Koozali.org: home of the SME Server

Security certificate

ecureuil
Re: security certificate
« Reply #15 on: February 16, 2020, 04:48:01 PM »
The problem is, I no longer know how to do it for testing or epel.

It's been 10 or 12 years since I last did it. All forgotten, my head is like a sieve.

ecureuil
Re: security certificate
« Reply #16 on: February 16, 2020, 05:27:49 PM »
Found it

# yum update smeserver-letsencrypt dehydrated --enablerepo=smetest
...
Mise à jour:
 dehydrated              noarch    0.6.5-1.el6    smetest    85 k
 smeserver-letsencrypt   noarch    0.5-11         smetest    36 k

Not done for now

ecureuil
Re: security certificate
« Reply #17 on: February 16, 2020, 05:45:13 PM »
# yum update  dehydrated --enablerepo=smetest

# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain.com
    hookScript=disabled
    status=test
[root@tux letsencrypt]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Fetching account ID...
Processing domain.com with alternative names: mail.domain.com www.domain.com www2.domain.com
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 4 authorizations URLs from the CA
 + Handling authorization for domain.com
 + Handling authorization for mail.domain.com
 + Handling authorization for www.domain.com
 + Handling authorization for www2.domain.com
 + 4 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for mail.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for www.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for www2.domain.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

I think it's OK

ecureuil
Re: security certificate
« Reply #18 on: February 16, 2020, 06:41:06 PM »
# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain.com
    hookScript=disabled
    status=test

# cat /etc/dehydrated/config
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-staging-v02.api.letsencrypt.org/directory"

PARAM_ACCEPT_TERMS="yes"

# config setprop letsencrypt status enabled
# signal-event console-save
# cat /etc/dehydrated/config
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-v02.api.letsencrypt.org/directory"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@domain.com
HOOK="/usr/bin/hook-script.sh"
API="2"

PARAM_ACCEPT_TERMS="yes"

I ran
# yum update  smeserver-letsencrypt --enablerepo=smetest

I switched back to test, just to test

#  config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain.com
    hookScript=disabled
    status=test

# cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@domain.com
API="2"

PARAM_ACCEPT_TERMS="yes"

It's OK

I'm switching back to enabled

# config setprop letsencrypt status enabled

#  config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain.com
    hookScript=disabled
    status=enabled

# cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@domain.com
API="2"

PARAM_ACCEPT_TERMS="yes"

# dehydrated -c -x
# INFO: Using main config file /etc/dehydrated/config
Processing domain.com with alternative names: mail.domain.com www.domain.com www2.domain.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till May 16 15:38:14 2020 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 4 authorizations URLs from the CA
 + Handling authorization for domain.com
 + Handling authorization for mail.domain.com
 + Handling authorization for www.domain.com
 + Handling authorization for www2.domain.com
 + 4 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for mail.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for www.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for www2.domain.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
 + Done!

All that's left is to move it from testing to contribs...

Thanks for the work
Anne
« Last Edit: February 16, 2020, 07:22:47 PM by ecureuil »

ecureuil
Re: security certificate
« Reply #19 on: February 16, 2020, 07:13:41 PM »
Continued

I went back to my server-manager

Did Not Connect: Potential Security Issue
Firefox detected a potential security threat and did not continue to www.domain.com because this website requires a secure connection.
What can you do about it?
The issue is most likely with the website, and there is nothing you can do to resolve it.
If you are on a corporate network or using anti-virus software, you can reach out to the support teams for assistance. You can also notify the website's administrator about the problem.

What is going on?

Anne

« Last Edit: February 16, 2020, 07:24:22 PM by ecureuil »

ReetP
Re: security certificate
« Reply #20 on: February 16, 2020, 07:32:52 PM »
Probably because of the server name/ip address.

www.myserver.com/server-manager probably resolves LOCALLY to 192.168.x.x but the cert is for an 'external' ip.

You cannot generate a certificate for a 'local/private' ip address because it doesn't resolve globally.

How does "www.mydomain.com" look when accessed from the internet in general?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

ecureuil
Re: security certificate
« Reply #21 on: February 16, 2020, 07:53:14 PM »
Hi there

3w dot linux-nuts dot com

What does that give?

And for

www2 dot linux-nuts dot com

Anne

ReetP
Re: security certificate
« Reply #22 on: February 16, 2020, 08:01:54 PM »
Quote
www dot linux-nuts dot com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

Certificates have not been deployed correctly but no idea why.

TerryF
Re: security certificate
« Reply #23 on: February 16, 2020, 08:30:08 PM »
It's been 10 or 12 years since I last did it. All forgotten, my head is like a sieve.

Mate, excuse the english, you are not the only one :-)
--
qui scribit bis legit

ecureuil
Re: security certificate
« Reply #24 on: February 16, 2020, 08:54:54 PM »
# cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@domain.com
API="2"

PARAM_ACCEPT_TERMS="yes"

# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain.com
    hookScript=disabled
    status=enabled

configure=none => maybe it needs to be configured?

ReetP
Re: security certificate
« Reply #25 on: February 16, 2020, 11:22:24 PM »
Code:
config show modSSL

ecureuil
Re: security certificate
« Reply #26 on: February 17, 2020, 12:02:17 AM »
# config show modSSL
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/linux-nuts.com/chain.pem
    TCPPort=443
    access=public
    crt=/etc/dehydrated/certs/linux-nuts.com/cert.pem
    key=/etc/dehydrated/certs/linux-nuts.com/privkey.pem
    status=enabled

ecureuil
Re: security certificate
« Reply #27 on: February 17, 2020, 12:24:45 PM »
Certificates have not been deployed correctly but no idea why.

I would really like another try

Anne

ReetP
Re: security certificate
« Reply #28 on: February 17, 2020, 01:09:10 PM »
I don't think you followed the wiki correctly.

https://wiki.contribs.org/Letsencrypt#Enable_Test_Mode

config setprop letsencrypt status test
signal-event console-save

dehydrated -c

If that is OK then go to Production mode

https://wiki.contribs.org/Letsencrypt#Enable_Production_Mode

Once you've successfully tested your installation, set it to production mode using these commands:

config setprop letsencrypt status enabled
signal-event console-save

Then obtain a new certificate from the Let's Encrypt production server:

dehydrated -c -x

The -x flag here is needed to force dehydrated to obtain a new certificate, even though you have an existing certificate that's valid for more than 30 days.

==========

I do not believe you have run dehydrated -c -x properly.

ecureuil
Re: security certificate
« Reply #29 on: February 17, 2020, 01:37:17 PM »
I had
# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain.com
    hookScript=disabled
    status=enabled

All the examples had configure=none

I replaced configure=none with configure=domains

And it looks like there are no more problems
« Last Edit: February 17, 2020, 01:42:31 PM by ecureuil »
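
Added example (not part of the thread, and not code from the SME Server or dehydrated projects): the dumps in Reply #18 show status=enabled next to a config whose CA= line still points at acme-staging-v02, and the wiki steps quoted in Reply #28 put signal-event console-save between the two. The shell functions below flag that mismatch; the function names and the constructed sample files are assumptions made for this sketch.

```shell
#!/bin/bash
# Added example: compare the letsencrypt db status with the CA dehydrated will use.
# The status/CA pairing (test = staging, enabled = production) is taken from the
# dumps in the thread; function names are hypothetical.

# Print the CA URL from a dehydrated config. The last uncommented CA= line wins,
# as it would when bash sources the file.
ca_url() {
    sed -n 's/^[[:space:]]*CA=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Classify the ACME directory URL found in the config.
acme_env() {
    case "$(ca_url "$1")" in
        https://acme-staging-v02.api.letsencrypt.org/*) echo staging ;;
        https://acme-v02.api.letsencrypt.org/*)         echo production ;;
        *)                                              echo unknown ;;
    esac
}

# check_mode STATUS CONFIG
# Returns 0 if consistent, 1 if the config is stale, 2 if it cannot tell.
check_mode() {
    local status=$1 ca_env
    ca_env=$(acme_env "$2")
    case "$status:$ca_env" in
        test:staging|enabled:production)
            echo "OK: status=$status, CA=$ca_env"; return 0 ;;
        test:production|enabled:staging)
            echo "MISMATCH: status=$status but CA=$ca_env; run 'signal-event console-save'"
            return 1 ;;
        *)
            echo "UNKNOWN: status=$status, CA=$ca_env"; return 2 ;;
    esac
}

# Constructed sample configs shaped like the dumps in the thread.
demo() {
    local dir; dir=$(mktemp -d)
    printf '%s\n' '#!/bin/bash' \
        'CA="https://acme-staging-v02.api.letsencrypt.org/directory"' 'API="2"' > "$dir/stale"
    printf '%s\n' '#!/bin/bash' \
        'CA="https://acme-v02.api.letsencrypt.org/directory"' 'API="2"' > "$dir/fresh"
    check_mode enabled "$dir/stale" || true   # expected: MISMATCH
    check_mode enabled "$dir/fresh" || true   # expected: OK
    rm -rf "$dir"
}
demo
```

On a live server the same check would be check_mode "$(config getprop letsencrypt status)" /etc/dehydrated/config, run before dehydrated -c -x.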