Koozali.org: home of the SME Server

Letsencrypt panel is looking great!

compdoc
Letsencrypt panel is looking great!
« on: February 23, 2025, 05:49:27 PM »
That's it, that's the post.

Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Letsencrypt panel is looking great!
« Reply #1 on: February 23, 2025, 11:03:21 PM »
That is a WIP; all the backend is working as CLI, but we still have a few bits to attach to it!

But thanks for the feedback, it is good to hear and gives us some good energy to keep on!

Jes
Re: Letsencrypt panel is looking great!
« Reply #2 on: March 18, 2025, 06:12:04 PM »
Where/how to see the Letsencrypt panel?

ReetP
Re: Letsencrypt panel is looking great!
« Reply #3 on: March 19, 2025, 10:35:07 AM »
Quote
Where/how to see the Letsencrypt panel?

As per above:

Quote
That is a WIP; all the backend is working as CLI, but we still have a few bits to attach to it!

You need a fully updated v11 Alpha.

Start here. Note there are lots of pitfalls still, hence Alpha status. "Liable to break a lot"

https://wiki.koozali.org/Main_Page

Letsencrypt is still Work In Progress but has risen almost to the top of the ToDo list.

So on Alpha YMMV.

It should be usable by Beta. We hope to have one in the next few weeks.

If you want to help develop and test Koozali v11, or just hangout & chat, please ask DM for a Rocket account which is where the action is.....
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Jes
Re: Letsencrypt panel is looking great!
« Reply #4 on: March 21, 2025, 11:02:56 AM »
I have a fully updated v11 Alpha installed but can't see Letsencrypt in the control panel?

Quote
As per above:

You need a fully updated v11 Alpha.

Start here. Note there are lots of pitfalls still, hence Alpha status. "Liable to break a lot"

https://wiki.koozali.org/Main_Page

Letsencrypt is still Work In Progress but has risen almost to the top of the ToDo list.

So on Alpha YMMV.

It should be usable by Beta. We hope to have one in the next few weeks.

If you want to help develop and test Koozali v11, or just hangout & chat, please ask DM for a Rocket account which is where the action is.....

ReetP
Re: Letsencrypt panel is looking great!
« Reply #5 on: March 21, 2025, 08:04:58 PM »
Quote
I have a fully updated v11 Alpha installed but can't see Letsencrypt in the control panel?

Networking, Letsencrypt certificates.

If you can't see it then you aren't up to date or have something wrong.

Note it's not in server-manager which is deprecated and will be removed. It is in the new manager at /smanager

Note the panel displays basics but is NOT fully functional yet. We hope this will be completed in the next few weeks.

Jean-Philippe Pialasse
Re: Letsencrypt panel is looking great!
« Reply #6 on: March 22, 2025, 02:08:38 PM »
Simply use the new panel at /smanager instead of the old one at /server-manager.

The old one will be removed before final release and the URL will be adjusted then.

Fumetto
Re: Letsencrypt panel is looking great!
« Reply #7 on: March 24, 2025, 12:49:18 PM »
Quote
Simply use the new panel at /smanager instead of the old one at /server-manager.

The old one will be removed before final release and the URL will be adjusted then.

Hope redirect...

You've piqued my curiosity, if I have time tonight I'll try to install a VM on the fly and see "where we are at".
I know... if I collaborate it will be quicker... but time is scarce, commitments abound, my secret partner (the state) is breathing down my neck and my 3-year-old niece is not collaborating (to have a bit of peace to concentrate I have to wait for her to fall asleep).

Knuddi
Re: Letsencrypt panel is looking great!
« Reply #8 on: August 20, 2025, 08:05:06 AM »
I have started to use SME 11 and it's looking great. The Let's Encrypt certificates seem to work perfectly on HTTPS level, but for email (SSMTP/IMAPS/TLS) it doesn't seem to get updated and it uses the self-signed certificates. Am I missing something and/or do you have a "manual hack" what and where to copy certificates if this is not yet part of the Beta?

I use https://www.checktls.com/TestReceiver to test the TLS.

SSLVersion in use: TLSv1_3
Cipher in use: TLS_AES_256_GCM_SHA384
Perfect Forward Secrecy: yes
Session Algorithm in use: Curve X25519 DHE(253 bits)
Certificate #1 of 2 (sent by MX):
Cert VALIDATION ERROR(S): self signed certificate
So email is encrypted but the recipient domain is not verified

compdoc
Re: Letsencrypt panel is looking great!
« Reply #9 on: August 20, 2025, 09:37:48 AM »
Quote
The Let's Encrypt certificates seem to work perfectly on HTTPS level,

It's odd that you say that. I've had letsencrypt working well on SME10 for a long time, using the instructions located at:

https://wiki.koozali.org/Letsencrypt

But after spending hours on a couple of attempts with Alpha and one attempt with Beta to manually set up letsencrypt using those same instructions, I've never managed to get Dehydrated to work with SME11.

For security purposes, it seems to me that SME has always been locked down in various ways. The letsencrypt panel is only informational at this point, but someone with knowledge of the internal workings of SME needs to do the work of getting Dehydrated working manually first. That would make the creation of the smanager panel much simpler, IMO.

Knuddi
Re: Letsencrypt panel is looking great!
« Reply #10 on: August 20, 2025, 10:50:04 AM »
Dehydrated works just fine for me (using the shell) and it gets certificates for all the hosts that I have enabled for LetsEncrypt. The retrieved certificates are also placed correctly for HTTPS, but for all mail purposes it doesn't.


Knuddi
Re: Letsencrypt panel is looking great!
« Reply #11 on: Yesterday at 07:37:23 PM »
What ought to be the content of /var/service/qpsmtpd/ssl/cert.pem is a merge of privkey, cert, chain.pem but is the self signed certificate. ModSSL has been configured:

[root@mail dehydrated]# config show modSSL
modSSL=configuration
    CertificateChainFile=/etc/dehydrated/certs/swerts-knudsen.dk/chain.pem
    TCPPort=443
    access=public
    crt=/etc/dehydrated/certs/swerts-knudsen.dk/cert.pem
    key=/etc/dehydrated/certs/swerts-knudsen.dk/privkey.pem
    status=enabled

a "signal-event email-update" or/and "signal-event ssl-update" but the qpsmtpd certificate file does not update.

So start of the hack that ought to be expanded by Let's Encrypt integration:

cp /etc/dehydrated/certs/<primary domain>/privkey.pem /var/service/qpsmtpd/ssl/cert.pem
cat /etc/dehydrated/certs/<primary domain>/cert.pem >> /var/service/qpsmtpd/ssl/cert.pem
cat /etc/dehydrated/certs/<primary domain>/chain.pem >> /var/service/qpsmtpd/ssl/cert.pem
systemctl restart qpsmtpd.service

Now SMTP (Port 25) is OK according to checktls.com but it will be overwritten anytime, and all other services (except for HTTP) seem not to be updated either :-(



Knuddi
Re: Letsencrypt panel is looking great!
« Reply #12 on: Yesterday at 10:23:20 PM »
Sorry to spam here and not in Bugzilla.....

I think the cause has been found in /etc/e-smith/templates/home/e-smith/ssl.pem/20key and "related_key_cert"

my $key = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) ) ? $modSSL{'key'}  : $dkey;


It seems that the Let's Encrypt certificates are not related in this check and hence are not used for any other certificates in the system. The HTTPS (http.conf) is not using this check.

Could it be related to https://bugs.koozali.org/show_bug.cgi?format=multiple&id=11620?


Knuddi
Re: Letsencrypt panel is looking great!
« Reply #13 on: Yesterday at 10:53:30 PM »
Resolved (that was a tough one..). It turned out that the default public key algorithm (secp384r1) used in dehydrated is not supported in SME 11x. When I changed to a plain rsa configuration, all turned green.

# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
# KEY_ALGO=secp384r1 (default)
#elliptic curve was not supported  (qpsmtpd and perl-IO-Socket-SSL < 1.95)
# SME 11 has perl-IO-Socket-SSL-2.066
KEY_ALGO=rsa


To keep this permanent the template must be changed in:
/etc/e-smith/templates/etc/dehydrated/config/45Algorithm
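
An independent way to check whether a dehydrated key and certificate belong together, and which algorithm the key uses, before bundling them for a mail service as in the posts above. This is an added example, not part of the thread and not SME Server code; the function names are hypothetical and it assumes only the `openssl` command-line tool.

```sh
#!/bin/sh
# Added example (not SME Server code): pre-flight checks on a dehydrated
# key/cert pair before bundling it for a mail service.

pub_from_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Succeeds only if the certificate carries the key's public half.
# Comparing SubjectPublicKeyInfo works for RSA and EC keys alike.
key_matches_cert() {  # key cert
    k=$(pub_from_key "$1") || return 2
    c=$(pub_from_cert "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Prints "rsa", "ec:<curve>" or "unknown" for a private key file.
key_algo() {
    txt=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || return 2
    curve=$(printf '%s\n' "$txt" | sed -n 's/^ASN1 OID: *//p')
    if [ -n "$curve" ]; then echo "ec:$curve"
    elif printf '%s\n' "$txt" | grep -q '^modulus:'; then echo rsa
    else echo unknown
    fi
}

# Writes key + cert + chain into one PEM, the order used in the post above.
# Refuses mismatched pairs; file is created mode 600 and moved into place.
build_bundle() {  # key cert chain out
    key_matches_cert "$1" "$2" || { echo "mismatch: $1 / $2" >&2; return 1; }
    ( umask 077 && cat "$1" "$2" "$3" > "$4.tmp" ) && mv "$4.tmp" "$4"
}

# Constructed sample input: throwaway self-signed pair. $1 = rsa or a curve.
make_pair() {  # algo key_out cert_out
    case $1 in
        rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2" ;;
        *)   openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:$1" -out "$2" ;;
    esac 2>/dev/null
    openssl req -x509 -new -key "$2" -subj "/CN=example.test" -days 1 -out "$3" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
    make_pair secp384r1 "$d/ec.key" "$d/ec.crt"
    make_pair rsa "$d/rsa.key" "$d/rsa.crt"
    echo "ec key:  $(key_algo "$d/ec.key")"
    echo "rsa key: $(key_algo "$d/rsa.key")"
    key_matches_cert "$d/ec.key" "$d/ec.crt" && echo "EC pair matches"
    key_matches_cert "$d/rsa.key" "$d/ec.crt" || echo "RSA key vs EC cert: mismatch"
fi
```

Run with `--demo` to exercise it on generated keys. A pair that passes `key_matches_cert` here but is still rejected by the system points at algorithm support rather than at a mismatched key.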



ReetP
Re: Letsencrypt panel is looking great!
« Reply #14 on: Yesterday at 11:19:19 PM »
Quote
Sorry to spam here and not in Bugzilla.....

So don't.

Do what we always say and open a bug or ask on Rocket - you have an account?

Remember, this is Beta, not a production release.

It is likely to have lots of bugs, but hopefully not breaking ones.

Bug it.