Koozali.org: home of the SME Server
Obsolete Releases => SME 9.x Contribs => Topic started by: michelandre on September 09, 2018, 04:33:48 PM
-
Hi all,
I use the Let's Encrypt contrib to ask for a certificate for an internal SME Server-9.2.
All the configuration for domain names and host names is OK.
On the internal server, I generate the key for the root SSH public key authentication, transfer it to the main gateway SME Server, test the login without password from internal to gateway and all looks OK.
On the internal server, I set the four database entries.
All my SSH ports use 3333 as the port number.
I ran the dehydrated -c command and received:
...
+ Requesting challenge for www.toto.org
ssh: connect to host micronator.org port 22: Connection refused
lost connection
Failed to deploy challenge !
On the internal server:
# config show sshd
sshd=service
AutoBlock=disabled
AutoBlockTime=900
AutoBlockTries=4
LoginGraceTime=600
MaxAuthTries=2
MotdStatus=enabled
PasswordAuthentication=yes
PermitRootLogin=yes
Protocol=2
TCPPort=3333
UsePAM=yes
access=public
status=enabled
#
On the gateway server:
# config show sshd
sshd=service
AutoBlock=disabled
AutoBlockTime=900
AutoBlockTries=4
LoginGraceTime=600
MaxAuthTries=2
MotdStatus=enabled
PasswordAuthentication=yes
PermitRootLogin=yes
Protocol=2
TCPPort=3333
UsePAM=yes
access=private
status=enabled
#
Is there a way to specify the port for the dehydrated command?
Thank you all,
Michel-André
-
Mixing your metaphors.
Dehydrated itself only runs over 80.
It's the hook script to transfer the certs I think you have wrong.
Read this
https://wiki.contribs.org/Letsencrypt#Advanced_Topics
Make sure you can do a passwordless ssh from the dehydrated server to the internal server that you are copying the cert to.
-
Hi ReetP
For sure, it is not working with a port different than 22.
If I change the port of main and local server to 22, all is working fine.
The port in /usr/bin/hook-script.sh is not defined; it "assumes" it is always 22. Assuming...!
If I add the port in this script file, all is working well.
...
REMOTE_PATH="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
if scp -P 3333 $WELLKNOWN/$CHALLENGE_FILE $USER@$HOST:$REMOTE_PATH/$CHALLENGE_FILE; then
exit 0
else
...
REMOTE_PATH="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
if ssh -p 3333 $USER@$HOST "rm $REMOTE_PATH/$CHALLENGE_FILE"; then
exit 0
else
...
IANAP but at the beginning of the file, if you define the port:
PORT=$(config show sshd | grep TCPPort | grep -o -E '[0-9]+')
Then
...
if scp -P $PORT $WELLKNOWN/$CHALLENGE_FILE $USER@$HOST:$REMOTE_PATH/$CHALLENGE_FILE; then
...
if ssh -p $PORT $USER@$HOST "rm $REMOTE_PATH/$CHALLENGE_FILE"; then
...
The script should work with any SSH port.
My 2¢
Michel-André
-
Ahhhhh ok.
Hmmm. Tricky.
The hook script was really a quick simple solution. You can add in extra fragments to it though.
Your code is ok but makes the assumption that the far end has the same SSH port as the local end.... not necessarily the case
Only way you could sort that is to add an SSHPort key to the host/domain.
Or add a letsencrypt SSHPort key for the default hook, and let users set their own via additional template fragments.
I already have code in smetest for the V2 API which will get released soon. I'll take a look at this when I get 5 minutes.
-
Hi ReetP,
Your code is ok but makes the assumption that the far end has the same SSH port as the local end.... not necessarily the case
Since I only have to copy the local SSH key from the local end to the far end, I think that the far end does not communicate through SSH to the local end?
Michel-André
-
You are missing the point and confusing server and client.
config getprop sshd TCPPort
That is the port on which THIS 'local' server is running. NOT the remote end which could be something completely different.
Imagine the remote end is on 2233.
You look up your local port which is 2222 and try to connect. It will fail.
When you use ssh or scp local machine -> remote machine, the default ssh port that is used to connect is picked from ssh_config, NOT sshd_config/TCPPort. They are NOT the same thing.
So you can either hard code it into a template fragment, or add an SSH TCPPort for each host/domain you want to connect to.
Coding in the template fragment will be easiest....
-
Hi ReetP,
In local server(s):
# touch /root/.ssh/config
# vi /root/.ssh/config
Host 192.168.1.1
    Port 3331
Host 192.168.1.10
    Port 3310
Host 192.168.1.20
    Port 3320
Host 192.168.2.0/24
    Port 2222
I modified the script of the local machine because on my LAN, all servers use the same SSH port.
If using a config file, there is no need to modify the script.
Michel-André
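Putting ReetP's point and the ~/.ssh/config approach together, here is an added hook sketch; it is not the contrib's /usr/bin/hook-script.sh, and the gateway name, paths and the sample config text are constructed for the example. The remote port is resolved per destination host rather than from the local sshd TCPPort, and scp gets -P while ssh gets -p.

```shell
#!/bin/bash
# Added example, not the contrib's /usr/bin/hook-script.sh. The remote port is looked
# up per destination host; the local "config getprop sshd TCPPort" is never consulted,
# because it describes this server's sshd, not the gateway's.
# Constructed sample in the shape of the /root/.ssh/config shown above.
SSH_CONFIG_SAMPLE='Host 192.168.1.1
    Port 3331
Host 192.168.1.10
    Port 3310
Host gateway.example.lan
    Port 3333'
# Remote end and paths are assumptions for the example.
REMOTE_HOST="gateway.example.lan"
REMOTE_USER="root"
WELLKNOWN="/var/www/dehydrated"
REMOTE_PATH="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"

# ssh_port_for_host CONFIG_TEXT HOST: Port of the first Host stanza naming HOST
# exactly, else 22 (ssh's own default). Wildcards and Match blocks are not handled.
ssh_port_for_host() {
    printf '%s\n' "$1" | awk -v want="$2" '
        tolower($1) == "host" { in_block = ($2 == want); next }
        in_block && tolower($1) == "port" { print $2; found = 1; exit }
        END { if (!found) print 22 }'
}

# The port flag differs by tool: scp takes -P, ssh takes -p.
port_flag() {
    case "$1" in
        scp) printf '%s %s' "-P" "$2" ;;
        ssh) printf '%s %s' "-p" "$2" ;;
        *)   return 1 ;;
    esac
}

# With DRY_RUN=1 the command is printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# dehydrated calls: hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
    local port; port="$(ssh_port_for_host "$SSH_CONFIG_SAMPLE" "$REMOTE_HOST")"
    run scp $(port_flag scp "$port") "$WELLKNOWN/$2" "$REMOTE_USER@$REMOTE_HOST:$REMOTE_PATH/$2"
}
clean_challenge() {
    local port; port="$(ssh_port_for_host "$SSH_CONFIG_SAMPLE" "$REMOTE_HOST")"
    run ssh $(port_flag ssh "$port") "$REMOTE_USER@$REMOTE_HOST" "rm -f $REMOTE_PATH/$2"
}
case "${1:-}" in deploy_challenge|clean_challenge) "$1" "$2" "$3" "$4" ;; esac
```

Run it with DRY_RUN=1 first to see the exact scp/ssh commands before pointing dehydrated at it.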