Koozali.org: home of the SME Server
Other Languages => Français => Topic started by: ecureuil on February 14, 2020, 11:44:28 PM
-
hello,
I buy a domain name every year from filnet.
When people visit one of my ibays, they get a problem with my SME's security certificate.
I have a certificate that validates itself.
It is not certified by an authority.
What can I do so that people no longer get this message?
I was pointed to https://letsencrypt.org/fr/getting-started/
How do you do it?
Thanks
Anne
-
Search the wiki for letsencrypt and dehydrated.
https://wiki.contribs.org/Letsencrypt
-
Search the wiki for letsencrypt and dehydrated.
https://wiki.contribs.org/Letsencrypt
thanks
Then, to configure it, with filnet I created MX and A records.
I admit I don't master all of it
All the A records point to my freebox's IP
All the MX records are 20 mail.xxxxx.com.
If I run
config setprop letsencrypt configure all
what are the consequences?
Anne
-
Each host or domain must be resolvable from the internet to something like this (the directory is created by the contrib)
http://myhost.mydomain.com/.well-known/acme-challenge
Run 'test' mode which will tell you if you have got it right.
If you have one domain I suggest you enable the domain and specific hosts eg
mydomain.com
www.mydomain.com
mail.mydomain.com
You can add more if required.
-
In the hostnames I have
ftp.domain.com
mail.domain.com
nuts.domain.com
proxy.domain.com
tux.domain.com
www.domain.com
www2.domain.com
do I also add ftp and proxy?
for www2 I no longer remember why I have that
Anne
-
As I said above, do it for hosts that you require.
Which ones are your choice..... start simple.....
I'd remove hosts you do not need or use.
-
I've already made some mistakes
I did db domains setprop instead of db hosts setprop
How do I remove the extra 'domains' entries?
How can I see what I set with 'domains' and 'hosts'?
Anne
-
continued
# db domains show
domain.com=domain
Content=Primary
Description=Primary domain
Nameservers=localhost
Removable=no
SystemPrimaryDomain=yes
letsencryptSSLcert=enabled
# db hosts show
ftp.domain.com=host
ExternalIP=
HostType=Self
InternalIP=
MACAddress=
mail.domain.com=host
ExternalIP=
HostType=Self
InternalIP=
MACAddress=
letsencryptSSLcert=enabled
nuts.domain.com=host
Comment=
ExternalIP=
HostType=Local
InternalIP=10.97.1.80
MACAddress=
pc-00105.domain.com=host
Comment=
ExternalIP=
HostType=Local
InternalIP=10.97.1.51
MACAddress=
proxy.domain.com=host
ExternalIP=
HostType=Self
InternalIP=
MACAddress=
tux.domain.com=host
ExternalIP=
HostType=Self
InternalIP=
MACAddress=
ReverseDNS=yes
static=yes
wpad.domain.com=host
ExternalIP=
HostType=Self
InternalIP=
MACAddress=
www.domain.com=host
ExternalIP=
HostType=Self
InternalIP=
MACAddress=
letsencryptSSLcert=enabled
www2.domain.com=host
Comment=
ExternalIP=
HostType=Self
InternalIP=
MACAddress=
letsencryptSSLcert=enabled
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
configure=all
email=admin@domain.com
hookScript=disabled
status=test
# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
+ ERROR: An error occurred while sending post-request to https://acme-staging.api.letsencrypt.org/acme/new-reg (Status 403)
Details:
HTTP/1.1 100 Continue
HTTP/1.1 403 Forbidden
Server: nginx
Date: Sat, 15 Feb 2020 17:40:00 GMT
Content-Type: application/problem+json
Content-Length: 280
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: 0001GgVRQ-Zk9fpOD1AWlxkrrYJQyoNo-eR-1tx402God_Y
{
"type": "urn:acme:error:unauthorized",
"detail": "Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.",
"status": 403
}
Error registering account key. See message above for more information.
=>
I forgot to run
# config setprop letsencrypt API 2
# signal-event console-save
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=2
configure=all
email=admin@domain.com
hookScript=disabled
status=test
# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
Fetching missing account information from CA...
+ Creating chain cache directory /etc/dehydrated/chains
Processing domain.com with alternative names: domain.com ftp.domain.com mail.domain.com nuts.domain.com pc-00105.domain.com proxy.domain.com tux.domain.com wpad.domain.com www.domain.com www2.domain.com
+ Creating new directory /etc/dehydrated/certs/domain.com ...
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 10 authorizations URLs from the CA
+ ERROR: An error occurred while sending get-request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/39074804 (Status 405)
Details:
HTTP/1.1 405 Method Not Allowed
Server: nginx
Date: Sat, 15 Feb 2020 18:00:20 GMT
Content-Type: application/problem+json
Content-Length: 103
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Method not allowed",
"status": 405
}
another error
:(
Anne
-
config delprop dehydrated configure
signal-event console-save
You don't want to configure a cert for all your pc... hosts
-
Also update https://forums.contribs.org/index.php/topic,54121.30.html
-
Also update https://forums.contribs.org/index.php/topic,54121.30.html
I looked and I don't see how to do it?
I did
config delprop dehydrated configure
signal-event console-save
# config show modSSL
modSSL=service
TCPPort=443
access=public
status=enabled
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=2
configure=none
email=admin@domain.com
hookScript=disabled
status=test
# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Fetching missing account information from CA...
Processing domain.com with alternative names: mail.domain.com www.domain.com www2.domain.com
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 4 authorizations URLs from the CA
+ ERROR: An error occurred while sending get-request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/39074805 (Status 405)
Details:
HTTP/1.1 405 Method Not Allowed
Server: nginx
Date: Sun, 16 Feb 2020 07:53:36 GMT
Content-Type: application/problem+json
Content-Length: 103
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Method not allowed",
"status": 405
}
Anne
-
Use the dehydrated version 0.6.5-1 in smetest/smedev (I never remember which repo to use)
-
# rpm -qa | grep dehydrated
dehydrated-0.6.2-14.el6.sme.noarch
# rpm -qa | grep letsencrypt
smeserver-letsencrypt-0.5-9.noarch
At first, I had this error
# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
+ ERROR: An error occurred while sending post-request to https://acme-staging.api.letsencrypt.org/acme/new-reg (Status 403)
I had forgotten to run
# config setprop letsencrypt API 2
I did not go through version 1
I get error 405
Is it apache that has a problem?
Anne
-
Each host or domain must be resolvable from the internet to something like this (the directory is created by the contrib)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
http://myhost.mydomain.com/.well-known/acme-challenge
Use the dehydrated version 0.6.5-1 in smetest/smedev (I never remember which repo to use)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
Use the dehydrated version 0.6.5-1 in smetest/smedev
Also in epel.
-
the problem is I no longer know how to do testing or epel
it's been 10/12 years since I did it. All forgotten, my head is a sieve
-
found it
# yum update smeserver-letsencrypt dehydrated --enablerepo=smetest
...
Mise à jour:
dehydrated noarch 0.6.5-1.el6 smetest 85 k
smeserver-letsencrypt noarch 0.5-11 smetest 36 k
not done yet
-
# yum update dehydrated --enablerepo=smetest
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=2
configure=none
email=admin@domain.com
hookScript=disabled
status=test
[root@tux letsencrypt]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Fetching account ID...
Processing domain.com with alternative names: mail.domain.com www.domain.com www2.domain.com
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 4 authorizations URLs from the CA
+ Handling authorization for domain.com
+ Handling authorization for mail.domain.com
+ Handling authorization for www.domain.com
+ Handling authorization for www2.domain.com
+ 4 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for mail.domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for www.domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for www2.domain.com authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
I think it's ok
-
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=2
configure=none
email=admin@domain.com
hookScript=disabled
status=test
# cat /etc/dehydrated/config
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
PARAM_ACCEPT_TERMS="yes"
# config setprop letsencrypt status enabled
# signal-event console-save
# cat /etc/dehydrated/config
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-v02.api.letsencrypt.org/directory"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@domain.com
HOOK="/usr/bin/hook-script.sh"
API="2"
PARAM_ACCEPT_TERMS="yes"
I did
# yum update smeserver-letsencrypt --enablerepo=smetest
I put it back into test mode just to test
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=2
configure=none
email=admin@domain.com
hookScript=disabled
status=test
# cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@domain.com
API="2"
PARAM_ACCEPT_TERMS="yes"
It's ok
I'm putting it back to enabled
# config setprop letsencrypt status enabled
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=2
configure=none
email=admin@domain.com
hookScript=disabled
status=enabled
# cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@domain.com
API="2"
PARAM_ACCEPT_TERMS="yes"
# dehydrated -c -x
# INFO: Using main config file /etc/dehydrated/config
Processing domain.com with alternative names: mail.domain.com www.domain.com www2.domain.com
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till May 16 15:38:14 2020 GMT (Longer than 30 days). Ignoring because renew was forced!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 4 authorizations URLs from the CA
+ Handling authorization for domain.com
+ Handling authorization for mail.domain.com
+ Handling authorization for www.domain.com
+ Handling authorization for www2.domain.com
+ 4 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for mail.domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for www.domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for www2.domain.com authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
+ Done!
Now it just has to go from testing to contribs...
thanks for the work
Anne
-
continued
I went back to my server-manager
Connection blocked: potential security issue
Firefox detected a potential security threat and stopped loading www.domain.com because this website requires a secure connection.
What can you do about it?
The issue is most likely with the website, so there is nothing you can do to fix it.
If you are on a corporate network or using antivirus software, you can contact the support teams for help. You can also notify the website's administrator about the problem.
What's going on?
Anne
-
Probably because of the server name/ip address.
www.myserver.com/server-manager probably resolves LOCALLY to 192.168.x.x but the cert is for an 'external' ip.
You cannot generate a certificate for a 'local/private' ip address because it doesn't resolve globally.
How does "www.mydomain.com" look when accessed from the internet in general?
-
hi
3w dot linux-nuts dot com
what does that give?
and for
www2 dot linux-nuts dot com
Anne
-
www dot linux-nuts dot com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER
Certificates have not been deployed correctly but no idea why.
-
it's been 10/12 years since I did it. All forgotten, my head is a sieve
Mate, excuse the english, you are not the only one :-)
-
# cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@domain.com
API="2"
PARAM_ACCEPT_TERMS="yes"
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=2
configure=none
email=admin@domain.com
hookScript=disabled
status=enabled
configure=none => maybe it needs to be configured?
-
config show modSSL
-
# config show modSSL
modSSL=service
CertificateChainFile=/etc/dehydrated/certs/linux-nuts.com/chain.pem
TCPPort=443
access=public
crt=/etc/dehydrated/certs/linux-nuts.com/cert.pem
key=/etc/dehydrated/certs/linux-nuts.com/privkey.pem
status=enabled
-
Certificates have not been deployed correctly but no idea why.
I'd like to try again
Anne
-
I don't think you followed the wiki correctly.
https://wiki.contribs.org/Letsencrypt#Enable_Test_Mode
config setprop letsencrypt status test
signal-event console-save
dehydrated -c
If that is OK then go to Production mode
https://wiki.contribs.org/Letsencrypt#Enable_Production_Mode
Once you've successfully tested your installation, set it to production mode using these commands:
config setprop letsencrypt status enabled
signal-event console-save
Then obtain a new certificate from the Let's Encrypt production server:
dehydrated -c -x
The -x flag here is needed to force dehydrated to obtain a new certificate, even though you have an existing certificate that's valid for more than 30 days.
==========
I do not believe you have run dehydrated -c -x properly.
-
I had
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=2
configure=none
email=admin@domain.com
hookScript=disabled
status=enabled
All the examples had configure=none
I replaced configure=none with configure=domains
And it seems there are no more problems
-
Domains can work only if all the domains you have entered point to your SME from the internet at all times. Otherwise, certificate generation is likely to fail. You could decide, for example, in two weeks to add a monreseau.local for some particular internal use, and that will break your renewal.
Keeping it at none is the safer technique. You can then select domains and hosts (subdomains) individually.
-
I have only one domain ;)
But I have a bunch of hosts
What surprises me is that proxy and ftp are in the hosts on sme
-
Domains can work only if all the domains you have entered point to your SME from the internet at all times. Otherwise, certificate generation is likely to fail. You could decide, for example, in two weeks to add a monreseau.local for some particular internal use, and that will break your renewal.
Keeping it at none is the safer technique. You can then select domains and hosts (subdomains) individually.
I have only one domain
But lots of hosts
How do I select the hosts?
Anne
-
Same principle, you leave configure at none
Then for the domains and hosts you are interested in you do setprop letsencryptSSLcert enabled
db domains setprop mondomaine letsencryptSSLcert enabled
db hosts setprop monhost.mondomaine letsencryptSSLcert enabled
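The advice above (and the earlier reply that every requested name must answer on http://host/.well-known/acme-challenge from the Internet) comes down to knowing which names the contrib will put on the certificate before dehydrated asks the CA for them. The script below is an added example, not code from this thread or from the smeserver-letsencrypt contrib: it parses the text of `db domains show` / `db hosts show` and lists the names a given `configure` value would select, then flags hosts of type Local, which only resolve on the LAN unless you have arranged a public DNS record for them. The sample data is constructed from the listing posted earlier (hypothetical domain.com). The rules for `all` (every entry) and `none` (only entries with letsencryptSSLcert=enabled) match the 10-name and 4-name orders seen in the dehydrated output above; the rule used for `domains` (every domain, hosts only when flagged) is an assumption drawn from the reply, not something the contrib's code confirms.

```shell
#!/bin/sh
# Added example, not part of the thread or of smeserver-letsencrypt.
# Constructed sample of `db domains show` / `db hosts show`, trimmed to the
# properties that matter: the "name=type" header, HostType, letsencryptSSLcert.
SAMPLE_DOMAINS='domain.com=domain
Content=Primary
SystemPrimaryDomain=yes
letsencryptSSLcert=enabled'

SAMPLE_HOSTS='ftp.domain.com=host
HostType=Self
mail.domain.com=host
HostType=Self
letsencryptSSLcert=enabled
nuts.domain.com=host
HostType=Local
InternalIP=10.97.1.80
pc-00105.domain.com=host
HostType=Local
InternalIP=10.97.1.51
proxy.domain.com=host
HostType=Self
tux.domain.com=host
HostType=Self
wpad.domain.com=host
HostType=Self
www.domain.com=host
HostType=Self
letsencryptSSLcert=enabled
www2.domain.com=host
HostType=Self
letsencryptSSLcert=enabled'

# _le_scan MODE KIND TEXT
# Walks one db dump (KIND is "domain" or "host") and prints "name HostType"
# for every entry selected under MODE. Assumed selection rules:
#   all     - every domain and every host
#   domains - every domain, plus hosts that have letsencryptSSLcert=enabled
#   none    - only entries that have letsencryptSSLcert=enabled
_le_scan() {
  printf '%s\n' "$3" | awk -v mode="$1" -v kind="$2" '
    function flush() {
      if (name == "") return
      if (mode == "all" || (mode == "domains" && kind == "domain") || enabled)
        print name, htype
      name = ""
    }
    /^[^=]+=(domain|host)$/ { flush(); name = $0; sub(/=.*/, "", name); enabled = 0; htype = kind; next }
    /^letsencryptSSLcert=enabled$/ { enabled = 1; next }
    /^HostType=/ { htype = substr($0, 10); next }
    END { flush() }'
}

# le_names MODE DOMAINS_TEXT HOSTS_TEXT: the names dehydrated will request, domains first.
le_names() {
  { _le_scan "$1" domain "$2"; _le_scan "$1" host "$3"; } | awk '{ print $1 }'
}

# le_local_hosts MODE DOMAINS_TEXT HOSTS_TEXT: selected hosts of type Local. The SME's own
# DNS answers a LAN address for these, so the CA can only validate them if public DNS
# points the name at the Internet-facing SME (and the hook script puts the token there).
le_local_hosts() {
  _le_scan "$1" host "$3" | awk '$2 == "Local" { print $1 }'
}

# le_preflight MODE DOMAINS_TEXT HOSTS_TEXT: non-zero when a Local host would be ordered,
# so the operator reviews it before the whole order fails at the challenge step.
le_preflight() {
  bad=$(le_local_hosts "$1" "$2" "$3")
  if [ -n "$bad" ]; then
    echo "configure=$1 would include LAN-only hosts: $(echo "$bad" | tr '\n' ' ')" >&2
    return 1
  fi
  return 0
}

# On a real SME Server (not run here), feed the live db output instead of the samples:
#   le_preflight none "$(db domains show)" "$(db hosts show)" && dehydrated -c
```

With `configure=all` the sample selects all ten names, two of them Local, so `le_preflight` refuses; with `configure=none` it selects domain.com, mail, www and www2, the same four the successful test run above handled.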
-
Same principle, you leave configure at none
Then for the domains and hosts you are interested in you do setprop letsencryptSSLcert enabled
db domains setprop mondomaine letsencryptSSLcert enabled
db hosts setprop monhost.mondomaine letsencryptSSLcert enabled
I understood
With server-manager
for domain I have only one domain => easy
domain.com Primary domain Primary Resolved locally
For hosts, I have many
ftp.domain.com Self 10.97.1.1
mail.domain.com Self 10.97.1.1
nuts.domain.com Local 10.97.1.80
pc-00105.domain.com Local 10.97.1.51
proxy.domain.com Self 10.97.1.1
tux.domain.com Self 10.97.1.1
wpad.domain.com Self 10.97.1.1
www.domain.com Self 10.97.1.1
www2.domain.com Self 10.97.1.1
for wpad I no longer remember where it comes from
I found this
https://wiki.contribs.org/SME-101.04_Certificat_Let%27s_Encrypt
I checked with Qualys SSL Labs
Certificate in green
Protocol Support in orange
Key Exchange in orange
Cipher Strength in green
for Key Exchange that's normal according to the person who wrote the howto
for Protocol Support it's orange ???
that's it for my tests
Anne
-
If you read the manual you will find that proxy, wpad etc are created automatically on install.
They can be ignored or removed.
Amber settings. If you read down the page it tells you why (use google translate). It is probably because apache still supports older versions of TLS.
There are some answers here and in the forums about this. Have a search.
N.B The wiki page you referred to is for older versions of letsencrypt/dehydrated so be careful with the information as it may be out of date.
-
hello,
I have an SME server that acts as server and gateway. I have another server on the local network that is server-only.
I installed letsencrypt on the SME server that acts as server and gateway.
It works well.
How do I get letsencrypt for the SME server that is server-only and sits on the local network?
I looked at the French version of the contrib page:
Advanced topics
Obtaining certificates for other servers
What do I install, and where, to get the certificate green in firefox with the local server?
Thanks
Anne
-
You really need to do some trial and error. It is very frustrating having to retype the entire wiki here for you.
Simply.
Create a host in your Hosts panel and set it to Local and the local IP. From the INTERNET that host will HAVE to resolve to your main SME.
Set the host letsencryptSSLcert enabled
console-save
Make sure you can ssh/scp from your main SME to the local only SME WITHOUT passwords. Read how on the wiki please.
Either follow the wiki:
https://wiki.contribs.org/Letsencrypt#Obtaining_certificates_for_a_private_SME_Server
Or create your own hook-script template as per the wiki with your settings as per this:
https://wiki.contribs.org/Letsencrypt#Hook_Script_deployment
{
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' ) || 'disabled';
if ( $letsencryptStatus ne 'disabled' ) {
$OUT .=<<'_EOF';
if [ $1 = "deploy_cert" ] && [ $2 = "hostname.domain.tld" ]; then
KEY=$3
CERT=$4
CHAIN=$6
scp $CERT root@hostname:/etc/pki/tls/certs/pbx.familybrown.org.crt
scp $KEY root@hostname:/etc/pki/tls/private/pbx.familybrown.org.key
scp $CHAIN root@hostname:/etc/pki/tls/certs/server-chain.crt
ssh root@pbx "/sbin/service httpd reload"
echo "$2 certificate renewed" | mail -s "Certificate renewal" admin@domain.tld
exit 0
fi
_EOF
}
}
Run dehydrated - I suggest plenty of test mode.
You may need to read both the French AND English SEVERAL times before you understand it.
-
You really need to do some trial and error. It is very frustrating having to retype the entire wiki here for you.
Simply.
Create a host in your Hosts panel and set it to Local and the local IP. From the INTERNET that host will HAVE to resolve to your main SME.
Set the host letsencryptSSLcert enabled
console-save
Make sure you can ssh/scp from your main SME to the local only SME WITHOUT passwords. Read how on the wiki please.
All of that is ok
I have a VPN on it so I can access it remotely.
I'll look at the rest after some sleep
It's the next part where I was wondering whether to follow:
Obtaining certificates for other servers
or
Obtaining certificates for a private KOOZALI SME Server
If I understood correctly, both are possible
Anne
-
I have a VPN on it so I can access it remotely.
I hope it isn't PPTP....
It's the next part where I was wondering whether to follow:
Obtaining certificates for other servers
or
Obtaining certificates for a private KOOZALI SME Server
If I understood correctly, both are possible
So is your other server a Koozali Private server?
"Comment faire pour avoir letsencrypt pour le serveur sme "
Please think about it.
The method for 'other servers' will work (because Koozali can also be an 'other server') but it was designed for more complicated setups.
-
I hope it isn't PPTP....
no pptp
PPTP settings
You can allow PPTP VPN access to your server. We recommend leaving this feature disabled by setting the value to 0, unless you absolutely need PPTP access.
Number of simultaneous connections => 0
So is your other server a Koozali Private server?
"Comment faire pour avoir letsencrypt pour le serveur sme "
Please think about it.
The method for 'other servers' will work (because Koozali can also be an 'other server') but it was designed for more complicated setups.
That seems much more complicated to me.
If the conditions are met, I prefer the solution: private server
;)
on the private server
# config show modSSL
modSSL=service
TCPPort=443
access=public
status=enabled
(I saw that Gieres is very responsive on the French version of letsencrypt. Thanks)
-
PPTP - is very bad.
Use ipsec/openvpn
If the conditions are met, I prefer the solution: private server
Well, only you know if you have a single private SME server..... if you have then there is a simple solution for you....
ModSSL is irrelevant right now.
I have told you above what you need to do. Please read it again.
You must fix this FIRST so that the servers can talk uninterrupted.
"Make sure you can ssh/scp from your main SME to the local only SME WITHOUT passwords. Read how on the wiki please."
Follow the wiki.
-
I have told you above what you need to do. Please read it again.
You must fix this FIRST so that the servers can talk uninterrupted.
How do I check and do that?
I don't understand?
What should I do first?
"Make sure you can ssh/scp from your main SME to the local only SME WITHOUT passwords. Read how on the wiki please."
How can I see whether it's ok or not?
Anne
-
How do I check and do that?
I don't understand?
What should I do first?
Please, I have not got the time to walk you through every little detail. This is basic linux ssh usage. There are thousands of pages out there. Look for ssh login with keys, not passwords.
e.g.
https://www.thegeekdiary.com/centos-rhel-how-to-setup-passwordless-ssh-login/
If you cannot transfer files without a password then you cannot transfer a certificate without a password. So do this first.
How can I see whether it's ok or not?
Like this:
Make sure you can ssh/scp from your main SME to the local only SME WITHOUT passwords
Can you login from your main server to your private only server without a password?
You have GOT to try and do some of this yourself.
Just give it a go. Try it. You might learn something by breaking things, which is how WE learned.
You are NOT reading enough and not trying enough.
Once you have tried doing some of this and it breaks then come back and ask. But I can't help you unless you have started to do some work yourself.
This forum is for help when you get stuck. It is not here to tell you in tiny little steps how to do it. You are meant to try and do things by yourself. If you don't you are just going to get ignored.
-
https://www.thegeekdiary.com/centos-rhel-how-to-setup-passwordless-ssh-login/
Generate authentication key
If an SSH authentication-key file does not exist, generate one by running the ssh-keygen command. When prompted for a passphrase, use a blank passphrase if fully password-less login is required:
I ran the command, but as root.
I have no user on this server apart from faxadmin, root and admin.
Copy the public key to remote host
Use the ssh-copy-id command to install the public half of the newly-generated authentication key into a specific user’s home directory on the remote host. The ssh-copy-id command will then automatically append the identity information into the ~/.ssh/authorized_keys file for the specified user on the remote host (creating ~/.ssh and~/.ssh/authorized_keys if necessary).
How do I do that?
Anne
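The two steps quoted above (generate a key, append its public half to the remote root's authorized_keys) and the question "how can I see whether it's ok" have a concrete answer in shell. The script below is an added example, not from this thread or the wiki: it checks the permissions that make sshd ignore authorized_keys (the usual reason a freshly copied key still prompts for a password), builds a restricted authorized_keys line, and runs the non-interactive login test the reply asks for. The host name internal-server.domain.com and the LAN address 10.97.1.1 are the ones used as examples in this thread; everything else is assumed.

```shell
#!/bin/sh
# Added example, not part of the thread or of smeserver-letsencrypt.

# _writable_by_others PATH: true if the group or "other" write bit is set.
# sshd with the default StrictModes yes silently ignores ~/.ssh/authorized_keys
# when the home directory, ~/.ssh or the file itself is writable by anyone but
# the owner; the symptom is an unexpected password prompt despite the copied key.
_writable_by_others() {
  case "$(ls -ld "$1" | cut -c6,9)" in
    *w*) return 0 ;;
  esac
  return 1
}

# ssh_keys_ready SSHDIR: 0 when SSHDIR and SSHDIR/authorized_keys exist and
# neither is group/world writable (run this on the private server as root).
ssh_keys_ready() {
  dir="$1"; keys="$dir/authorized_keys"
  [ -d "$dir" ] || { echo "missing $dir" >&2; return 1; }
  [ -f "$keys" ] || { echo "missing $keys" >&2; return 1; }
  for p in "$dir" "$keys"; do
    if _writable_by_others "$p"; then
      echo "$p is group/world writable; run: chmod go-w $p" >&2
      return 1
    fi
  done
  return 0
}

# authorized_keys_line PUBKEY FROM: a restricted line for the private server's
# /root/.ssh/authorized_keys. The hook script only needs scp and a few ssh
# commands, so the key is limited to logins from the main SME's LAN address and
# gets no port, agent or X11 forwarding. A passphrase-less root key with no
# restrictions would otherwise be a full root login from anywhere.
authorized_keys_line() {
  printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$2" "$1"
}

# ssh_batch_check TARGET: the live test. BatchMode=yes makes ssh fail instead of
# prompting, so a non-zero exit means key login is NOT working yet.
ssh_batch_check() {
  ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 "$1" true
}

# On the main SME (not run here). The CentOS 6 base of SME 9 ships OpenSSH 5.3,
# which predates ed25519 keys, hence rsa:
#   ssh-keygen -t rsa -b 4096 -N '' -f /root/.ssh/id_rsa
#   authorized_keys_line "$(cat /root/.ssh/id_rsa.pub)" 10.97.1.1 \
#     | ssh root@internal-server.domain.com 'umask 077; mkdir -p /root/.ssh; cat >> /root/.ssh/authorized_keys'
#   ssh_batch_check root@internal-server.domain.com && echo "key login OK"
```

The one-time copy above still asks for root's password (that is the bootstrap); once `ssh_batch_check` returns 0 the hook script can scp certificates and run its `db configuration setprop` commands unattended.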
-
Please excuse my Google French
Stick with the wiki, it's all there -
First of all a short paragraph -
https://wiki.contribs.org/SME_Server:Documentation:User_Manual:Chapter1#Shell_Access
and where it all comes together; read, reread, and when you think you've reread it all straight through, make your own cheat sheet with notes, document your steps as you do things, it makes for excellent fault-finding later, all of it helps -
https://wiki.contribs.org/SSH_Public-Private_Keys#Using_public_keys_for_SSH_authentication
External references are good for getting an overall understanding, but the wiki is specific to the Koozali SME server.
I recommend you do NOT do this on a prod box first without having experience; much better to set up a virtual machine, take snapshots and break the shite out of it, blow it up, throw it away, it's an excellent blackboard :-)
-
Thanks for the info.
It would have helped me a lot, I struggled a bit
I set up passwordless ssh between my 2 servers with root.
I configured it following
Obtaining certificates for a private KOOZALI SME Server
Obtaining certificates for a private SME Server
For now, when I'm in firefox on the private server it's orange, whereas with the SME server-and-gateway it's green.
So I think what I did isn't working.
For passwordless ssh no problem. Tested, it works.
How can I see where the problem is?
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=2
configure=all
email=admin@domain.com
hookScript=enabled
host=toto.domain.com
path=/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
status=enabled
user=root
# config show modSSL
modSSL=service
CertificateChainFile=/etc/dehydrated/certs/domain.com/chain.pem
TCPPort=443
access=public
crt=/etc/dehydrated/certs/domain.com/cert.pem
key=/etc/dehydrated/certs/domain.com/privkey.pem
status=enabled
Why is it still amber in firefox for the internal server?
Where should I look?
Anne
-
continued
I'm back in test mode
# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Processing domain.com with alternative names: domain.com ftp.domain.com mail.domain.com nuts.domain.com pc-00105.domain.com proxy.domain.com tux.domain.com wpad.domain.com www.domain.com www2.domain.com
+ Checking domain name(s) of existing cert... changed!
+ Domain name(s) are not matching!
+ Names in old certificate: domain.com mail.domain.com www2.domain.com www.domain.com
+ Configured names: ftp.domain.com domain.com mail.domain.com nuts.domain.com pc-00105.domain.com proxy.domain.com tux.domain.com wpad.domain.com www2.domain.com www.domain.com
+ Forcing renew.
+ Checking expire date of existing cert...
+ Valid till Jun 5 18:04:16 2020 GMT (Longer than 30 days). Ignoring because renew was forced!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 10 authorizations URLs from the CA
+ Handling authorization for domain.com
+ Found valid authorization for domain.com
+ Handling authorization for mail.domain.com
+ Found valid authorization for mail.domain.com
+ Handling authorization for www.domain.com
+ Found valid authorization for www.domain.com
+ Handling authorization for www2.domain.com
+ Found valid authorization for www2.domain.com
+ Handling authorization for ftp.domain.com
+ Handling authorization for nuts.domain.com
+ Handling authorization for pc-00105.domain.com
+ Handling authorization for proxy.domain.com
+ Handling authorization for tux.domain.com
+ Handling authorization for wpad.domain.com
+ 6 pending challenge(s)
+ Deploying challenge tokens...
scp: /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/g18Dd0YGY4bvUegdk3v5c8IVz505v4nmwWUqY0kCWTQ: No such file or directory
Failed to deploy challenge !
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=2
configure=all
email=admin@domain.com
hookScript=enabled
host=10.97.1.80
path=/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
status=test
user=root
In host, what should I put?
the address of the private server?
I tried toto.domain.com, the IP address
I also tried putting 10.97.1.1, the gateway for 10.97.1.80, that doesn't work either
Anne
-
I have had a look at the code (which you should REALLY do yourself). It is so long ago I have forgotten what was in there, and not even sure if I wrote this section.
I *think* there may be a bug in the section:
Obtaining certificates for a private SME Server
The wiki says:
"However, if your SME Server is not accessible from the Internet, the smeserver-letsencrypt contrib provides a method that can be used to validate domain control."
But it also says:
"The hostname of your internal SME Server (example: internal.mydomain.tld) resolves, on the public Internet, to a valid IP address"
When I look at the hook script template here:
/etc/e-smith/templates/usr/bin/hook-script.sh/20challenges
It is clear that this code expects that the internal server can be reached from the internet.
$OUT .= " HOST=\"$host\" # FQDN or IP of public-facing server\n";
I *think* this was written for where the server/gateway machine did not host any public web services and forwarded them to an internal server but I need to have a look.
=============================
Anyway. You can try this. I have NOT tested it so YMMV. Please check carefully and test properly.
Disable the hookscript key.
hookScript disabled
In the following change domain.com to yourdomain.com
Make a dir on your private server:
mkdir /etc/dehydrated/certs/domain.com
Create a template like this (this may not be exact - you will need to test and amend:)
nano /etc/e-smith/templates-custom/usr/bin/hook-script.sh/21challenges
Change internal-server.domain.com to your INTERNAL host name.
{
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' ) || 'disabled';
if ( $letsencryptStatus ne 'disabled' ) {
$OUT .=<<'_EOF';
if [ $1 = "deploy_cert" ] && [ $2 = "internal-server.domain.com" ]; then
KEY=$3
CERT=$4
CHAIN=$6
scp $CERT root@hostname:/etc/dehydrated/certs/domain.com/cert.pem
scp $KEY root@hostname:/etc/dehydrated/certs/domain.com/privkey.pem
scp $CHAIN root@hostname:/etc/dehydrated/certs/domain.com/chain.pem
ssh root@internal-server.domain.com "/sbin/e-smith/db configuration setprop modSSL crt /etc/dehydrated/certs/domain.com/cert.pem"
ssh root@internal-server.domain.com "/sbin/e-smith/db configuration setprop modSSL key /etc/dehydrated/certs/domain.com/privkey.pem"
ssh root@internal-server.domain.com "/sbin/e-smith/db configuration setprop modSSL CertificateChainFile /etc/dehydrated/certs/domain.com/chain.pem"
ssh root@internal-server.domain.com "/sbin/e-smith/signal-event ssl-update"
echo "$2 certificate renewed" | mail -s "Certificate renewal" admin@domain.com
exit 0
fi
_EOF
}
}
Regenerate the configs
signal-event console-save
Check /var/log/messages for errors.
Check the hook-script.sh - you should see the extra deploy code.
cat /usr/bin/hook-script.sh
Check with a browser.
-
I'll look at all this tonight.
Haven't had time to look yet, but it will come...
I have just realised that all my ibays are green in Firefox except the Primary ibay, which is still amber.
(on my main SME server: server and gateway)
Strange
Primary
# ls -al
total 32
drwxr-xr-x 6 root root 4096 13 mars 2015 .
drwxr-xr-x 26 root root 4096 6 janv. 23:07 ..
drwxr-s--- 2 admin shared 4096 13 mars 2015 .AppleDesktop
drwxr-s--- 2 admin shared 4096 1 mars 2015 cgi-bin
drwxr-s--- 35 admin shared 12288 22 févr. 12:29 files
Normal or not?
I know why Primary is amber.
There is Flash on it and it is flagged as insecure.
I have just renamed index.html.
I put in the mini page that appears when an ibay is created, which I named index.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD><TITLE>Under construction</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF"><H1>This web site is under construction</H1></BODY>
</HTML>
and now Primary is green.
This problem is solved.
Anne
-
Hello,
I wonder whether the solution would be to also install letsencrypt on my private server?
Can one really have letsencrypt on the main server (server and gateway) and also on the private server on the local network, with the same certificate?
Anne
-
Again, if you read and understood what you are trying to do you would understand that you can install it there if you desperately want to, but it will be of absolutely no use because the letsencrypt servers cannot reach it to resolve and confirm the host because it is private.
So your only option is to obtain the certificate for the private server by lying to letsencrypt, making a certificate on the public server, and copying it to the private server.
That's it. First make sure your public server gets its certs properly.
Then copy them over and set modSSL, and then automate it with the script. Simple.
-
mkdir /etc/dehydrated/certs/domain.com
domain.com?
I have domain.com on my main server and nuts.domain.com on my internal server
I created the script on the main server: /etc/e-smith/templates-custom/usr/bin/hook-script.sh/21challenges
Regenerate the configs
??? meaning what?
I don't know how to do that any more :(
Found: expand-template /usr/bin/hook-script.sh
Well, I tried, but got an error
dehydrated -c --force
# INFO: Using main config file /etc/dehydrated/config
Processing domain.com with alternative names: domain.com ftp.domain.com mail.domain.com nuts.domain.com pc-00105.domain.com proxy.domain.com tux.domain.com wpad.domain.com www.domain.com www2.domain.com
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Jun 10 21:23:51 2020 GMT (Longer than 30 days). Ignoring because renew was forced!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 10 authorizations URLs from the CA
+ Handling authorization for ftp.domain.com
+ Handling authorization for domain.com
+ Handling authorization for mail.domain.com
+ Handling authorization for nuts.domain.com
+ Handling authorization for pc-00105.domain.com
+ Handling authorization for proxy.domain.com
+ Handling authorization for tux.domain.com
+ Handling authorization for wpad.domain.com
+ Handling authorization for www.domain.com
+ Handling authorization for www2.domain.com
+ 10 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for ftp.domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for mail.domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for nuts.domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for pc-00105.domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for proxy.domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for tux.domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for wpad.domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for www.domain.com authorization...
+ Challenge is valid!
+ Responding to challenge for www2.domain.com authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
ssh: Could not resolve hostname hostname: Name or service not known
lost connection
ssh: Could not resolve hostname hostname: Name or service not known
lost connection
ssh: Could not resolve hostname hostname: Name or service not known
lost connection
There is nothing in # ls -al /etc/dehydrated/certs/domain.com/
{
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' ) || 'disabled';
if ( $letsencryptStatus ne 'disabled' ) {
$OUT .=<<'_EOF';
if [ $1 = "deploy_cert" ] && [ $2 = "internal-server.domain.com" ]; then
KEY=$3
CERT=$4
CHAIN=$6
scp $CERT root@hostname:/etc/dehydrated/certs/domain.com/cert.pem
scp $KEY root@hostname:/etc/dehydrated/certs/domain.com/privkey.pem
scp $CHAIN root@hostname:/etc/dehydrated/certs/domain.com/chain.pem
ssh root@internal-server.domain.com "/sbin/e-smith/db configuration setprop modSSL crt /etc/dehydrated/certs/domain.com/cert.pem"
ssh root@internal-server.domain.com "/sbin/e-smith/db configuration setprop modSSL key /etc/dehydrated/certs/domain.com/privkey.pem"
ssh root@internal-server.domain.com "/sbin/e-smith/db configuration setprop modSSL CertificateChainFile /etc/dehydrated/certs/domain.com/chain.pem"
ssh root@internal-server.domain.com "/sbin/e-smith/signal-event ssl-update"
echo "$2 certificate renewed" | mail -s "Certificate renewal" admin@domain.com
exit 0
fi
_EOF
}
}
After expand-template /usr/bin/hook-script.sh
#!/bin/bash
# deploy_cert hook will set config database entries for the cert files
# and restart appropriate services
#
if [ $1 = "deploy_cert" ]; then
KEY=$3
CERT=$4
CHAIN=$6
echo "Set up modSSL db keys"
/sbin/e-smith/db configuration setprop modSSL key $KEY
/sbin/e-smith/db configuration setprop modSSL crt $CERT
/sbin/e-smith/db configuration setprop modSSL CertificateChainFile $CHAIN
echo "Signal events"
/sbin/e-smith/signal-event ssl-update
echo "All complete"
fi
# The following all have to be set to enable deploy/clean challenges
#
# hookScript: disabled
# host: 10.97.1.1
# user: root
# path: /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
if [ $1 = "deploy_cert" ] && [ $2 = "domain.com" ]; then
KEY=$3
CERT=$4
CHAIN=$6
scp $CERT root@hostname:/etc/dehydrated/certs/domain.com/cert.pem
scp $KEY root@hostname:/etc/dehydrated/certs/domain.com/privkey.pem
scp $CHAIN root@hostname:/etc/dehydrated/certs/domain.com/chain.pem
ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL crt /etc/dehydrated/certs/domain.com/cert.pem"
ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL key /etc/dehydrated/certs/domain.com/privkey.pem"
ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL CertificateChainFile /etc/dehydrated/certs/domain.com/chain.pem"
ssh root@nuts.domain.com "/sbin/e-smith/signal-event ssl-update"
echo "$2 certificate renewed" | mail -s "Certificate renewal" admin@domain.com
exit 0
fi
The following commands worked fine:
ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL crt /etc/dehydrated/certs/domain.com/cert.pem"
ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL key /etc/dehydrated/certs/domain.com/privkey.pem"
ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL CertificateChainFile /etc/dehydrated/certs/domain.com/chain.pem"
ssh root@nuts.domain.com "/sbin/e-smith/signal-event ssl-update"
On nuts:
# config show modSSL
modSSL=service
CertificateChainFile=/etc/dehydrated/certs/domain.com/chain.pem
TCPPort=443
access=public
crt=/etc/dehydrated/certs/domain.com/cert.pem
key=/etc/dehydrated/certs/domain.com/privkey.pem
status=enabled
On the other hand, lots of errors because of the following commands, which did not work
On the other hand, the following commands did nothing at all:
KEY=$3
CERT=$4
CHAIN=$6
scp $CERT root@hostname:/etc/dehydrated/certs/domain.com/cert.pem
scp $KEY root@hostname:/etc/dehydrated/certs/domain.com/privkey.pem
scp $CHAIN root@hostname:/etc/dehydrated/certs/domain.com/chain.pem
The destination is missing
and the files cert.pem, privkey.pem and chain.pem are links
Anne
-
Operation successful
On the private server, a directory has to be created to receive the certificates.
mkdir -p /etc/dehydrated/certs/domain.com
On the server that acts as both server and gateway:
create a custom template
mkdir -p /etc/e-smith/templates-custom/usr/bin/hook-script.sh/
nano /etc/e-smith/templates-custom/usr/bin/hook-script.sh/21challenges
{
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' ) || 'disabled';
if ( $letsencryptStatus ne 'disabled' ) {
$OUT .=<<'_EOF';
if [ $1 = "deploy_cert" ] && [ $2 = "domain.com" ]; then
KEY=$3
CERT=$4
CHAIN=$6
scp $CERT root@domain.com:/etc/dehydrated/certs/domain.com/cert.pem root@nuts.domain.com:/etc/dehydrated/certs/domain.com/
scp $KEY root@domain.com:/etc/dehydrated/certs/domain.com/privkey.pem root@nuts.domain.com:/etc/dehydrated/certs/domain.com/
scp $CHAIN root@domain.com:/etc/dehydrated/certs/domain.com/chain.pem root@nuts.domain.com:/etc/dehydrated/certs/domain.com/
ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL crt /etc/dehydrated/certs/domain.com/cert.pem"
ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL key /etc/dehydrated/certs/domain.com/privkey.pem"
ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL CertificateChainFile /etc/dehydrated/certs/domain.com/chain.pem"
ssh root@nuts.domain.com "/sbin/e-smith/signal-event ssl-update"
echo "$2 certificate renewed" | mail -s "Certificate renewal" admin@domain.com
exit 0
fi
_EOF
}
}
then run expand-template
# expand-template /usr/bin/hook-script.sh
# nano /usr/bin/hook-script.sh
#!/bin/bash
# deploy_cert hook will set config database entries for the cert files
# and restart appropriate services
#
if [ $1 = "deploy_cert" ]; then
KEY=$3
CERT=$4
CHAIN=$6
echo "Set up modSSL db keys"
/sbin/e-smith/db configuration setprop modSSL key $KEY
/sbin/e-smith/db configuration setprop modSSL crt $CERT
/sbin/e-smith/db configuration setprop modSSL CertificateChainFile $CHAIN
echo "Signal events"
/sbin/e-smith/signal-event ssl-update
echo "All complete"
fi
# The following all have to be set to enable deploy/clean challenges
#
# hookScript: disabled
# host: 10.97.1.1
# user: root
# path: /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
if [ $1 = "deploy_cert" ] && [ $2 = "domain.com" ]; then
KEY=$3
CERT=$4
CHAIN=$6
scp $CERT root@domain.com:/etc/dehydrated/certs/domain.com/cert.pem root@nuts.domain.com:/etc/dehydrated/certs/domain.com/
scp $KEY root@domain.com:/etc/dehydrated/certs/domain.com/privkey.pem root@nuts.domain.com:/etc/dehydrated/certs/domain.com/
scp $CHAIN root@domain.com:/etc/dehydrated/certs/domain.com/chain.pem root@nuts.domain.com:/etc/dehydrated/certs/domain.com/
ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL crt /etc/dehydrated/certs/domain.com/cert.pem"
ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL key /etc/dehydrated/certs/domain.com/privkey.pem"
ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL CertificateChainFile /etc/dehydrated/certs/domain.com/chain.pem"
ssh root@nuts.domain.com "/sbin/e-smith/signal-event ssl-update"
echo "$2 certificate renewed" | mail -s "Certificate renewal" admin@domain.com
exit 0
fi
then regenerate the configs
signal-event console-save
If I have forgotten something, I will add it.
I have questions about the bash script /usr/bin/hook-script.sh:
What is the command to run so that the modifications are taken into account?
dehydrated -c ?
I had a small problem with
# dehydrated -c --force
# INFO: Using main config file /etc/dehydrated/config
Processing domain.com with alternative names: domain.com ftp.domain.com mail.domain.com nuts.domain.com pc-00105.domain.com proxy.domain.com tux.domain.com wpad.domain.com www.domain.com www2.domain.com
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Jun 11 00:20:52 2020 GMT (Longer than 30 days). Ignoring because renew was forced!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 429)
Details:
HTTP/1.1 100 Continue
HTTP/1.1 429 Too Many Requests
Server: nginx
Date: Fri, 13 Mar 2020 01:28:43 GMT
Content-Type: application/problem+json
Content-Length: 421
Connection: keep-alive
Boulder-Requester: 78372275
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002xwxjHl-tBHfWqhq9r4Xqa0F-SBVuNxYk4rVyXB1exh8
{
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many certificates already issued for exact set of domains: ftp.domain.com,domain.com,mail.domain.com,nuts.domain.com,pc-00105.domain.com,proxy.domain.com,tux.domain.com,wpad.domain.com,www.domain.com,www2.domain.com: see https://letsencrypt.org/docs/rate-limits/",
"status": 429
}
It works anyway.
Anne
-
"detail": "Error creating new order :: too many certificates already issued for exact set of domains: ftp.domain.com,domain.com,mail.domain.com,nuts.domain.com,pc-00105.domain.com,proxy.domain.com,tux.domain.com,wpad.domain.com,www.domain.com,www2.domain.com: see https://letsencrypt.org/docs/rate-limits/",
"status": 429
1. Too many requests
2. Why pc-00105 ? Does that really resolve on the internet?
Dehydrated commands
Read the manual:
https://github.com/dehydrated-io/dehydrated/blob/master/README.md
You should be in test mode until the certificates work correctly.
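An added example, not code from the thread or from the smeserver-letsencrypt contrib, that checks how many days a certificate has left before anyone reaches for `dehydrated -c --force`: the 429 rateLimited error above comes from forcing re-issuance of the same set of names repeatedly while dehydrated had already reported "Longer than 30 days". It assumes GNU date (`-d`) and openssl on the gateway.

```shell
#!/bin/bash
# Added example, not part of the thread or the smeserver-letsencrypt contrib.
# Decides whether a certificate actually needs renewing, so "--force" is not
# run against the production CA when nothing is due. Assumes GNU date (-d).

RENEW_DAYS=30   # Let's Encrypt recommends renewing with a third of the lifetime left

# days_left NOW_STR NOTAFTER_STR -> prints whole days between the two dates.
# Both strings use the "Jun 11 00:20:52 2020 GMT" form that
# "openssl x509 -enddate" and dehydrated print.
days_left() {
    now=$(date -u -d "$1" +%s) || return 2
    end=$(date -u -d "$2" +%s) || return 2
    echo $(( (end - now) / 86400 ))
}

# needs_renewal NOW_STR NOTAFTER_STR -> status 0 if fewer than RENEW_DAYS remain
needs_renewal() {
    d=$(days_left "$1" "$2") || return 2
    [ "$d" -lt "$RENEW_DAYS" ]
}

# cert_notafter CERTFILE -> prints the notAfter date of a PEM certificate
cert_notafter() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# check_cert CERTFILE: report the remaining lifetime of, for example,
# /etc/dehydrated/certs/domain.com/cert.pem before any manual dehydrated run.
# Status 0 means a renewal is due, 1 means nothing to do.
check_cert() {
    end=$(cert_notafter "$1") || return 2
    now=$(date -u '+%b %d %H:%M:%S %Y GMT')
    d=$(days_left "$now" "$end")
    if needs_renewal "$now" "$end"; then
        echo "$1: $d days left, renewal due (run dehydrated -c, no --force needed)"
        return 0
    fi
    echo "$1: $d days left, nothing to do; forcing would count against the rate limit"
    return 1
}

if [ $# -eq 1 ]; then
    check_cert "$1"
fi
```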
-
Thanks to ReetP for all the leads he gave me.
Even though some things are obsolete, to find information in French I relied a lot on
https://dokuwiki.micronator-dev.org/doku.php
It is very detailed, with the complete commands (very useful when one has forgotten a lot)
As I still rely on
http://smeserver.fr/index.php
To check SSL
https://www.ssllabs.com/ssltest/index.html
This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet. Please note that the information you submit here is used only to provide you with the service. We do not use the domain names or the test results, and we never will.
For last night's tests, I mostly made too many attempts, even in test mode.
# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Processing domain.com with alternative names: domain.com ftp.domain.com mail.domain.com nuts.domain.com pc-00105.domain.com proxy.domain.com tux.domain.com wpad.domain.com www.domain.com www2.domain.com
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Jun 8 15:22:05 2020 GMT (Longer than 30 days). Skipping renew!
So I couldn't see what was happening...
So I ended up running several times:
dehydrated -c --force
That is, renewing the certificates
It didn't like the number of times I asked
I had to be quick... and not many people around to help me that night...
My private server's screen was filling up with messages saying it could not find anything in /etc/dehydrated/certs/domain.com
All that because the scp command in the custom template was wrong.
I knew nothing about ssh. I had never used it...
By rummaging around, I eventually found the problem and repaired the script.
All that because modSSL absolutely wanted to find the certificates that had not been transferred.
# config show modSSL
modSSL=service
CertificateChainFile=/etc/dehydrated/certs/domain.com/chain.pem
TCPPort=443
access=public
crt=/etc/dehydrated/certs/domain.com/cert.pem
key=/etc/dehydrated/certs/domain.com/privkey.pem
status=enabled
I was in the most complete mess... I couldn't remove the 3 lines from the modSSL service
- CertificateChainFile=/etc/dehydrated/certs/domain.com/chain.pem
- crt=/etc/dehydrated/certs/domain.com/cert.pem
- key=/etc/dehydrated/certs/domain.com/privkey.pem
If someone can tell me how it's done, to modify a service...
Found, at least I think so... but no more reckless experiments :lol:
I did too many last night!
To restore the original certificates:
config delprop modSSL CertificateChainFile
config delprop modSSL crt
config delprop modSSL key
signal-event console-save
How can I test /usr/bin/hook-script.sh without launching dehydrated?
Anne
-
For modSSL use
/sbin/e-smith/signal-event ssl-update
How can I test /usr/bin/hook-script.sh without launching dehydrated?
Copy the basic commands to a bash script and run the bash script....
eg make a file test.sh copy the code to it, make it executable and run it
#!/bin/sh
#KEY=$3
#CERT=$4
#CHAIN=$6
KEY=/etc/dehydrated/certs/mydomain.com/key.pem
CERT=/etc/dehydrated/certs/mydomain.com/cert.pem
CHAIN=/etc/dehydrated/certs/mydomain.com/fullchain.pem
scp -P 2224 $CERT root@1.2.3.4:/etc/gitlab/trusted-certs/cert.pem
scp -P 2224 $KEY root@1.2.3.4:/etc/gitlab/trusted-certs/privkey.pem
scp -P 2224 $CHAIN root@1.2.3.4:/etc/gitlab/trusted-certs/chain.pem
ssh -p 2224 root@1.2.3.4 "/etc/init.d/apache2 restart"
ssh -p 2224 root@1.2.3.4 "/usr/bin/gitlab-ctl reconfigure"
ssh -p 2224 root@1.2.3.4 "/usr/bin/gitlab-ctl restart"
Or it could be something like:
ssh -p 2224 root@1.2.3.4 "/sbin/e-smith/db configuration setprop modSSL key $KEY"
ssh -p 2224 root@1.2.3.4 "/sbin/e-smith/signal-event ssl-update"
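An added example, not code from the thread or from the smeserver-letsencrypt contrib, that puts ReetP's deploy_cert approach and his "copy it to a plain script and run it" advice together: a hook with a DRY_RUN switch (`DRY_RUN=1 ./hook-script.sh deploy_cert domain.com key cert fullchain chain` prints the commands without touching the internal host) plus the checks whose absence cost the thread a night, namely a target that is still a placeholder and source files that cannot be read. INTERNAL_HOST, PUBLIC_DOMAIN and SSH_PORT are assumed values.

```shell
#!/bin/bash
# Added example, not the contrib's own /usr/bin/hook-script.sh and not code from
# the thread. A deploy_cert hook that pushes the certificate issued on the
# gateway to an internal SME Server, with a real-target check, readable-file
# check, failures reported instead of ignored, and a dry-run switch.
# Hypothetical values: INTERNAL_HOST, SSH_PORT and the cert name PUBLIC_DOMAIN.
INTERNAL_HOST="${INTERNAL_HOST:-nuts.domain.com}"   # internal server (assumed)
PUBLIC_DOMAIN="${PUBLIC_DOMAIN:-domain.com}"        # name of the cert dehydrated issues
REMOTE_DIR="/etc/dehydrated/certs/${PUBLIC_DOMAIN}" # must already exist on the internal host
SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-0}"                             # 1 = print the commands only

# BatchMode makes ssh/scp fail instead of hanging on a password prompt, so a
# cron-driven renewal never stalls: key-based root login must already work.
SSH_OPTS="-o BatchMode=yes"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Each dehydrated file is a symlink to the dated file; -r follows the link.
check_cert_files() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "hook: cannot read $f" >&2; return 1; }
    done
}

# Refuse unedited placeholders: "root@hostname" is exactly what broke the
# first version of the template in this thread.
check_target() {
    case "$1" in
        ""|hostname|internal-server.domain.com)
            echo "hook: INTERNAL_HOST is still a placeholder ('$1')" >&2
            return 1 ;;
    esac
}

# deploy_internal DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE [TIMESTAMP]
# (the argument order dehydrated uses for deploy_cert)
deploy_internal() {
    domain=$1; key=$2; cert=$3; chain=$5
    [ "$domain" = "$PUBLIC_DOMAIN" ] || return 0     # another cert: nothing to do
    check_target "$INTERNAL_HOST" || return 1
    check_cert_files "$key" "$cert" "$chain" || return 1
    dest="root@${INTERNAL_HOST}"
    run scp $SSH_OPTS -P "$SSH_PORT" "$cert"  "${dest}:${REMOTE_DIR}/cert.pem"    || return 1
    run scp $SSH_OPTS -P "$SSH_PORT" "$key"   "${dest}:${REMOTE_DIR}/privkey.pem" || return 1
    run scp $SSH_OPTS -P "$SSH_PORT" "$chain" "${dest}:${REMOTE_DIR}/chain.pem"   || return 1
    # Point modSSL at the copies and reload services, as the thread's template does.
    run ssh $SSH_OPTS -p "$SSH_PORT" "$dest" \
        "/sbin/e-smith/db configuration setprop modSSL crt ${REMOTE_DIR}/cert.pem && \
         /sbin/e-smith/db configuration setprop modSSL key ${REMOTE_DIR}/privkey.pem && \
         /sbin/e-smith/db configuration setprop modSSL CertificateChainFile ${REMOTE_DIR}/chain.pem && \
         /sbin/e-smith/signal-event ssl-update" || return 1
    echo "$domain certificate deployed to $INTERNAL_HOST"
}

# dehydrated invokes the hook as: hook-script.sh HOOK_NAME ARGS...
# Hook names this script does not handle must succeed silently.
hook_main() {
    case "${1:-}" in
        deploy_cert) shift; deploy_internal "$@" ;;
        *) return 0 ;;
    esac
}

hook_main "$@"
```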
-
Hello,
I have just received an email about renewing my certificate.
Let's Encrypt certificate expiration notice for domain "domain.com" (and 3 more)
Hello,
Your certificate (or certificates) for the names listed below will expire in 10 days (on 17 May 20 11:51 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.
We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.
domain.com
mail.domain.com
www.domain.com
www2.domain.com
For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.
For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.
Regards,
The Let's Encrypt Team
I read the documentation at
https://wiki.contribs.org/Letsencrypt/fr
=> If this command succeeded, congratulations! You have obtained a valid, trusted TLS certificate, which will renew itself automatically in perpetuity.
or
https://wiki.contribs.org/Letsencrypt
=> If this command succeeded, congratulations! You've successfully obtained a valid, trusted TLS certificate, which will automatically renew itself in perpetuity.
Is it automatic or not?
Do I have something to do?
Thanks
Anne
(Thanks to Gieres for all the translations)
-
Did you read the links?????
I don't think so. PLEASE read this stuff.
https://letsencrypt.org/docs/expiration-emails
-
I forgot to give the answer.
It worked fine.
The certificate was renewed automatically.
Anne