Koozali.org: home of the SME Server

smeserver-letsencrypt

ReetP
smeserver-letsencrypt
« on: June 18, 2018, 05:39:34 PM »
Just an update...

I have been messing about with dehydrated and smeserver-letsencrypt as dehydrated now uses the v2 API

We have updated the dehydrated script to v0.6 and the rpm should be in smetest.

However, it won't do anything without an updated smeserver-letsencrypt RPM

I have now built one which is an alpha for messing about before I upload it to buildsys

https://www.reetspetit.com/smeserver/6/repoview/smeserver-letsencrypt.html

1. There is a new key, 'API'. This enables you to switch the API version. By default dehydrated will remain at v1 when smeserver-letsencrypt is installed until you set API to either '2' or 'auto' and re-run dehydrated to update.

Code:
config setprop letsencrypt API auto
signal-event console-save
dehydrated -c -x
dehydrated --cleanup

BE CAREFUL and don't break your rate limits if you have a lot of hosts and domains. Use test mode first...

2. I have added a key letsencrypt hostOverride to ignore the 'Self' host check.
This is so if you have a local machine that you want SME to obtain a certificate for, you can do it and then use a hook script to SCP the certs elsewhere.

Where my.host.com is a local IP and not 'Self' :

Code:
db hosts setprop my.host.com letsencryptSSLcert enabled
config setprop letsencrypt hostOverride yes

etc.

This removes the need to create a custom domains.txt fragment (I hope) as per the wiki, which I will amend in due course.

Note that there are quite a few more substantial changes in dehydrated/letsencrypt. As and when I can find time and/or brain power I will try and add some more in.

This bug refers: https://bugs.contribs.org/show_bug.cgi?id=10595

Let me know if anything breaks badly please.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
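The hook-script approach for a host that is not 'Self' (described in the post above), as an added example that is not code from the post or from the smeserver-letsencrypt contrib: a POSIX sh dehydrated hook that handles only the deploy_cert action. dehydrated invokes its hook as `hook deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP`; this script looks the domain up in a small map file (the path and format are my assumption, default /etc/dehydrated/remote-hosts with lines `<domain> <user@host:/dir>`) and copies the key, certificate and full chain there with scp, leaving every other hook action and every certificate for this server alone. How the contrib wires a hook in is not covered by the post; with plain dehydrated you point the HOOK setting in its config at this file. The map-file content shown in the comments is constructed.

```shell
#!/bin/sh
# Added example hook for dehydrated (not part of smeserver-letsencrypt or the post).
# Only the deploy_cert action is handled: if the certificate's first name is a host
# listed in REMOTE_MAP, the new key, cert and chain are copied to that machine with
# scp. Every other hook action is a no-op, so the contrib's own challenge handling
# and local deployment are untouched.
#
# Assumptions (mine, not the contrib's): REMOTE_MAP is a file of lines
#   <domain> <user@host:/destination/dir>
# for example (constructed):
#   gitlab.example.com root@gitlab.example.com:/etc/ssl/private
# and ssh key authentication to each destination is already set up.

REMOTE_MAP=${REMOTE_MAP:-/etc/dehydrated/remote-hosts}
COPY_CMD=${COPY_CMD:-scp -q -p}   # -p keeps the 0600 mode of privkey.pem on the remote side

# Print the destination for DOMAIN and return 0, or return 1 if the domain is
# not in REMOTE_MAP (i.e. it is a certificate for this server).
remote_target_for() {
    domain="$1"
    [ -r "$REMOTE_MAP" ] || return 1
    while read -r d dest _; do
        case "$d" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        if [ "$d" = "$domain" ]; then
            printf '%s\n' "$dest"
            return 0
        fi
    done < "$REMOTE_MAP"
    return 1
}

# dehydrated calls: hook deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
    domain="$1" keyfile="$2" certfile="$3" fullchain="$4"
    if ! dest=$(remote_target_for "$domain"); then
        echo "deploy_cert: $domain is served by this host, nothing to copy"
        return 0
    fi
    echo "deploy_cert: copying $domain key, cert and chain to $dest"
    # COPY_CMD is deliberately unquoted so it may carry options (e.g. "scp -q -p")
    $COPY_CMD "$keyfile" "$certfile" "$fullchain" "$dest"
}

# Dispatch on the hook action dehydrated passes as the first argument.
hook_main() {
    action="$1"
    shift
    case "$action" in
        deploy_cert) deploy_cert "$@" ;;
        *) : ;;   # deploy_challenge, clean_challenge, unchanged_cert, ...: nothing to do here
    esac
}

# When dehydrated runs this file it always passes an action; with no arguments
# (e.g. when sourced for testing) only the functions are defined.
if [ $# -gt 0 ]; then
    hook_main "$@"
fi
```

Set `COPY_CMD=cp` and map the domain to a local directory to rehearse the deployment without touching the remote host; the private key leaves this server only for domains you have explicitly listed in the map file, so a stray line in domains.txt cannot push a key anywhere by accident.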

ReetP
Re: smeserver-letsencrypt
« Reply #1 on: June 19, 2018, 06:24:35 PM »
Should now be in smetest. Mirrors might take a while to sync. I had to add a quick patch as I forgot to remove some debugging lines!

yum --enablerepo=smetest install smeserver-letsencrypt dehydrated

The contrib will default to the v1 API.

We have a couple of new keys:

API version
API: can be set 1, 2, auto (defaults to 1)

hostOverride
By default only hosts that are 'Self' are allowed. This allows you to set other hosts that are not on your server where you need a certificate, but the host does not have http access. e.g. I have a private gitlab host that only runs https and on a different port and want a certificate for that machine.

You will now not necessarily need a domains.txt template override as per the wiki.

Note that the domains.txt file can now create a set of certificates per domain and store them in separate directories.

e.g.

example.com smtp.example.com mail.example.com www.example.com
testdomain.com smtp.testdomain.com mail.testdomain.com www.testdomain.com

You will get a set of directories like this:
/etc/dehydrated/certs/example.com (contains a certificate for all hosts at this domain)
/etc/dehydrated/certs/testdomain.com (contains a certificate for all hosts at this domain)

HOWEVER. Currently the contrib does NOT work with this method. It will take ALL hosts and ALL domains and create ONE certificate. That is due to the way they are deployed currently.

I need to look at a patch so that it creates certificates that are relevant to THIS server, and others that are for different servers.

I'll look at that in due course.

hostOverride yes/no (defaults to no)

To change, we need to do the following:

config setprop letsencrypt API auto

signal-event console-save

dehydrated -c -x

dehydrated --cleanup
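As an added example (not the contrib's code and not from the post): a POSIX sh pre-flight check for a multi-line domains.txt of the kind shown above. It prints the certificate directory each line would get under /etc/dehydrated/certs (the first name on the line) together with the number of names on that line, and exits non-zero if any line exceeds the 100 names Let's Encrypt allows in one certificate, so you can see how many certificates a live run will request before spending rate limit on them. The sample domains.txt is constructed; dehydrated's optional `... > alias` form is not handled.

```shell
#!/bin/sh
# Added example (not the contrib's code): pre-flight check for a multi-line
# dehydrated domains.txt. Each non-comment line becomes one certificate stored
# under /etc/dehydrated/certs/<first name on the line>, and Let's Encrypt refuses
# a certificate with more than MAX_NAMES subject names. Run this before
# "dehydrated -c" against the live CA to see what will be requested.
# dehydrated's optional "... > alias" syntax is not handled.

MAX_NAMES=100   # Let's Encrypt limit on names in one certificate

# Print "<cert directory name> <number of names>" for each certificate line.
# Return 1 if any line has more than MAX_NAMES names, else 0.
check_domains_txt() {
    file="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop comments
        set -- $line              # split the remaining names on whitespace
        [ $# -eq 0 ] && continue  # blank line
        printf '%s %d\n' "$1" "$#"
        [ $# -gt "$MAX_NAMES" ] && bad=1
    done < "$file"
    return $bad
}

# Number of certificates (and so ACME orders) a run of this file would create.
count_certs() {
    check_domains_txt "$1" | wc -l | tr -d ' '
}

# Constructed sample domains.txt in the layout described in the post.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# one certificate per line, directory named after the first host
example.com smtp.example.com mail.example.com www.example.com
testdomain.com smtp.testdomain.com mail.testdomain.com www.testdomain.com
EOF

FILE=${1:-$SAMPLE}   # pass a real /etc/dehydrated/domains.txt as the first argument
if check_domains_txt "$FILE"; then
    echo "OK: $(count_certs "$FILE") certificate(s) would be requested from $FILE"
else
    echo "ERROR: a line in $FILE has more than $MAX_NAMES names" >&2
fi
```

Run it as `sh check-domains.sh /etc/dehydrated/domains.txt`; the line count it reports is the number of certificates a live `dehydrated -c` will order, which is the figure to compare against your remaining rate limit before leaving test mode.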