Koozali.org: home of the SME Server

Question about letscrypt.

Drifting
Question about letscrypt.
« on: September 09, 2019, 05:26:34 PM »
Hi all.
After getting my fingers burnt with my crazy notion of domain naming, I am now just testing out on one of my home domains. I now have the correct domain name, and have installed letsencrypt. However, it has failed at the testing stage. Now I am almost certain this is because I host my website with my ISP, and it appears to want to check something on the site, which of course it cannot find?
How do I get over this one? Do I have to move my website onto the SME box to make this work? Not something I would want to do, to be honest.

Did not add this to the existing questions re letsencrypt as I felt mine was a more mundane issue.

Paul.
Infamy, Infamy, they all have it in for me!

ReetP
Re: Question about letscrypt.
« Reply #1 on: September 09, 2019, 11:57:58 PM »
You need to have a read about what letsencrypt is and does.

Letsencrypt usually works by looking up each host, e.g. www, mail, smtp, and trying to connect to a special directory at that IP to make sure it is you.

So if your www.domain.com is elsewhere you have two problems.

One is letsencrypt can't get to the directory because www knows nothing about it, just SME.

Secondly, if you do create a cert on your SME it is no use there for www. It needs to be installed on the server at your ISP....

So either get your ISP to install a letsencrypt cert for your server www or move www elsewhere that you control.

Personally I have a few VMs with vultr.com and digitalocean.com

Each runs a SME and hosts JUST the www host using letsencrypt.

You can then run your other hosts at home with their own cert. Or use a hook script to copy certs elsewhere. There are various permutations.

First thing though is to read more on SSL and letsencrypt in general.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Question about letscrypt.
« Reply #2 on: September 10, 2019, 12:38:46 AM »
Well,

You might also have the situation where you need the cert on two servers:
http://mydomain.tld is on server 1
But
imap and pop for mydomain.tld are on the SME server.

In this case you might either use DNS for validation or use the hook to let the verification occur on server 1 and re-upload the cert on both servers.
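
The split Jean-Philippe describes (validation answered on server 1, the certificate then installed on both servers), as an added example rather than code from the SME letsencrypt contrib or from anyone in this thread: a dehydrated hook written in Python. It assumes the stock dehydrated hook contract, where the program named by `HOOK` in dehydrated's config is run as `<verb> <args...>`; how the SME contrib's `hookScript` property invokes a hook is not shown on this page. The web host name, the deploy account, the paths and the reload command are placeholders.

```python
"""dehydrated hook for the two-server split: the name's A record points at a
web host you do not run letsencrypt on (ISP or VPS) while imap/pop live on
the SME.  The SME requests the certificate; this hook pushes the http-01
token to the web host so validation succeeds there, and after issuance
ships key + chain back to the web host and reloads it.

Added example, not the SME letsencrypt contrib's hook.  Uses the plain
dehydrated hook contract (HOOK is executed as `<verb> <args...>`).  Host,
account, paths and reload command are assumptions.  The runner is injectable
so the command plan can be checked without ssh access.
"""
import shlex
import subprocess
import sys
from typing import Callable, Dict, List, Optional

Cmd = List[str]
Runner = Callable[[Cmd, Optional[str]], None]

CONFIG: Dict[str, str] = {
    "www_ssh": "acme@www.mydomain.co.uk",              # assumed: key-only deploy account
    "www_acme_dir": "/var/www/html/.well-known/acme-challenge",
    "www_cert_dir": "/etc/pki/tls/mydomain",
    "www_reload": "sudo /sbin/service httpd reload",  # assumed: sudoers limited to this
}


def ssh(target: str, remote: str) -> Cmd:
    return ["ssh", "-o", "BatchMode=yes", target, remote]


def real_runner(cmd: Cmd, stdin: Optional[str]) -> None:
    subprocess.run(cmd, input=stdin, text=True, check=True)


def deploy_challenge(domain: str, token_filename: str, token_value: str,
                     cfg: Dict[str, str], run: Runner) -> List[Cmd]:
    # The CA will GET http://<domain>/.well-known/acme-challenge/<token_filename>
    # from wherever <domain> resolves, i.e. the web host, so the token must be THERE.
    path = shlex.quote(f"{cfg['www_acme_dir']}/{token_filename}")
    cmd = ssh(cfg["www_ssh"], f"umask 022 && cat > {path}")
    run(cmd, token_value)  # token body goes over stdin, never on a command line
    return [cmd]


def clean_challenge(domain: str, token_filename: str, token_value: str,
                    cfg: Dict[str, str], run: Runner) -> List[Cmd]:
    path = shlex.quote(f"{cfg['www_acme_dir']}/{token_filename}")
    cmd = ssh(cfg["www_ssh"], f"rm -f {path}")
    run(cmd, None)
    return [cmd]


def deploy_cert(domain: str, keyfile: str, certfile: str, fullchainfile: str,
                chainfile: str, timestamp: str, cfg: Dict[str, str], run: Runner) -> List[Cmd]:
    # Same certificate on two servers: copy private key and full chain, then reload.
    # scp -p preserves the 0600 mode dehydrated gives the private key.
    scp = ["scp", "-o", "BatchMode=yes", "-p"]
    dst = f"{cfg['www_ssh']}:{cfg['www_cert_dir']}"
    cmds = [scp + [keyfile, f"{dst}/privkey.pem"],
            scp + [fullchainfile, f"{dst}/fullchain.pem"],
            ssh(cfg["www_ssh"], cfg["www_reload"])]
    for c in cmds:
        run(c, None)
    return cmds


# verb -> (handler, number of positional arguments dehydrated passes for it)
HANDLERS = {"deploy_challenge": (deploy_challenge, 3),
            "clean_challenge": (clean_challenge, 3),
            "deploy_cert": (deploy_cert, 6)}


def handle(argv: List[str], cfg: Dict[str, str] = CONFIG,
           run: Runner = real_runner) -> List[Cmd]:
    """Dispatch one hook invocation; returns the commands it issued."""
    if not argv or argv[0] not in HANDLERS:
        return []  # unchanged_cert, exit_hook, startup_hook, ...: nothing to do
    fn, n = HANDLERS[argv[0]]
    if len(argv) - 1 < n:
        raise SystemExit(f"{argv[0]}: expected {n} arguments, got {len(argv) - 1}")
    return fn(*argv[1:1 + n], cfg, run)


if __name__ == "__main__":
    handle(sys.argv[1:])
```

Point a stock dehydrated at it with `HOOK=/path/to/this/hook.py` (made executable) and dry-run it first by passing a runner that only records commands. The remote account can write into the document root and receives the private key, so restrict it with an `authorized_keys` forced command or a sudoers rule limited to the reload.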

Drifting
Re: Question about letscrypt.
« Reply #3 on: September 10, 2019, 10:16:47 AM »
Thank you so much for the reply, I think I understand what you are saying. Being partially sighted, it takes me hours to read some of the documentation, and even worse trying to understand it!
You are right, my ISP does have letsencrypt on my hosted website with them, so really I just need a certificate for my mail server which is at home. So in my case www.mywebsite.co.uk goes to my ISP, and mail.mywebsite.co.uk goes to my SME server. So you are saying I can use DNS to resolve this? Will try and have a read up on how.

Thanks again Paul

ReetP
Re: Question about letscrypt.
« Reply #4 on: September 10, 2019, 10:40:01 AM »
Ok... !!

You are not going to be able to add a certificate to your ISP hosted website yourself. They control the web server. So do the www part via your ISP.

For the rest of your host names just use letsencrypt to get a certificate for each one.

You do not need to worry about anything fancy as long as you can browse to each host, e.g.

mail.mywebsite.co.uk


Jean-Philippe Pialasse
Re: Question about letscrypt.
« Reply #5 on: September 10, 2019, 11:38:22 PM »
In your case just enable mail.mywebsite.co.uk for letsencrypt using the regular http verification and it will just work.

Just pay attention to configure everything related to your SME to point to this particular domain to avoid certificate errors.

Drifting
Re: Question about letscrypt.
« Reply #6 on: September 11, 2019, 11:17:45 AM »
Might need a little help please.
I understand that I needed to add mail.mydomain.co.uk, and from what I read I should do:
db hosts setprop mail.mydomain.co.uk letsencryptSSLcert enabled
It states in the contrib info that you need to do:
For each DOMAIN that you want to be included in the certificate, run this command:
db domains setprop $DOMAIN letsencryptSSLcert enabled
In my case do I need to do that? I was not sure, and did.... Sorry to be such a dunce!

Anyway, now I got this :-

[root@mail ~]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Processing mydomain.co.uk
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting authorization for mydomain.co.uk...
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for mydomain.co.uk authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://mydomain.co.uk/.well-known/acme-challenge/PnDeek_iiwZ48bgVqfNgyashNw67UK__d7D_Qo3L4iw [212.69.40.200]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp\"",
    "status": 403
  },
  "uri": "https://acme-staging.api.letsencrypt.org/acme/chall-v3/7907347/motSYQ",
  "token": "PnDeek_iiwZ48bgVqfNgyashNw67UK__d7D_Qo3L4iw",
  "validationRecord": [
    {
      "url": "http://mydomain.co.uk/.well-known/acme-challenge/PnDeek_iiwZ48bgVqfNgyashNw67UK__d7D_Qo3L4iw",
      "hostname": "mydomain.co.uk",
      "port": "80",
      "addressesResolved": [
        "212.69.40.200"
      ],
      "addressUsed": "212.69.40.200"
    }
  ]
})
[root@mail ~]# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    configure=none
    email=admin@mydomain.co.uk
    hookScript=disabled
    status=test

The IP ending in 200 is my ISPs webserver.

Thanks for all the help.

Paul.


ReetP
Re: Question about letscrypt.
« Reply #7 on: September 11, 2019, 11:59:21 AM »
Quote
Might need a little help please.
I understand that I needed to add mail.mydomain.co.uk, and from what I read I should do:
db hosts setprop mail.mydomain.co.uk letsencryptSSLcert enabled
It states in the contrib info that you need to do:
For each DOMAIN that you want to be included in the certificate, run this command:
db domains setprop $DOMAIN letsencryptSSLcert enabled
In my

Do you want a domain as well, or just a host???

JP stated how to do it above:

In your case just enable mail.mywebsite.co.uk for letsencrypt using the regular http verification and will just work.

You just want one host.

So you just need mail.mydomain.co.uk

Simples.

It does say this pretty clearly in the docs.

Quote
For each DOMAIN that you want to be included in the certificate, run this command:

Quote
For each HOSTNAME that you want to be included in the certificate, run this command:

You want one host and no domain.
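
Before running `dehydrated -c`, the two facts this thread turned on can be checked from the SME itself: where each enabled name actually resolves, and whether the challenge path is served from this box at all. The following is an added example, not code from the SME letsencrypt contrib or from dehydrated. The names and addresses in it are constructed (documentation IP ranges), and the resolver and fetcher are injected so it runs offline; the `live_*` functions do the real lookups. It also parses the "Challenge is invalid" block dehydrated printed in Reply #6, to show which address the CA actually connected to.

```python
"""http-01 pre-flight for names enabled with letsencryptSSLcert on an SME box,
plus a parser for the 'Challenge is invalid' block dehydrated prints.
Added example; not code from the SME letsencrypt contrib or from dehydrated.
Resolver/fetcher are injected so the sample at the bottom runs offline; the
live_* functions do the real lookups.  Names and IPs below are constructed."""
import json
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

ACME_PATH = "/.well-known/acme-challenge/"
Resolver = Callable[[str], List[str]]
Fetcher = Callable[[str], Tuple[int, str]]


def live_resolve(host: str) -> List[str]:
    """IPv4 addresses DNS returns for host; this is what the CA will connect to."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80, socket.AF_INET)})


def live_fetch(url: str) -> Tuple[int, str]:
    """Plain HTTP GET returning (status, body); a 404 is returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def preflight(hostname: str, my_public_ip: str, resolve: Resolver, fetch: Fetcher,
              probe: str = "preflight-probe") -> Dict[str, object]:
    """Verdict for one name.  `probe` names a file you have put in dehydrated's
    WELLKNOWN directory on this server whose body is its own name."""
    addrs = resolve(hostname)
    verdict: Dict[str, object] = {"hostname": hostname, "resolves_to": addrs, "ok": False}
    if my_public_ip not in addrs:
        # The thread's bare-domain case: the A record points at the ISP's web
        # server, so the CA asks the ISP for the token and gets its 404 page.
        verdict["reason"] = (f"resolves to {addrs}, not this server ({my_public_ip}); "
                             "the other host will answer the challenge")
        return verdict
    status, body = fetch(f"http://{hostname}{ACME_PATH}{probe}")
    if status == 200 and body.strip() == probe:
        verdict["ok"] = True
        verdict["reason"] = "challenge path is served by this server"
    else:
        verdict["reason"] = f"probe returned HTTP {status}; {ACME_PATH} is not served here"
    return verdict


def parse_dehydrated_error(output: str) -> Dict[str, str]:
    """Extract who the CA actually talked to from dehydrated's error output.
    The JSON after '(result: ' is the CA's challenge object; validationRecord
    holds the address used, which is the first thing to compare with your own."""
    challenge = json.loads(output[output.index("{"):output.rindex("}") + 1])
    record = (challenge.get("validationRecord") or [{}])[0]
    error = challenge.get("error", {})
    return {"hostname": record.get("hostname", ""),
            "address_used": record.get("addressUsed", ""),
            "url": record.get("url", ""),
            "error_type": error.get("type", ""),
            "http_status": str(error.get("status", ""))}


# --- constructed sample, modelled on the thread, using documentation IPs ---
MY_PUBLIC_IP = "198.51.100.25"                        # the SME box at home
FAKE_DNS = {"mydomain.co.uk": ["203.0.113.10"],       # ISP-hosted www
            "mail.mydomain.co.uk": [MY_PUBLIC_IP]}
SAMPLE_ERROR = r'''ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01", "status": "invalid",
  "error": {"type": "urn:acme:error:unauthorized",
            "detail": "Invalid response from http://mydomain.co.uk/.well-known/acme-challenge/TOKEN [203.0.113.10]: \"<!DOCTYPE HTML ... 404 Not Found\"",
            "status": 403},
  "validationRecord": [{"url": "http://mydomain.co.uk/.well-known/acme-challenge/TOKEN",
                        "hostname": "mydomain.co.uk", "port": "80",
                        "addressesResolved": ["203.0.113.10"], "addressUsed": "203.0.113.10"}]
})'''


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_fetch(url: str) -> Tuple[int, str]:
    # Only the SME serves the probe; the ISP host answers with its 404 page.
    host, probe = url.split("/")[2], url.rsplit("/", 1)[1]
    return (200, probe) if FAKE_DNS.get(host) == [MY_PUBLIC_IP] else (404, "<h1>Not Found</h1>")


def run_sample() -> Dict[str, bool]:
    """Which of the thread's two names can pass http-01 from the SME."""
    return {n: bool(preflight(n, MY_PUBLIC_IP, fake_resolve, fake_fetch)["ok"]) for n in FAKE_DNS}


if __name__ == "__main__":
    for name, ok in run_sample().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
    print(parse_dehydrated_error(SAMPLE_ERROR))
```

Run against the real names with `live_resolve` and `live_fetch` from the SME; a name whose `address_used` in the dehydrated error does not equal your own public address is the same diagnosis ReetP gives above: that host is not yours to validate, so enable only the names that point at this server.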

Drifting
Re: Question about letscrypt.
« Reply #8 on: September 11, 2019, 12:39:49 PM »
Clearly for you; it was not so clear to me at the time, I just assumed it needed it at the time. (Told you I was dense)

So how do I now remove the errant domain I have put in? This is what I assume? I expect I am wrong again?
db domains setprop mydomain.co.uk  letsencryptSSLcert disabled

Thanks for your patience, I do really do appreciate both of your help.

Paul.
« Last Edit: September 11, 2019, 02:52:09 PM by Drifting »

ReetP
Re: Question about letscrypt.
« Reply #9 on: September 11, 2019, 12:56:40 PM »
Quote
Clearly for you; it was not so clear to me at the time, I just assumed it needed it at the time.
So how do I now remove the errant domain I have put in? This is what I assume? I expect I am wrong again?
db domains setprop mydomain.co.uk  letsencryptSSLcert disabled

Thanks for your patience, I do really do appreciate both of your help.

You know what they say about Ass U Me ;-)

As per the wiki you can use standard SME commands to manipulate the DBs so yes, this:

Code: [Select]
db domains setprop mydomain.co.uk  letsencryptSSLcert disabled
Or:

Code: [Select]
db domains delprop mydomain.co.uk letsencryptSSLcert
« Last Edit: September 11, 2019, 03:15:01 PM by ReetP »

Drifting
Re: Question about letscrypt. Resolved
« Reply #10 on: September 11, 2019, 04:21:49 PM »
Thank you both so much, all resolved and working. Now the fight with DKIM and SPF!

Paul.

ReetP
Re: Question about letscrypt. Resolved
« Reply #11 on: September 12, 2019, 01:57:33 PM »
Quote
Thank you both so much, all resolved and working. Now the fight with DKIM and SPF!

Fab!!   :pint:

DKIM & SPF - yes :-)

Should not be too bad. Just read very carefully, 25 times at least ;-)