Topic: certificat de sécurité

[ecureuil]

le problème, je ne sais plus faire pour testing ou epel

y-a 10/12 ans que je n'ai pas fait. Tout perdu, ma tête est une passoire

[ecureuil]

trouvé

# yum update smeserver-letsencrypt dehydrated --enablerepo=smetest
...
Mise à jour:
 dehydrated                                                                             noarch                                                                  0.6.5-1.el6                                                                   smetest                                                                   85 k
 smeserver-letsencrypt                                                                  noarch                                                                  0.5-11                                                                        smetest                                                                   36 k

pour l'instant pas fait

[ecureuil]

# yum update  dehydrated --enablerepo=smetest

# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain.com
    hookScript=disabled
    status=test
[root@tux letsencrypt]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Fetching account ID...
Processing domain.com with alternative names: mail.domain.com www.domain.com www2.domain.com
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 4 authorizations URLs from the CA
 + Handling authorization for domain.com
 + Handling authorization for mail.domain.com
 + Handling authorization for www.domain.com
 + Handling authorization for www2.domain.com
 + 4 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for mail.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for www.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for www2.domain.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

Je pense que c'est ok

[ecureuil]

# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain.com
    hookScript=disabled
    status=test

# cat /etc/dehydrated/config
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-staging-v02.api.letsencrypt.org/directory"

PARAM_ACCEPT_TERMS="yes"

# config setprop letsencrypt status enabled
# signal-event console-save
# cat /etc/dehydrated/config
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-v02.api.letsencrypt.org/directory"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@domain.com
HOOK="/usr/bin/hook-script.sh"
API="2"

PARAM_ACCEPT_TERMS="yes"

J'ai fait
# yum update  smeserver-letsencrypt --enablerepo=smetest

J'ai remis en test juste pour tester

#  config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain.com
    hookScript=disabled
    status=test

# cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@domain.com
API="2"

PARAM_ACCEPT_TERMS="yes"

C'est ok

Je remets en enabled

# config setprop letsencrypt status enabled

#  config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain.com
    hookScript=disabled
    status=enabled

# cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@domain.com
API="2"

PARAM_ACCEPT_TERMS="yes"

# dehydrated -c -x
# INFO: Using main config file /etc/dehydrated/config
Processing domain.com with alternative names: mail.domain.com www.domain.com www2.domain.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till May 16 15:38:14 2020 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 4 authorizations URLs from the CA
 + Handling authorization for domain.com
 + Handling authorization for mail.domain.com
 + Handling authorization for www.domain.com
 + Handling authorization for www2.domain.com
 + 4 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for mail.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for www.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for www2.domain.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
 + Done!

Y-a plus qu'à passer de testing en contribs...

merci pour le travail
Anne

[ecureuil]

suite

Je suis retournée sur mon server-manager

Connexion bloquée : problème de sécurité potentiel
Firefox a détecté une menace potentielle de sécurité et a interrompu le chargement de www.domain.com, car ce site web nécessite une connexion sécurisée.
Que pouvez-vous faire ?
Le problème vient probablement du site web, donc vous ne pouvez pas y remédier.
Si vous naviguez sur un réseau d’entreprise ou si vous utilisez un antivirus, vous pouvez contacter les équipes d’assistance pour obtenir de l’aide. Vous pouvez également signaler le problème aux personnes qui administrent le site web.

Que se passe-t-il?

Anne

[ReetP]

Probably because of the server name/ip address.

www.myserver.com/server-manager probably resolves LOCALLY to 192.168.x.x but the cert is for an 'external' ip.

You cannot generate a certificate for a 'local/private' ip address because it doesn't resolve globally.

How does "www.mydomain.com" look when accessed from the internet in general?

[ecureuil]

coucou

3w point linux-nuts point com

cela donne quoi.

et pour

www2 point linux-nuts point com

Anne

[ReetP]

www dot linux-nuts dot com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

Certificates have not been deployed correctly but no idea why.

[TerryF]

y-a 10/12 ans que je n'ai pas fait. Tout perdu, ma tête est une passoire

Mate, excuse the english, you are not the only one

[ecureuil]

# cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@domain.com
API="2"

PARAM_ACCEPT_TERMS="yes"

# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain.com
    hookScript=disabled
    status=enabled

configure=none => il faut peut-être configurer?

[ReetP]

Code: [Select]

config show modSSL

[ecureuil]

# config show modSSL
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/linux-nuts.com/chain.pem
    TCPPort=443
    access=public
    crt=/etc/dehydrated/certs/linux-nuts.com/cert.pem
    key=/etc/dehydrated/certs/linux-nuts.com/privkey.pem
    status=enabled

[ecureuil]

Certificates have not been deployed correctly but no idea why.

J'aimerais bien un nouvel essai

Anne

[ReetP]

I don't think you followed the wiki correctly.

https://wiki.contribs.org/Letsencrypt#Enable_Test_Mode

config setprop letsencrypt status test
signal-event console-save

dehydrated -c

If that is OK then go to Production mode

https://wiki.contribs.org/Letsencrypt#Enable_Production_Mode

Once you've successfully tested your installation, set it to production mode using these commands:

config setprop letsencrypt status enabled
signal-event console-save

Then obtain a new certificate from the Let's Encrypt production server:

dehydrated -c -x

The -x flag here is needed to force dehydrated to obtain a new certificate, even though you have an existing certificate that's valid for more than 30 days.

==========

I do not believe you have run dehydrated -c -x properly.

[ecureuil]

j'avais
# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain.com
    hookScript=disabled
    status=enabled

Tous les exemples avaiient  configure=none

J'ai remplacé  configure=none par  configure=domains

Et j'ai l'impression que plus de soucis