Koozali.org: home of the SME Server

Thoughts on letsencrypt.com?

guest22

Re: Thoughts on letsencrypt.com?
« Reply #30 on: December 05, 2015, 06:44:27 AM »
After installing Python2.7 and pip for instructions at http://wiki.contribs.org/Python_Altinstall

The recommended way to install a different version of Python is via Software collections.

Please see http://wiki.contribs.org/Software_Collections and the python related wiki page specifically.

Offline KevinG

Re: Thoughts on letsencrypt.com?
« Reply #31 on: December 05, 2015, 09:29:28 AM »
The good news is that everything is now working.

However it feels like a bit of a fudge, and I'm not totally sure what has been done.

I will write up everything I have done in a couple of hours, after I have caught up with the work that has been neglected in the last couple of days.

In the meantime:

The problem seems to have been a missing certificate chain file.

A test at https://whatsmychaincert.com gave an option to create the correct file, copying this to the server as chain.crt and then

config setprop modSSL CertificateChainFile /etc/letsencrypt/live/mydomain/chain.crt
signal-event post-upgrade; signal-event reboot

seems to have everything working across all browsers (all tested so far anyway!)

Thanks again everyone.

Offline KevinG

Re: Thoughts on letsencrypt.com?
« Reply #32 on: December 05, 2015, 01:09:09 PM »
UPDATE

Not sure why I failed to try this earlier.  You do not need to get a certificate from whatsmychaincert.com

Just add

config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.mydomain.co.uk/fullchain.pem

Now it can all be updated by a cron job running letsencrypt every once in a while.
It also works for multiple domains with extra -d options in Let's Encrypt.

Offline KevinG

Re: Thoughts on letsencrypt.com?
« Reply #33 on: December 05, 2015, 01:24:18 PM »
FULL WORKING SOLUTION

NB Let's Encrypt is a public beta so things might change

Prerequisite: You will need Python 2.7 and pip

I followed the instructions at http://wiki.contribs.org/Python_Altinstall
but I am told I should have followed the instructions at http://wiki.contribs.org/Software_Collections and the python related wiki page specifically.

Let's Encrypt needs virtualenv so:

pip install virtualenv

To use Let's Encrypt run:

mkdir src
cd src
git clone https://github.com/letsencrypt/letsencrypt.git
cd letsencrypt
service httpd-e-smith stop
./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk

Replacing email and domains as required.  Then configure SME with the certificates generated:

config setprop modSSL crt /etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem
config setprop modSSL key /etc/letsencrypt/live/test.firstdomain.co.uk/privkey.pem
config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem
signal-event post-upgrade; signal-event reboot

There was a suggestion earlier in the forum thread that these certificates should be copied to a different location, but I used the default letsencrypt locations as above.

You can test your setup at https://whatsmychaincert.com

Thanks again to everyone on the forum for all the help.  I could not have done it without you guys.

Kevin

Offline stephdl

Re: Thoughts on letsencrypt.com?
« Reply #34 on: December 06, 2015, 01:14:30 PM »
@KevinG you should start to write a wiki page with the solution of the software collection...or at least with Python_Altinstall...thanks in advance
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline DanB35

Re: Thoughts on letsencrypt.com?
« Reply #35 on: December 06, 2015, 01:24:37 PM »
Agreed on the wiki page.

I'm having trouble with the python27 repo, though--has something changed?
[root@sme-test ~]# yum list available \* --disablerepo=* --enablerepo=scl-python27
Loaded plugins: fastestmirror, smeserver
Loading mirror speeds from cached hostfile
https://www.softwarecollections.org/repos/rhscl/python27/epel-6-x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 404 Not Found"
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: scl-python27. Please verify its path and try again
[root@sme-test ~]# db yum_repositories show scl-python27
scl-python27=repository
    BaseURL=https://www.softwarecollections.org/repos/rhscl/python27/epel-6-x86_64/
    EnableGroups=no
    Name=Software collections - python27
    Visible=yes
    status=disabled
[root@sme-test ~]#

Offline KevinG

Re: Thoughts on letsencrypt.com?
« Reply #36 on: December 06, 2015, 02:22:43 PM »
Stephdl: No worries on the Wiki.  Assuming it is reasonably straightforward.

Perhaps DanB35 can add something re software collections once he has a handle on it?

Kevin


guest22

Re: Thoughts on letsencrypt.com?
« Reply #37 on: December 06, 2015, 02:31:40 PM »
I already made a placeholder wiki page: letsencrypt

Offline flep

Re: Thoughts on letsencrypt.com?
« Reply #38 on: December 06, 2015, 05:41:29 PM »
I populated the wiki placeholder with parts of this thread.

In the installation section I add:

add the 2.7 scl-repository by following: http://wiki.contribs.org/Scl#tab=Python27
Then: yum install python27 --enablerepo=scl-python27
at this time: scl enable python27 bash

And a simple way to renew:

#!/bin/bash
# Make the python27 software collection active for this script
source /opt/rh/python27/enable
export X_SCLS="`scl enable python27 'echo $X_SCLS'`"
# The standalone authenticator needs the web ports, so stop httpd first
service httpd-e-smith stop
cd /src/letsencrypt
./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk --renew-by-default
# Bring httpd back up once the certificates have been written
service httpd-e-smith start

guest22

Re: Thoughts on letsencrypt.com?
« Reply #39 on: December 06, 2015, 06:09:41 PM »
Thanks flep.

@others, please provide your feedback (Success, failure and errors)

Offline DanB35

Re: Thoughts on letsencrypt.com?
« Reply #40 on: December 08, 2015, 04:21:42 PM »
Following the procedure now in the wiki (I made a few edits), it worked perfectly for me.  ssllabs.com test shows the new cert and chain, and rates my server as A-.  The renewal script also runs without issues, and without requiring any input.

Edit: The letsencrypt client docs say that the EPEL repository must be enabled for CentOS 6.  I did not find this to be the case.  Although I have that repo installed on my server, it is disabled, and I did not enable it when I ran letsencrypt-auto.

So the next matter is setting up the automatic renewal.  RequestedDeletion linked to the cron manager contrib, which I wasn't aware of, and which would make editing cron jobs a bit easier, but I don't see any way with that to set a job to run every other month, which would be plenty frequent for certificate renewal.  I'd think the cron entry for root should look something like

48 22 3 */2 * /opt/letsencrypt-renew.sh

where letsencrypt-renew.sh is the script that flep posted.  This is set to run at 22:48 on the third of every other month (Feb, Apr, Jun, etc.), which will renew the cert well before it expires in 90 days.  I've chosen that time of day because my daily backup runs at 23:00, so this would make sure the new cert is in that day's backup rather than waiting until the next day's; you'd obviously want to adjust as appropriate for your installation.  The third is a randomly-chosen date.
« Last Edit: December 08, 2015, 04:29:14 PM by DanB35 »

Offline DanB35

Re: Thoughts on letsencrypt.com?
« Reply #41 on: December 08, 2015, 04:25:12 PM »
...although as I think about it for another minute or two, it seems the renewal script should have a signal-event email-update in it too, to restart the email services that also use the SSL certificates.  Thoughts?

Offline Stefano

Re: Thoughts on letsencrypt.com?
« Reply #42 on: December 08, 2015, 05:10:51 PM »
and an ibay-modify event too, so that httpd is restarted as well.. IMO there's no event like email-update for http

Offline DanB35

Re: Thoughts on letsencrypt.com?
« Reply #43 on: December 08, 2015, 05:14:54 PM »
The signal-event command doesn't support multiple arguments, does it?  Like signal-event domain-modify ibay-modify email-update?

Offline Stefano

Re: Thoughts on letsencrypt.com?
« Reply #44 on: December 08, 2015, 05:21:55 PM »
The signal-event command doesn't support multiple arguments, does it?  Like signal-event domain-modify ibay-modify email-update?

no, each signal-event must be a single command.. (BTW, for example, ibay-modify can accept the ibay name as an argument)
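Putting flep's renewal script (Reply #38), DanB35's cron entry (Reply #40) and the signal-event points from Replies #41 to #44 together, here is an added example script that is not from the thread or the wiki. It assumes the checkout in /src/letsencrypt, the e-mail and domains used in the thread, and /etc/letsencrypt/live/test.firstdomain.co.uk as the directory modSSL points at; the --renew argument, the RUN dry-run variable and the mtime check are this example's own additions.

```shell
#!/bin/bash
# Added example (not the wiki's or flep's script): the renewal script above,
# folded together with the later suggestions in this thread: httpd is started
# again even when the client fails, and each signal-event is its own command.
# Assumed values: the checkout in /src/letsencrypt, the e-mail, the domains and
# the live/ directory modSSL was pointed at. Set RUN=echo for a dry run.
RUN="${RUN:-}"
LE_DIR="${LE_DIR:-/src/letsencrypt}"
EMAIL="${EMAIL:-me@mydomain.co.uk}"
DOMAINS="${DOMAINS:--d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk}"
LIVE="${LIVE:-/etc/letsencrypt/live/test.firstdomain.co.uk}"

# mtime of the certificate file modSSL reads; 0 when it does not exist yet
cert_mtime() { stat -c %Y "$1" 2>/dev/null || echo 0; }

# Stop httpd so the standalone authenticator can bind the web ports, run the
# client, then start httpd again whether or not the client succeeded.
renew_cert() {
  $RUN service httpd-e-smith stop || return 1
  rc=0
  $RUN "$LE_DIR/letsencrypt-auto" certonly --standalone \
      --email "$EMAIL" $DOMAINS --renew-by-default || rc=$?
  $RUN service httpd-e-smith start
  return $rc
}

# signal-event takes exactly one event per invocation, so each gets its own
# command: email-update for the mail services, ibay-modify to restart httpd.
apply_cert() {
  for ev in email-update ibay-modify; do
    $RUN signal-event "$ev" || return 1
  done
}

main() {
  before=$(cert_mtime "$LIVE/fullchain.pem")
  renew_cert || { echo "renewal failed; services not signalled" >&2; return 1; }
  if [ "$(cert_mtime "$LIVE/fullchain.pem")" = "$before" ]; then
    echo "certificate unchanged; nothing to signal" >&2
    return 0
  fi
  apply_cert
}

# cron entry, every other month as suggested above:
# 48 22 3 */2 * /opt/letsencrypt-renew.sh --renew
if [ "${1:-}" = "--renew" ]; then main; fi
```

Services are only signalled when fullchain.pem actually changed, so a run that renewed nothing leaves the mail and web services untouched, and a failed client run still leaves httpd running.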