Koozali.org: home of the SME Server

security certificate

Offline ecureuil

security certificate
« on: February 14, 2020, 11:44:28 PM »
Hello,

I buy a domain name every year from filnet.
When people come to one of my ibays, they get a problem with my SME's security certificate.

I have a certificate that validates itself.
It is not certified by an authority.

How can I make it so that people no longer get this message?

I was pointed to https://letsencrypt.org/fr/getting-started/

How do you do it?

Thanks
Anne

Offline ReetP

Re: security certificate
« Reply #1 on: February 15, 2020, 12:10:45 AM »
Search the wiki for letsencrypt and dehydrated.

https://wiki.contribs.org/Letsencrypt
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ecureuil

Re: security certificate
« Reply #2 on: February 15, 2020, 01:47:24 PM »
Quote
Search the wiki for letsencrypt and dehydrated.

https://wiki.contribs.org/Letsencrypt

Thanks

Then, to configure it with filnet, I created MX and A records.
I admit I don't fully understand all of it.

All the A records point to my freebox's IP.
All the MX records are 20 mail.xxxxx.com.

If I run
config setprop letsencrypt configure all

what are the consequences?

Anne

Offline ReetP

Re: security certificate
« Reply #3 on: February 15, 2020, 02:27:28 PM »
Each host or domain must be resolvable from the internet to something like this (the directory is created by the contrib)

http://myhost.mydomain.com/.well-known/acme-challenge

Run 'test' mode which will tell you if you have got it right.

If you have one domain I suggest you enable the domain and specific hosts eg

mydomain.com
www.mydomain.com
mail.mydomain.com

You can add more if required.

Offline ecureuil

Re: security certificate
« Reply #4 on: February 15, 2020, 04:38:37 PM »
In the hostnames I have

ftp.domain.com
mail.domain.com
nuts.domain.com
proxy.domain.com
tux.domain.com
www.domain.com
www2.domain.com

Do I also include ftp and proxy?
For www2 I no longer remember why I have that.

Anne

Offline ReetP

Re: security certificate
« Reply #5 on: February 15, 2020, 05:04:12 PM »
As I said above, do it for hosts that you require.

Which ones are your choice..... start simple.....

I'd remove hosts you do not need or use.

Offline ecureuil

Re: security certificate
« Reply #6 on: February 15, 2020, 05:57:07 PM »
I've already done something silly.

I did db domains setprop instead of db hosts setprop.

How do I remove the extra 'domains' entries?
How do I see what I set with 'domains' and 'hosts'?

Anne

Offline ecureuil

Re: security certificate
« Reply #7 on: February 15, 2020, 06:52:33 PM »
continued

# db domains show
domain.com=domain
    Content=Primary
    Description=Primary domain
    Nameservers=localhost
    Removable=no
    SystemPrimaryDomain=yes
    letsencryptSSLcert=enabled

# db hosts show
ftp.domain.com=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
mail.domain.com=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
    letsencryptSSLcert=enabled
nuts.domain.com=host
    Comment=
    ExternalIP=
    HostType=Local
    InternalIP=10.97.1.80
    MACAddress=
pc-00105.domain.com=host
    Comment=
    ExternalIP=
    HostType=Local
    InternalIP=10.97.1.51
    MACAddress=
proxy.domain.com=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
tux.domain.com=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
    ReverseDNS=yes
    static=yes
wpad.domain.com=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
www.domain.com=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
    letsencryptSSLcert=enabled
www2.domain.com=host
    Comment=
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
    letsencryptSSLcert=enabled


# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    configure=all
    email=admin@domain.com
    hookScript=disabled
    status=test


# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
  + ERROR: An error occurred while sending post-request to https://acme-staging.api.letsencrypt.org/acme/new-reg (Status 403)

Details:
HTTP/1.1 100 Continue

HTTP/1.1 403 Forbidden
Server: nginx
Date: Sat, 15 Feb 2020 17:40:00 GMT
Content-Type: application/problem+json
Content-Length: 280
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: 0001GgVRQ-Zk9fpOD1AWlxkrrYJQyoNo-eR-1tx402God_Y

{
  "type": "urn:acme:error:unauthorized",
  "detail": "Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.",
  "status": 403
}



Error registering account key. See message above for more information.

=>
I forgot to do

# config setprop letsencrypt API 2

# signal-event console-save

# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=all
    email=admin@domain.com
    hookScript=disabled
    status=test

# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
Fetching missing account information from CA...
 + Creating chain cache directory /etc/dehydrated/chains
Processing domain.com with alternative names: domain.com ftp.domain.com mail.domain.com nuts.domain.com pc-00105.domain.com proxy.domain.com tux.domain.com wpad.domain.com www.domain.com www2.domain.com
 + Creating new directory /etc/dehydrated/certs/domain.com ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 10 authorizations URLs from the CA
  + ERROR: An error occurred while sending get-request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/39074804 (Status 405)

Details:
HTTP/1.1 405 Method Not Allowed
Server: nginx
Date: Sat, 15 Feb 2020 18:00:20 GMT
Content-Type: application/problem+json
Content-Length: 103
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}

error again
 :(
Anne
« Last Edit: February 15, 2020, 07:13:01 PM by ecureuil »

Offline Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)

Re: security certificate
« Reply #8 on: February 16, 2020, 05:25:38 AM »
config delprop dehydrated configure
signal-event console-save


You don't want to configure a cert for all your PC hosts...
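The effect of configure=all that the two replies above illustrate, as an added example that is not part of this thread or of the letsencrypt contrib: a Python script that parses `db domains show` / `db hosts show` output (the constructed sample uses the thread's placeholder names), predicts which names dehydrated would put in the certificate request in the configure=all and configure=none modes seen here, and flags HostType=Local hosts, which only have an internal IP and so can never answer the CA's public /.well-known/acme-challenge request.

```python
# Added example: pre-flight check for the SME Server letsencrypt contrib.
# It parses the e-smith `db ... show` text format and predicts the names
# dehydrated would request, so internal-only hosts are caught beforehand.

# Constructed sample in the format quoted in the thread (placeholder names).
SAMPLE_DOMAINS = """\
domain.com=domain
    SystemPrimaryDomain=yes
    letsencryptSSLcert=enabled
"""
SAMPLE_HOSTS = """\
mail.domain.com=host
    HostType=Self
    letsencryptSSLcert=enabled
nuts.domain.com=host
    HostType=Local
    InternalIP=10.97.1.80
www.domain.com=host
    HostType=Self
    letsencryptSSLcert=enabled
"""

def parse_db_show(text):
    """Return {record_key: {'type': record_type, prop: value, ...}}."""
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # "key=type" opens a record
            key, _, rtype = line.partition("=")
            current = records.setdefault(key, {"type": rtype})
        elif current is not None:           # "    Prop=value" belongs to it
            prop, _, value = line.strip().partition("=")
            current[prop] = value
    return records

def cert_names(domains, hosts, configure):
    """Names requested in the two modes seen in the thread: configure=all
    takes every domain and host; configure=none only records that carry
    letsencryptSSLcert=enabled."""
    def chosen(recs):
        return [k for k, p in recs.items()
                if configure == "all" or p.get("letsencryptSSLcert") == "enabled"]
    return chosen(domains) + chosen(hosts)

def unreachable(hosts, names):
    """HostType=Local hosts have only an internal IP, so the CA can never
    fetch http://<host>/.well-known/acme-challenge/... from them."""
    return [n for n in names if hosts.get(n, {}).get("HostType") == "Local"]
```

Feed it the real output of `db domains show` and `db hosts show` in place of the constructed samples; any name listed by `unreachable` will fail the HTTP challenge.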

Offline Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)

Re: security certificate
« Reply #9 on: February 16, 2020, 05:28:32 AM »

Offline ecureuil

Re: security certificate
« Reply #10 on: February 16, 2020, 08:16:12 AM »
Also update https://forums.contribs.org/index.php/topic,54121.30.html

I looked and I don't see how to do it?

I did
config delprop dehydrated configure
signal-event console-save

#  config show modSSL
modSSL=service
    TCPPort=443
    access=public
    status=enabled

# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain.com
    hookScript=disabled
    status=test

# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Fetching missing account information from CA...
Processing domain.com with alternative names: mail.domain.com www.domain.com www2.domain.com
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 4 authorizations URLs from the CA
  + ERROR: An error occurred while sending get-request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/39074805 (Status 405)

Details:
HTTP/1.1 405 Method Not Allowed
Server: nginx
Date: Sun, 16 Feb 2020 07:53:36 GMT
Content-Type: application/problem+json
Content-Length: 103
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}

Anne
« Last Edit: February 16, 2020, 09:42:10 AM by ecureuil »

Offline ReetP

Re: security certificate
« Reply #11 on: February 16, 2020, 10:48:51 AM »
Use the dehydrated version 0.6.5-1 in smetest/smedev (I never remember which repo to use)

Offline ecureuil

Re: security certificate
« Reply #12 on: February 16, 2020, 02:48:53 PM »
# rpm -qa | grep dehydrated
dehydrated-0.6.2-14.el6.sme.noarch

# rpm -qa | grep letsencrypt
smeserver-letsencrypt-0.5-9.noarch

At first I had this error
# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
  + ERROR: An error occurred while sending post-request to https://acme-staging.api.letsencrypt.org/acme/new-reg (Status 403)

I had forgotten to do
# config setprop letsencrypt API 2

I never went through version 1

I get the 405 error

Is it apache that has a problem?

Anne
« Last Edit: February 16, 2020, 03:16:20 PM by ecureuil »

Offline ReetP

Re: security certificate
« Reply #13 on: February 16, 2020, 03:31:19 PM »
Each host or domain must be resolvable from the internet to something like this (the directory is created by the contrib)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
http://myhost.mydomain.com/.well-known/acme-challenge

Quote
Use the dehydrated version 0.6.5-1  in smetest/smedev (I never remember which repo to use)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Offline ReetP

Re: security certificate
« Reply #14 on: February 16, 2020, 04:05:46 PM »
Use the dehydrated version 0.6.5-1  in smetest/smedev

Also in epel.