ...
+ Generating private key.
+ Generating signing request...
 + Requesting challenge for www.micronator.org...
...

I remember seeing someone saying that there was a problem with Let's Encrypt. With that, now I know why.

With the official client, it is the user generating the CSR so it is much better.

Michel-André



Offline Daniel B.

    • Firewall Services, la sécurité des réseaux
Re: SSL Certificate for different VirtualHost
« Reply #25 on: March 05, 2016, 10:12:37 PM »
Can you explain where the security issue is? Of course a private key is needed. The script just generates it for you. You can run the same command manually if you want, but I see no difference.
It's the end of the world!!! :lol:

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #26 on: March 05, 2016, 10:44:07 PM »
Hi Daniel,

Thank you for correcting me.
You are absolutely right. It is the script that generates the private key.

Code:
  privkey="privkey.pem"
  # generate a new private key if we need or want one
  if [[ ! -r "${BASEDIR}/certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
    echo " + Generating private key..."
    privkey="privkey-${timestamp}.pem"
    case "${KEY_ALGO}" in
      rsa) _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}";;
      prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem";;
    esac
  fi

I apologize for my mistake.  :-?

Then I have to say that the script client from Let's Encrypt is safe to use.

Michel-André

Offline DanB35

    • http://www.familybrown.org
Re: SSL Certificate for different VirtualHost
« Reply #27 on: March 05, 2016, 11:08:46 PM »
The only change I'd make to what you've posted is calling letsencrypt.sh -c out of cron.daily.  It will check your certs, and only renew them when they have less than 30 days (by default, or whatever value you specify in config.sh) left.
......

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #28 on: March 06, 2016, 12:26:27 AM »
Hi DanB35,

Thank you for your reply.

What I meant by "cron job to be run every month even if certificate is STILL VALID." was that if the certificate is still valid, it won't stop the script from running.

The way you wrote it better explains the meaning.

Checking the script:
Code:
    if [[ -e "${cert}" ]]; then
      echo " + Checking expire date of existing cert..."
      valid="$(openssl x509 -enddate -noout -in "${cert}" | cut -d= -f2- )"

      printf " + Valid till %s " "${valid}"
      if openssl x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}"; then
        printf "(Longer than %d days). " "${RENEW_DAYS}"
        if [[ "${force_renew}" = "yes" ]]; then
          echo "Ignoring because renew was forced!"
        else
          echo "Skipping!"
          continue
        fi
      else
        echo "(Less than ${RENEW_DAYS} days). Renewing!"
      fi
    fi

I notice that the script doesn't communicate at all with the Let's Encrypt server to check the expiry date.
It parses the certificate to find it, then calculates the days left, etc.
I was under the impression that it was asking the Let's Encrypt server for that.

Many things I learned today. I am still a newbie but on a lower level.

Thank you all,

Michel-André
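To make the local check in the post above concrete: an added example (not the letsencrypt.sh code, which is bash, and not part of the thread) that reproduces the script's decision from nothing but the certificate's own notAfter date, using the `Jun  2 20:16:00 2016 GMT` value printed earlier in this thread as constructed input. `check_cert_file` is a hypothetical helper that runs the same `openssl x509 -enddate` command as the script on a real PEM file; everything else runs offline.

```python
import subprocess
from datetime import datetime, timedelta, timezone

# Format printed by `openssl x509 -enddate -noout`, e.g. "Jun  2 20:16:00 2016 GMT"
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"


def parse_enddate(line):
    """Turn the `-enddate` output line (or just its value) into an aware datetime."""
    value = line.strip()
    if value.startswith("notAfter="):
        value = value.split("=", 1)[1]      # same as `cut -d= -f2-` in the script
    value = " ".join(value.split())          # openssl pads single-digit days with two spaces
    return datetime.strptime(value, OPENSSL_DATE).replace(tzinfo=timezone.utc)


def days_left(not_after, now):
    """Remaining lifetime in (fractional) days."""
    return (not_after - now).total_seconds() / 86400


def renewal_decision(not_after, now, renew_days=30, force_renew=False):
    """Mirror the script's branch using only local dates.

    `openssl x509 -checkend N` exits 0 when the cert is still valid N seconds
    from now; in that case the script skips unless renew was forced.
    """
    if not_after >= now + timedelta(days=renew_days):
        return "renew-forced" if force_renew else "skip"
    return "renew"


def check_cert_file(path, now=None, renew_days=30, force_renew=False):
    """Hypothetical helper: same decision for a PEM file, via the openssl CLI."""
    out = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    not_after = parse_enddate(out)
    now = now or datetime.now(timezone.utc)
    return renewal_decision(not_after, now, renew_days, force_renew), days_left(not_after, now)


if __name__ == "__main__":
    # Constructed input: the enddate quoted in this thread, checked on 2016-03-05 and 2016-05-20
    not_after = parse_enddate("notAfter=Jun  2 20:16:00 2016 GMT")
    for when in ("Mar  5 02:15:00 2016 GMT", "May 20 02:15:00 2016 GMT"):
        now = parse_enddate(when)
        print(when, "->", renewal_decision(not_after, now),
              "(%.1f days left)" % days_left(not_after, now))
```

Because the decision is taken on the local clock and the local file, a host with a badly skewed clock would either renew every run or never renew; checking `date` is part of diagnosing a cron job that "does nothing".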

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #29 on: March 21, 2016, 01:34:22 AM »
Hi all,

Finally, I finished testing letsencrypt.sh.  :-D

- Test certificate - single/multiple domains: get certificate, renew, force renew, revoke, and automatic renew if necessary with a cron job
- Official certificate: same procedures.

If certificate is still valid for more than 30 days, after checking it, letsencrypt.sh will exit and never bother the Let's Encrypt servers; so my cron job runs every third day of every month at 02h15. It should not be a busy time for the Let's Encrypt servers.

I did a French documentation of my tests:
PDF: https://www.micronator.org/PDF/SME/RF-232_SME-9.1_LetsEncrypt/RF-232_SME-9.1_LetsEncrypt.sh.pdf
SHA-1: https://www.micronator.org/PDF/SME/RF-232_SME-9.1_LetsEncrypt/RF-232_SME-9.1_LetsEncrypt.sh_SHA-1.txt

Thank you all, without your help I would have not finished those tests,

Michel-André