Koozali.org: home of the SME Server

FYI: letsencrypt

ElFroggio
FYI: letsencrypt
« on: March 25, 2017, 05:44:50 PM »
Just info, in case it happens to other people:

9.1 with a letsencrypt certificate. I use the dehydrated script. The script renews the certificate within 30 days of the expiry.

The problem is letsencrypt.org sending misleading notifications:

Code:
Hello,

Your certificate (or certificates) for the names listed below will expire in
1 days (on 26 Mar 17 16:31 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

Now my log of the dehydrated script says:

Code:
/etc/cron.daily/call-dehydrated:

# INFO: Using main config file /etc/dehydrated/config
Processing 911networks.com with alternative names: ................................
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jun  9 10:26:00 2017 GMT (Longer than 30 days). Skipping renew!

and when I use https://www.ssllabs.com/ssltest/analyze.html I get:

Code:
[...]
Valid from Sat, 11 Mar 2017 10:26:00 UTC
Valid until Fri, 09 Jun 2017 10:26:00 UTC (expires in 2 months and 14 days)
[...]

Obviously a bug in letsencrypt who somehow forgot to update its database.

Thanks

Syv

Stefano
Re: FYI: letsencrypt
« Reply #1 on: March 25, 2017, 07:13:35 PM »
moving to SME9.x Contrib

DanB35 (http://www.familybrown.org)
Re: FYI: letsencrypt
« Reply #2 on: March 26, 2017, 01:05:11 AM »
Let's Encrypt is pretty good with those notifications, but they'll send one if a certificate with the exact same set of hostnames wasn't issued within that time, which is probably what you're running into.
......
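The two checks DanB35's answer implies are easy to script against the files dehydrated leaves behind: does the certificate the server actually serves still have more than 30 days left (the same test dehydrated applies before it prints "Skipping renew!"), and does that certificate carry exactly the same set of hostnames as the one the expiry mail is about. Let's Encrypt sends the expiry notice per hostname set, so if the two sets differ the notice is about a certificate that was never superseded. This is an added example, not code from the thread or from the dehydrated project; the paths are placeholders, and it assumes the previous issuance is still on disk (dehydrated keeps older certs as cert-<timestamp>.pem next to cert.pem) and that the OpenSSL command line is available, as it is on SME 9.

```shell
#!/bin/sh
# Added example (not from the thread or from dehydrated): reconcile a
# Let's Encrypt expiry notice with what the server is really serving.
#   cert_outside_renew_window <cert.pem>        - dehydrated's "longer than 30 days" test
#   same_san_set <old.pem> <current.pem>        - same hostname set as the notice?
#   explain_notice <old.pem> <current.pem>      - human-readable summary
# File locations are assumptions; with dehydrated they are typically
#   /etc/dehydrated/certs/<domain>/cert.pem            (served cert)
#   /etc/dehydrated/certs/<domain>/cert-<timestamp>.pem (previous issuances)

RENEW_DAYS=${RENEW_DAYS:-30}   # dehydrated's default RENEW_DAYS is 30

# Print the DNS names from the certificate's subjectAltName, one per line, sorted.
# Works on old OpenSSL too: it parses the -text output rather than using -ext.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' |
        sort -u
}

# Exit 0 when the cert is still valid for more than RENEW_DAYS days.
# openssl x509 -checkend N returns 0 if the cert will NOT expire within N seconds,
# which is exactly the condition under which dehydrated skips the renewal.
cert_outside_renew_window() {
    openssl x509 -in "$1" -noout -checkend $((RENEW_DAYS * 86400)) >/dev/null
}

# Exit 0 when both certs carry the identical set of DNS names.
# Let's Encrypt keys its expiry mails to the hostname set, so an old cert whose
# exact name set was never re-issued keeps generating notices even though a
# newer cert covers the site.
same_san_set() {
    [ "$(cert_sans "$1")" = "$(cert_sans "$2")" ]
}

# Summarise: which cert the notice refers to, which one is served, and why
# dehydrated did (or did not) renew.
explain_notice() {
    old=$1; cur=$2
    echo "notice cert : $(openssl x509 -in "$old" -noout -enddate) names: $(cert_sans "$old" | tr '\n' ' ')"
    echo "current cert: $(openssl x509 -in "$cur" -noout -enddate) names: $(cert_sans "$cur" | tr '\n' ' ')"
    if cert_outside_renew_window "$cur"; then
        echo "current cert is valid for more than $RENEW_DAYS days: dehydrated skips renewal, as its log says"
    else
        echo "current cert is inside the $RENEW_DAYS-day window: dehydrated should renew on its next run"
    fi
    if same_san_set "$old" "$cur"; then
        echo "same hostname set: the renewal superseded the old cert, the notice is stale"
    else
        echo "hostname set differs: Let's Encrypt tracks the old set separately, the notice is about that one"
    fi
}
```

Usage: `explain_notice /etc/dehydrated/certs/example.com/cert-1489227960.pem /etc/dehydrated/certs/example.com/cert.pem`. The `-checkend` test is the portable way to do the date comparison: it avoids parsing `notAfter=Jun  9 10:26:00 2017 GMT` with `date -d`, which differs between GNU and BSD userlands.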

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: FYI: letsencrypt
« Reply #3 on: March 26, 2017, 04:50:47 AM »
The thing is, you need to pay attention to renewal and migration between the old Let's Encrypt path and the new dehydrated path.

If you did not migrate the old keys, at the first run of dehydrated after the change of name it issued and created brand new keys and certificates .... Let's Encrypt is probably just sending you a reminder for the previous registration.

I had this very same problem on a server where I did not manually copy the old registration from the old path to the new one.

DanB35 (http://www.familybrown.org)
Re: FYI: letsencrypt
« Reply #4 on: March 26, 2017, 12:12:24 PM »
Dehydrated creates new keys (except for the account key) for every renewal anyway.  I don't think the notice is tied to the account key, but it might be.

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: FYI: letsencrypt
« Reply #5 on: March 26, 2017, 08:14:23 PM »
Quote from: DanB35 on March 26, 2017, 12:12:24 PM
Dehydrated creates new keys (except for the account key) for every renewal anyway.  I don't think the notice is tied to the account key, but it might be.

It is.

Sorry, I was not clear enough in pointing to the account key (there are too many different types of keys here) that was not migrated.

The alert is indeed linked to the old account key that has not renewed its cert, as it was not migrated in the new contrib. An easy way to get rid of it is to click on the link to unsubscribe. There is maybe an easy way in the mail header to link the message with an account, but I did not try to investigate more.

bunkobugsy
Re: FYI: letsencrypt
« Reply #6 on: March 27, 2017, 04:49:12 PM »
Just to keep things "simple" (and to avoid installing dehydrated) I started using Letsencrypt manually:

Code:
# 2048-bit RSA private key and a CSR for it; openssl req prompts for the subject,
# put the hostname you want in the certificate in the Common Name.
# Keep the key private (e.g. chmod 600 domain.tld.key) before copying it into place.
openssl genrsa -out domain.tld.key 2048
openssl req -new -key domain.tld.key -out domain.tld.csr

Visit www.sslforfree.com, follow the manual verification steps, copy-paste the CSR generated above,
then install the private key domain.tld.key and the downloaded public key domain.tld.crt and ca_bundle.crt:

Code:
# point SME's modSSL settings at the new files, then expand the templates and
# restart the web and mail services so they pick them up
config setprop modSSL crt /home/e-smith/ssl.crt/domain.tld.crt
config setprop modSSL key /home/e-smith/ssl.key/domain.tld.key
config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/ca_bundle.crt
signal-event console-save
signal-event email-update

Repeat every 3 months. Don't forget to create an account for the 1 week/1 day renewal reminders.

Stefano
Re: FYI: letsencrypt
« Reply #7 on: March 27, 2017, 05:10:17 PM »
"simple", in my vocabulary, means that no human intervention is needed :-)

fix your script (and if you think that you hit a bug, go to bugzilla please) and live happy..
"setup, configure and forget" ;-)

bunkobugsy
Re: FYI: letsencrypt
« Reply #8 on: March 27, 2017, 07:11:08 PM »
I agree with both your affirmations, but frankly the wording "Work in Progress"
and a bit lengthy and full of custom-templates setup scared me a bit.

So I gave Letsencrypt a go with minimal modifications and thought I'd share it.

This way I can see that Letsencrypt is trusted by every major browser and mail client (now that StartSSL is distrusted by the latest Mozilla, Chrome and iOS).

SchulzStefan
Re: FYI: letsencrypt
« Reply #9 on: March 28, 2017, 10:53:34 PM »
Quote from: bunkobugsy on March 27, 2017, 07:11:08 PM
(now that StartSSL is distrusted by latest Mozilla, Chrome and IOS).

Does this have any consequences for an out-of-the-box install of SME 9.x? I assume there are a lot of Thunderbird clients running in IMAP mode, Mozilla Firefox for internal web apps, and so on.

stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

DanB35 (http://www.familybrown.org)
Re: FYI: letsencrypt
« Reply #10 on: March 28, 2017, 11:08:38 PM »
No, because an out-of-the-box install of SME (any version) doesn't use a cert from Start SSL.

SchulzStefan
Re: FYI: letsencrypt
« Reply #11 on: March 29, 2017, 09:02:31 AM »
DanB35,

thank you for clarification.

stefan

ReetP
Re: FYI: letsencrypt
« Reply #12 on: March 30, 2017, 12:06:00 AM »
If you use the contrib it does most of the heavy lifting for you.

https://wiki.contribs.org/Letsencrypt#Install_with_John_Crisp_contrib

It is used by a number of us without issues and is pretty simple. It had to be for me :-) Getting a basic installation running with the contrib is a work of minutes and virtually zero effort. It also auto renews for you :-)

Current versions of the contrib + dehydrated are in the testing repos.

There are very few templates involved (if you check... read the wiki page right to the bottom and check the RPMs). Yes, the wiki page needs a big clean-up, but the contrib section is pretty good.

If you test and find issues please report in the bug tracker. The quicker that happens the quicker letsencrypt becomes part of the core of Koozali SME....


...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation