Koozali.org: home of the SME Server

Thoughts on letsencrypt.com?

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: Thoughts on letsencrypt.com?
« Reply #225 on: September 09, 2016, 05:41:23 PM »
Yup.... we're slow on the uptake
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

guest22

Re: Thoughts on letsencrypt.com?
« Reply #226 on: September 10, 2016, 06:29:56 PM »

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: Thoughts on letsencrypt.com?
« Reply #227 on: September 10, 2016, 06:33:30 PM »
Well we got it working early enough :-)

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: Thoughts on letsencrypt.com?
« Reply #228 on: September 13, 2016, 11:16:30 PM »
The downside of big money...

https://github.com/lukas2511/dehydrated

Seems you can no longer call a script whatever you want.

Seems like you'll all have to avoid using feckbook.sh and microslop.pl etc now.

Sorry but this sucks.

I'll try and do a new rpm as soon as I can but it might take a few days. I'll need to think about what to call it......

B. Rgs
John

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: Thoughts on letsencrypt.com?
« Reply #229 on: September 14, 2016, 05:35:05 PM »
New RPM in my repo. Please see the wiki for notes on updating (saves me typing it twice !!)

https://wiki.contribs.org/Letsencrypt

Offline Jean-Philippe Pialasse

  • *
  • 2,747
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Thoughts on letsencrypt.com?
« Reply #230 on: October 13, 2016, 06:32:07 AM »
thanks John for your work,

I did some change to the update in order to save the previous registration token.

also is there a kind of pre script where we could put the curl https://acme-v01.api.letsencrypt.org/directory > /dev/null and curl http://cert.int-x3.letsencrypt.org/ > /dev/null?

at least we could put this before the cron ?

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: Thoughts on letsencrypt.com?
« Reply #231 on: October 13, 2016, 12:54:25 PM »
thanks John for your work,

I did some change to the update in order to save the previous registration token.

I left the originals there so when you update it should only change settings once it completes successfully.

Quote
also is there a kind of pre script where we could put the curl https://acme-v01.api.letsencrypt.org/directory > /dev/null and curl http://cert.int-x3.letsencrypt.org/ > /dev/null?

at least we could put this before the cron ?

I don't think so... the second url can vary (I have seen x1 sometimes)

I think there is a deeper issue that needs investigating but am on holiday til next week. I think there may be retry options on the script, though not sure if that is our issue.

I'll look when I get back.

B. Rgds
John

Offline DanB35

  • ****
  • 764
  • +0/-0
    • http://www.familybrown.org
Re: Thoughts on letsencrypt.com?
« Reply #232 on: October 13, 2016, 02:23:29 PM »
I don't think so... the second url can vary (I have seen x1 sometimes)
Currently it should always be X3; the X1 intermediate cert has been retired, AIUI.  But we will see different intermediate certs in the future, so we shouldn't hardcode URLs this way.  The ACME protocol will return the URL for the intermediate cert, and I believe that's how both certbot and dehydrated (and most of the other clients) construct the "chain" and "fullchain" files.
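The chain-building approach DanB35 describes, as an added illustration that is not dehydrated's or certbot's own code: the ACME v1 certificate response carries a `Link: <url>;rel="up"` header naming the issuer certificate, so the intermediate URL is read from that header rather than hard-coded. The response headers below are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of the headers an ACME v1 server returns with an issued
# certificate; the rel="up" Link is the issuer (intermediate) certificate URL.
SAMPLE_HEADERS='HTTP/1.1 201 Created
Content-Type: application/pkix-cert
Link: <https://acme-v01.api.letsencrypt.org/acme/issuer-cert>;rel="up"
Link: <https://acme-v01.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v01.api.letsencrypt.org/acme/cert/EXAMPLE'

# Read response headers on stdin and print the rel="up" URL.
# Exits non-zero when no such header is present, so callers cannot fall
# through to a guessed X1/X3 URL by accident.
issuer_url_from_headers() {
    sed -n 's/^[Ll]ink:[[:space:]]*<\([^>]*\)>;[[:space:]]*rel="up".*/\1/p' \
        | head -n 1 | grep .
}

# build_fullchain LEAF.pem HEADERS_FILE OUTDIR
# Fetches the advertised issuer cert (served as DER), converts it to PEM and
# writes chain.pem and fullchain.pem next to the leaf, as the clients do.
build_fullchain() {
    url=$(issuer_url_from_headers < "$2") || {
        echo "no rel=\"up\" Link header in response; refusing to guess" >&2
        return 1
    }
    curl -fsS --max-time 30 "$url" -o "$3/chain.der" || return 1
    openssl x509 -inform DER -in "$3/chain.der" -out "$3/chain.pem" || return 1
    cat "$1" "$3/chain.pem" > "$3/fullchain.pem"
}

# Stand-alone demonstration on the constructed headers.
printf '%s\n' "$SAMPLE_HEADERS" | issuer_url_from_headers
```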

Offline Jean-Philippe Pialasse

  • *
  • 2,747
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Thoughts on letsencrypt.com?
« Reply #233 on: October 15, 2016, 05:07:19 PM »
I left the originals there so when you update it should only change settings once it completes successfully.

if you don't renew the first one you will start receiving mails to say that your cert has not been renewed which could lead to some incomprehension, so even if it is manually, it is important I think to explain how to transfer their old data to the new path.

I don't think so... the second url can vary (I have seen x1 sometimes)
for the cron we could at least add in /etc/cron.daily/letsencrypt at the beginning

curl https://acme-v01.api.letsencrypt.org >/dev/null
curl http://cert.int-x1.letsencrypt.org/ > /dev/null
curl http://cert.int-x2.letsencrypt.org/ > /dev/null
curl http://cert.int-x3.letsencrypt.org/ > /dev/null

but I am almost certain this could be added in the hook script. Just need to test if they will be launched first.


I think there is a deeper issue that needs investigating but am on holiday til next week. I think there may be retry options on the script, though not sure if that is our issue.

agreed this would be only a workaround...
the problem might more be related to the environment variable when the script is run, as it was not able to trigger the dns service to resolve the domain, while it works when you do this as root yourself (curl ...)
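An added example (not part of the contrib or of dehydrated) of what the preflight at the top of /etc/cron.daily/letsencrypt could do instead of throwaway curl calls: set an explicit PATH because cron's environment is minimal, confirm from inside that environment that the ACME host actually resolves, retry with a delay, and log each failure so a renewal that silently never ran can be found in syslog. The hostnames are the ones discussed in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Cron runs with a near-empty environment; set PATH explicitly so getent,
# curl and logger are found regardless of how the job was started.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Log to syslog when logger exists, otherwise to stderr (cron mails it).
log() {
    logger -t letsencrypt-preflight "$*" 2>/dev/null \
        || echo "letsencrypt-preflight: $*" >&2
}

# resolve_with_retry HOST TRIES DELAY
# Returns 0 as soon as HOST resolves via the system resolver (same path the
# renewal script will use), 1 after TRIES failed attempts, DELAY seconds apart.
resolve_with_retry() {
    host=$1; tries=${2:-5}; delay=${3:-10}; n=0
    while [ "$n" -lt "$tries" ]; do
        if getent hosts "$host" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        log "DNS lookup of $host failed (attempt $n/$tries)"
        [ "$n" -lt "$tries" ] && sleep "$delay"
    done
    return 1
}

# reachable URL -> 0 if the endpoint answers at all (status code irrelevant here)
reachable() {
    curl -sS -o /dev/null --max-time 20 "$1"
}

# preflight -> 0 when the renewal has a working resolver and ACME endpoint;
# the cron job should stop here (with a logged reason) when this fails.
preflight() {
    resolve_with_retry acme-v01.api.letsencrypt.org 5 10 || {
        log "resolver not working from cron; renewal skipped"; return 1; }
    reachable "https://acme-v01.api.letsencrypt.org/directory" || {
        log "ACME directory unreachable; renewal skipped"; return 1; }
    return 0
}
```

In the cron job, `preflight || exit 1` would then precede the call to the renewal script.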


Offline holck

  • ****
  • 317
  • +1/-0
Re: Thoughts on letsencrypt.com?
« Reply #234 on: October 15, 2016, 11:00:25 PM »
On my server I host several domains, one of which (the primary) has a certificate from RapidSSL. Can I use the contrib to provide certificates for the other domains, while retaining the certificate for the primary domain?

Thanks, this certainly looks interesting
Jesper H

Offline DanB35

  • ****
  • 764
  • +0/-0
    • http://www.familybrown.org
Re: Thoughts on letsencrypt.com?
« Reply #235 on: October 15, 2016, 11:32:49 PM »
On my server I host several domains, one of which (the primary) has a certificate from RapidSSL. Can I use the contrib to provide certificates for the other domains, while retaining the certificate for the primary domain?
Not without some other fairly significant changes to SME.  It's designed to use a single certificate for all hostnames.  However, unless the RapidSSL cert is an EV cert, there's really no reason to keep it.

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: Thoughts on letsencrypt.com?
« Reply #236 on: October 16, 2016, 01:41:53 AM »
JPP,

Briefly (as I am still on hols)

Existing certs... I have only seen mails relating to test certs (not sure if this can be optionally disabled.... Letsencrypt decided to do this, not me or dehydrated)

If your originals are renewed correctly the old ones should become irrelevant surely ? If they are updated correctly by dehydrated the hook script (should) take care of paths.

Curl.... Hook script only works after the certs are generated, not before, so you'd either need a 'pre' hook or if you think ENV vars then something in cron or the script itself.

Either way it's a bodge and not an elegant 'SME' type solution. I'll look further next week and possibly speak to the developer.

Give me a few days.

B. Rgds
JC

PS might it be better to add this contrib to CVS so it can be bugged rather than discussed here on the forums (I tend to miss a lot here). It can always be obsoleted if it gets built in to SME ?