Koozali.org: home of the SME Server

Letsencrypt - a successful instance

MSmith
« on: May 09, 2017, 10:43:16 PM »
Here are the commands I ran on a fresh 9.2 install to get a working certificate for use with devices outside the SME's network, i.e. not having to accept a self-signed certificate.

Feedback from John Crisp, developer of the smeserver-letsencrypt contrib, was crucial. He noted that all names and domains must resolve and be reachable via Internet DNS in order for this to succeed, and he pointed out the need for ACCEPT_TERMS.

I had tried with the following:

config setprop letsencrypt configure all

And it apparently ran without error, but no certificates were generated in the next steps because letsencrypt's servers couldn't reach all of www.[DOMAIN].[TLD], ftp, etc.

Here's what DID work. Items in brackets are redacted or replaced with generic names for privacy.
I should note that I was only trying to make it so that phones, tablets, and computers outside the SME's network would be able to send & receive email without having to accept/install a self-signed certificate.

*****************************************************

yum install --enablerepo=smedev smeserver-letsencrypt

signal-event post-upgrade; signal-event reboot

db hosts setprop [HOST].[DOMAIN].[TLD] letsencryptSSLcert enabled

config setprop letsencrypt ACCEPT_TERMS yes

config setprop letsencrypt email [redacted]

expand-template /etc/dehydrated/config

config setprop letsencrypt status enabled

signal-event console-save

dehydrated -c -x

*****************************************************

And now external clients can access the SME 9.2 server without accepting a self-signed certificate.

Relevant bug reports:
https://bugs.contribs.org/show_bug.cgi?id=10253
https://bugs.contribs.org/show_bug.cgi?id=10274


Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Letsencrypt - a successful instance
« Reply #1 on: May 10, 2017, 06:47:08 PM »
Thank you for sharing. A few notes:

- rpms are now in smecontribs
- it is suggested to first try with test enabled to avoid being blacklisted in case your trials fail (but if you only enable domains you know resolve correctly to your server you should be good)
- the expand template is not needed as it is done by the console save event.

Have a look at the rush job on the wiki page https://wiki.contribs.org/Letsencrypt#Rush_jobs
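Both posts above come down to the same two prerequisites: every host you mark with letsencryptSSLcert must resolve in public DNS to this server (the first attempt failed because Let's Encrypt could not reach www, ftp, etc.), and the first run should use the contrib's test mode so a failed validation does not count against Let's Encrypt's rate limits. The script below is an added example, not part of the smeserver-letsencrypt contrib or of either poster's procedure. It pre-checks a list of hostnames against the server's public address and only emits the `db hosts setprop` lines for names that pass, followed by the same config/signal-event/dehydrated sequence the first post used. Assumptions, labelled in the code: the resolver defaults to `socket.gethostbyname` (one IPv4 answer per name), and `config setprop letsencrypt status test` is taken to be the contrib's staging/test mode as described on the wiki page linked above; verify that property value there before relying on it. The hostnames and addresses in the demo are constructed (RFC 5737 documentation ranges).

```python
#!/usr/bin/env python3
"""Pre-flight check before enabling letsencryptSSLcert on SME Server hosts.

Added example for this thread; it is not code from the smeserver-letsencrypt
contrib. It gates the per-host enable commands on a public-DNS check so that
one unreachable name (the ftp/www problem in the first post) does not break
validation of the whole certificate request.
"""
import socket
from dataclasses import dataclass, field


@dataclass
class PreflightResult:
    ok: list = field(default_factory=list)          # names that resolve to this server
    unresolved: list = field(default_factory=list)  # names with no public DNS answer
    mismatched: dict = field(default_factory=dict)  # name -> the address it resolves to


def preflight(hostnames, public_ip, resolver=socket.gethostbyname):
    """Classify each hostname by whether it resolves to public_ip.

    `resolver` is injectable so the check can be exercised offline; by default
    it is socket.gethostbyname (assumption: a single IPv4 answer is enough).
    """
    result = PreflightResult()
    for name in hostnames:
        try:
            ip = resolver(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            result.unresolved.append(name)
            continue
        if ip == public_ip:
            result.ok.append(name)
        else:
            result.mismatched[name] = ip
    return result


def commands_for(result, email, staging=True):
    """Build the SME command sequence for the hosts that passed pre-flight.

    The db/config/signal-event/dehydrated lines mirror the working sequence in
    the first post. `status test` as the staging mode is an assumption taken
    from the contrib's wiki page; `status enabled` is the production value the
    first post used.
    """
    cmds = [f"db hosts setprop {name} letsencryptSSLcert enabled" for name in result.ok]
    cmds += [
        "config setprop letsencrypt ACCEPT_TERMS yes",
        f"config setprop letsencrypt email {email}",
        f"config setprop letsencrypt status {'test' if staging else 'enabled'}",
        "signal-event console-save",  # expands /etc/dehydrated/config, per the reply
        "dehydrated -c -x",
    ]
    return cmds


def report(result):
    """Human-readable summary of what would and would not be enabled."""
    lines = [f"enable: {n}" for n in result.ok]
    lines += [f"SKIP (no public DNS record): {n}" for n in result.unresolved]
    lines += [f"SKIP (resolves to {ip}, not this server): {n}" for n, ip in result.mismatched.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed demo data so the script runs offline; replace the fake
    # resolver with the default to check real names from the SME box.
    fake_dns = {
        "mail.example.org": "203.0.113.10",
        "www.example.org": "203.0.113.10",
        "ftp.example.org": "198.51.100.5",   # points somewhere else
    }

    def fake_resolver(name):
        if name not in fake_dns:
            raise OSError(f"no record for {name}")
        return fake_dns[name]

    res = preflight(
        ["mail.example.org", "www.example.org", "ftp.example.org", "nx.example.org"],
        "203.0.113.10",
        resolver=fake_resolver,
    )
    print(report(res))
    print("\n".join(commands_for(res, "admin@example.org", staging=True)))
```

Run it once with `staging=True`, confirm dehydrated completes against the staging endpoint, then rerun `commands_for(..., staging=False)` for the production certificate; names listed under SKIP need their public DNS fixed before they are added to the host list.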