Koozali.org: home of the SME Server

let's encrypt question

Offline JRBATM20192021

Re: let's encrypt question
« Reply #30 on: January 16, 2023, 02:21:55 AM »
Also assuming this will work with SME 10 right?


Offline bunkobugsy

Re: let's encrypt question
« Reply #31 on: January 16, 2023, 07:44:39 AM »
Understood thanks will this interfere with my lets encrypt certificate for my other domain since it is going to be on the same server?

I suggested zerossl.com (there's also sslforfree.com) only for the sme10 behind your main sme10, because it only requires email verification. For the main one you can keep letsencrypt contrib running without customizations.
« Last Edit: January 16, 2023, 07:53:25 AM by bunkobugsy »

Offline JRBATM20192021

Re: let's encrypt question
« Reply #32 on: January 16, 2023, 10:46:05 PM »
Sounds good, thank you for your help on this. Last question: so the security certificate for email verification requires that it is sent to admin@brendasgetzlaw.com, however I don't have email set up for that domain on the server. Is there a way to make an email account for the alternate domain on the server?

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: let's encrypt question
« Reply #33 on: January 16, 2023, 11:47:48 PM »
With all respect, looking at your answer, I would rather think you did not understand the content of this wiki page, and the manipulation you are about to try is too advanced for you.

I would suggest you keep your server usage as simple as possible, as the more layers you add, the more possible issues you will encounter and the less likely you will be able to solve the issue.

Start by checking what this returns:

/sbin/e-smith/audittools/templates

Check if there is any .htaccess file in your Primary/html and in the ibay of the domain you fail to get the cert with Let's Encrypt.

Also give the output of:
ll -d /home/e-smith/files/ibays/Primary/html/.well-known
ll -d /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge

Offline ReetP

Re: let's encrypt question
« Reply #34 on: January 17, 2023, 12:06:20 AM »
Last question....

It won't be because you still haven't grasped your situation and tried to understand it. You just lurch from one guess to another.

3 pages on.

The classic XY info. Read that page again.

Still never really described your situation clearly and concisely. So you get bits of answers to bits of questions which you don't actually understand and make no effort to learn.

You say your servers are on the same network but have public IPs and are totally separate.

Ah right. Makes perfect sense.

You don't understand your SME, DNS, email and how they work together.

We don't even know exactly what software version is running your IceCast server. SME? Something else? Local & remote IPs for each box?

At a guess you read a load of guff clickbait wikis unrelated to SME (the tell - we don't use sudo on SME normally, and we use 'dehydrated') in an effort to do something you didn't understand, probably made a load of changes you didn't know how to revert, and now hope by telling the bits of the story you want people to see you can fix the mess without embarrassing yourself.

Time to fess up and give us the information requested including a detailed history of what you have done along with some proper info from audittools, or restore from backup, read the manual until you understand it, and start again.

I don't want to be harsh but you are wasting hours of people's valuable time and getting nowhere.

We can't help those who won't help themselves, or us.

On SME servers:
/sbin/e-smith/audittools/templates
/sbin/e-smith/audittools/newrpms
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline JRBATM20192021

Re: let's encrypt question
« Reply #35 on: January 17, 2023, 07:17:56 AM »
Okay, forget the stream certificate, that is a dead issue. I tried to install a different certificate under Let's Encrypt for brendasgetzlaw.com using the method suggested to me here.
https://wiki.koozali.org/Certificates_Concepts#Commercial_certificates
I was informed that it would work and not bother my other certificate. The only problem was it messed up the other certificate for kspk.com and it didn't even issue a security certificate for brendasgetzlaw.com. Now both sites show they are not secure, which is 100% unacceptable. Feel free to look since I have given you the links. How do I fix the original Let's Encrypt for kspk.com? When looking in ssh it still shows it is there, but this page is different:
[root@www ~]# [root@www ~]# config show modSSL
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/kspk.com/chain.pem
    TCPPort=443
    access=public
    crt=/ibays/Primary/html/.well-known/{brendasgetzlaw.com}.crt
    key=/ibays/Primary/html/.well-known/{brendasgetzlaw.com}.key
    status=enabled
[root@www ~]#

So I figured there is my problem, so I tried to change it back to:

[root@www ~]# [root@www ~]# config show modSSL
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/kspk.com/chain.pem
    TCPPort=443
    access=public
    crt=/ibays/Primary/html/.well-known/{kspk.com}.crt
    key=/ibays/Primary/html/.well-known/{kspk.com}.key
    status=enabled
[root@www ~]#

STILL DIDN'T WORK.

Is there a way to restore or undo a mistake in SME SERVER like in Windows where you can system restore like after you get a trojan horse virus????

I think that is the best option here.

PLEASE let me know ASAP.

I think this section has the mistake. Everything else is normal and is completed via the wiki information here: https://wiki.koozali.org/Letsencrypt

[root@www ~]# [root@www ~]# config show modSSL
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/kspk.com/chain.pem
    TCPPort=443
    access=public
    crt=/ibays/Primary/html/.well-known/{kspk.com}.crt
    key=/ibays/Primary/html/.well-known/{kspk.com}.key
    status=enabled
[root@www ~]#

Okay, let me "try" to explain this again.
This server is on its own public IP address and is a server-only server. It is SME Server 10, the version you guys had in 2021. We have outside people who upload to it via FTP; that is the only thing that is open to the internet, and email is open to the internet, all secured with passwords. Everything else is locked down to local networks. This server also hosts a website, the original domain of kspk.com, which I was hoping to add another one to, which I have, but I have basically been told adding an SSL certificate will not work.
ALL other INFORMATION is sensitive and I would hope you understand I am NOT willing to share it in a PUBLIC forum that just ANYONE can read.

I would prefer an ANSWER to fix this, not CRITICISM. If I can fix the security certificate for kspk.com, that is all I want and I will leave you all alone.

I work other jobs, I don't have the leisure to 100% dedicate my time to this. This is a side job.

Thank you for your time. 


Offline bunkobugsy

Re: let's encrypt question
« Reply #36 on: January 17, 2023, 07:30:10 AM »
just remove every { and }

also those are not the locations suggested:

config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
« Last Edit: January 17, 2023, 07:31:43 AM by bunkobugsy »
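
The two corrections in the reply above (no literal { } in the values, and crt/key under the suggested ssl.crt and ssl.key locations) can be checked mechanically. The following is an added example, not part of the original posts or of SME Server; the function name check_modssl is hypothetical and the example.com sample output is constructed.

```shell
#!/bin/sh
# Lint the crt/key lines of `config show modSSL` output (added example).

# Locations suggested in the reply above for the certificate and key.
CRT_DIR=/home/e-smith/ssl.crt
KEY_DIR=/home/e-smith/ssl.key

# check_modssl (hypothetical helper): reads `config show modSSL` output on
# stdin, prints one finding per line, returns 1 if anything was flagged.
check_modssl() {
    rc=0
    # Plain `read -r` trims the indentation in front of each property.
    while read -r line; do
        prop=${line%%=*}
        val=${line#*=}
        case "$prop" in
            crt) want=$CRT_DIR ;;
            key) want=$KEY_DIR ;;
            *) continue ;;   # prompts, modSSL=service, other properties
        esac
        case "$val" in
            *'{'*|*'}'*) echo "$prop: literal placeholder braces in $val"; rc=1 ;;
        esac
        case "$val" in
            "$want"/*) ;;
            *) echo "$prop: $val is not under $want"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample output, modelled on the listings in this thread.
SAMPLE_BAD='modSSL=service
    TCPPort=443
    access=public
    crt=/ibays/Primary/html/.well-known/{example.com}.crt
    key=/home/e-smith/ssl.key/{example.com}.key
    status=enabled'
SAMPLE_GOOD='modSSL=service
    TCPPort=443
    access=public
    crt=/home/e-smith/ssl.crt/example.com.crt
    key=/home/e-smith/ssl.key/example.com.key
    status=enabled'

printf '%s\n' "$SAMPLE_BAD" | check_modssl || true
```

On the server itself the same function can be fed with `config show modSSL | check_modssl`.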

Offline JRBATM20192021

Re: let's encrypt question
« Reply #37 on: January 17, 2023, 07:53:03 AM »
Okay, did what you said and nothing has changed. This is what I have now.

[root@www ~]# config show modSSL
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/kspk.com/chain.pem
    TCPPort=443
    access=public
    crt=/home/e-smith/ssl.crt/{kspk.com}.crt
    key=/home/e-smith/ssl.key/{kspk.com}.key
    status=enabled
What am I doing wrong?

Offline bunkobugsy

Re: let's encrypt question
« Reply #38 on: January 17, 2023, 08:00:16 AM »
just remove every { and }

don't think you need CertificateChainFile

look in the log for errors

Offline JRBATM20192021

Re: let's encrypt question
« Reply #39 on: January 17, 2023, 08:19:25 AM »
Okay, there, removed. Assuming this is better?

[root@www ~]#  config show modSSL
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/kspk.com/chain.pem
    TCPPort=443
    access=public
    crt=/home/e-smith/ssl.crt/kspk.com.crt
    key=/home/e-smith/ssl.key/kspk.com.key
    status=enabled
[root@www ~]#
However, still didn't fix the problem. I don't know how to get rid of the CertificateChainFile. I think I got it from here:
https://wiki.koozali.org/Letsencrypt
If this shows any values for crt, key, or CertificateChainFile, make a note of them. If you encounter an issue with the certificate files generated by Letsencrypt, you'll then be able to revert your changes. To make a 'backup' of your existing key and properties you can issue:

config show modSSL > "/root/db_configuration_modSSL_backup_$(date +%Y%m%d_%H%M%S)"


Offline JRBATM20192021

Re: let's encrypt question
« Reply #40 on: January 17, 2023, 08:20:01 AM »
Will the problem go away if I remove the security certificate and start over?

Offline bunkobugsy

Re: let's encrypt question
« Reply #41 on: January 17, 2023, 08:58:16 AM »
config delprop modSSL CertificateChainFile
signal-event console-save
signal-event reboot

if still not working, revert completely:

config delprop modSSL crt
config delprop modSSL key

now you should only have:

#  config show modSSL
modSSL=service
    TCPPort=443
    access=public
    status=enabled

then:
signal-event post-upgrade
signal-event reboot

now you should be back on self-signed

Offline JRBATM20192021

Re: let's encrypt question
« Reply #42 on: January 17, 2023, 09:15:03 AM »
Okay, did all of that but still not working. How do I get back to the Let's Encrypt certificate? This is what I have now:
[root@www ~]# config show modSSL
modSSL=service
    TCPPort=443
    access=public
    status=enabled
[root@www ~]#

Offline JRBATM20192021

Re: let's encrypt question
« Reply #43 on: January 17, 2023, 09:17:16 AM »
This is what I have when I put in the below:

[root@www ~]# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@kspk.com
    hookScript=disabled
    keysize=NUMBER
    signal-event=smeserver-letsencrypt-update
    status=enabled
Not sure what I have messed up.

Offline bunkobugsy

Re: let's encrypt question
« Reply #44 on: January 17, 2023, 09:39:19 AM »
you made some (typing) mistakes, fix them first:
config delprop letsencrypt keysize
config delprop letsencrypt signal-event

now you should only have:
# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@kspk.com
    hookScript=disabled
    status=enabled

then:
db domains setprop kspk.com  letsencryptSSLcert enabled
signal-event smeserver-letsencrypt-update
dehydrated -c -x