Koozali.org formerly Contribs.org

certificat de sécurité

Offline TerryF

  • grumpy old man
  • *
  • 1,156
Re: security certificate
« Reply #45 on: March 07, 2020, 06:57:38 AM »
Veuillez excuser mon google français

Restez avec le wiki, tout est là -

Tout d’abord un petit para -
https://wiki.contribs.org/SME_Server:Documentation:User_Manual:Chapter1#Shell_Access

et où tout se réunit, lisez, relisez, et quand vous pensez que vous avez tout relu directement, faites votre propre triche avec des notes, documentez vos étapes lorsque vous faites les choses, permet une excellente vérification des défauts plus tard, tout cela aide -
https://wiki.contribs.org/SSH_Public-Private_Keys#Using_public_keys_for_SSH_authentication

Les références externes sont bonnes pour avoir une compréhension globale, mais le wiki est spécifique au serveur Koozali sme.

Je vous recommande de ne PAS le faire sur une boîte de prod d'abord sans avoir d'expérience, bien mieux pour configurer une machine virtuelle, prendre des instantanés et en casser le shite, le faire exploser, le jeter, c'est un excellent tableau noir :-)
« Last Edit: March 07, 2020, 06:59:21 AM by TerryF »
--
qui scribit bis legit

Re: certificat de sécurité
« Reply #46 on: March 07, 2020, 07:44:25 AM »
Merci pour l'info.
Cela m'aurait bien aidé, j'ai un petit  peu galéré

J'ai configuré ssh sans mot de passe entre mes 2 serveurs avec root.

J'ai configuré avec
Obtenir des certificats pour un serveur KOOZALI SME privé
Obtaining certificates for a private SME Server

Pour l'instant, quand je suis avec firefox sur le serveur privé c'est en orange alors qu'avec sme serveur et passerelle c'est vert.
Donc je pense que ce que j'ai fait ne fonctionne pas.
Pour ssh sans mot de passe pas de souci. Testé, cela fonctionne.

Comment voir où se trouve le problème ?

# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=all
    email=admin@domain.com
    hookScript=enabled
    host=toto.domain.com
    path=/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
    status=enabled
    user=root

# config show modSSL
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/domain.com/chain.pem
    TCPPort=443
    access=public
    crt=/etc/dehydrated/certs/domain.com/cert.pem
    key=/etc/dehydrated/certs/domain.com/privkey.pem
    status=enabled

Pourquoi c'est toujours ambré avec firefox pour le serveur interne?
Où chercher?

Anne
« Last Edit: March 07, 2020, 07:26:18 PM by ecureuil »

Re: certificat de sécurité
« Reply #47 on: March 07, 2020, 08:30:30 PM »
suite

Je suis de nouveau en test

Quote

# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Processing domain.com with alternative names: domain.com ftp.domain.com mail.domain.com nuts.domain.com pc-00105.domain.com proxy.domain.com tux.domain.com wpad.domain.com www.domain.com www2.domain.com
 + Checking domain name(s) of existing cert... changed!
 + Domain name(s) are not matching!
 + Names in old certificate: domain.com mail.domain.com www2.domain.com www.domain.com
 + Configured names: ftp.domain.com domain.com mail.domain.com nuts.domain.com pc-00105.domain.com proxy.domain.com tux.domain.com wpad.domain.com www2.domain.com www.domain.com
 + Forcing renew.
 + Checking expire date of existing cert...
 + Valid till Jun  5 18:04:16 2020 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 10 authorizations URLs from the CA
 + Handling authorization for domain.com
 + Found valid authorization for domain.com
 + Handling authorization for mail.domain.com
 + Found valid authorization for mail.domain.com
 + Handling authorization for www.domain.com
 + Found valid authorization for www.domain.com
 + Handling authorization for www2.domain.com
 + Found valid authorization for www2.domain.com
 + Handling authorization for ftp.domain.com
 + Handling authorization for nuts.domain.com
 + Handling authorization for pc-00105.domain.com
 + Handling authorization for proxy.domain.com
 + Handling authorization for tux.domain.com
 + Handling authorization for wpad.domain.com
 + 6 pending challenge(s)
 + Deploying challenge tokens...
scp: /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/g18Dd0YGY4bvUegdk3v5c8IVz505v4nmwWUqY0kCWTQ: No such file or directory
 Failed to deploy challenge !

Quote
# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=all
    email=admin@domain.com
    hookScript=enabled
    host=10.97.1.80
    path=/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
    status=test
    user=root

Dans host, il faut mettre quoi?
l'adresse du serveur privé?
j'ai essayé toto.domain.com, adresse ip

J'ai aussi essayé de mettre 10.97.1.1, la passerelle de 10.97.1.80 marche pas non plus 

Anne
« Last Edit: March 07, 2020, 09:47:31 PM by ecureuil »

Offline ReetP

  • *
  • 2,359
Re: certificat de sécurité
« Reply #48 on: March 08, 2020, 01:33:43 AM »
I have had a look at the code (which you should REALLY do yourself). It is so long ago I have forgotten what was in there, and not even sure if I wrote this section.

I *think* there may be a bug in the section:

Quote
Obtaining certificates for a private SME Server

The wiki says:

"However, if your SME Server is not accessible from the Internet, the smeserver-letsencrypt contrib provides a method that can be used to validate domain control."

But it also says:

"The hostname of your internal SME Server (example: internal.mydomain.tld) resolves, on the public Internet, to a valid IP address"

When I look at the hook script template here:

/etc/e-smith/templates/usr/bin/hook-script.sh/20challenges

It is clear that this code expects that the internal server can be reached from the internet.

Code: [Select]
        $OUT .= "  HOST=\"$host\" # FQDN or IP of public-facing server\n";

I *think* this was written for where the server/gateway machine did not host any public web services and forwarded them to an internal server but I need to have a look.

=============================

Anyway. You can try this. I have NOT tested it so YMMV. Please check carefully and test properly.

Disable the hookscript key.

hookScript disabled

In the following change domain.com to yourdomain.com

Make a dir on your private server:

Code: [Select]
mkdir /etc/dehydrated/certs/domain.com
Create a template like this (this may not be exact - you will need to test and amend:)

Code: [Select]
nano /etc/e-smith/templates-custom/usr/bin/hook-script.sh/21challenges
Change internal-server.domain.com to your INTERNAL host name.

Code: [Select]
{
    use strict;
    use warnings;
    use esmith::ConfigDB;

    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");

    my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' )     || 'disabled';

    if ( $letsencryptStatus ne 'disabled' ) {

    $OUT .=<<'_EOF';
if [ $1 = "deploy_cert" ] && [ $2 = "internal-server.domain.com" ]; then
  KEY=$3
  CERT=$4
  CHAIN=$6
  scp $CERT root@hostname:/etc/dehydrated/certs/domain.com/cert.pem
  scp $KEY root@hostname:/etc/dehydrated/certs/domain.com/privkey.pem
  scp $CHAIN root@hostname:/etc/dehydrated/certs/domain.com/chain.pem
  ssh root@internal-server.domain.com "/sbin/e-smith/db configuration setprop modSSL crt /etc/dehydrated/certs/domain.com/cert.pem"
  ssh root@internal-server.domain.com "/sbin/e-smith/db configuration setprop modSSL key /etc/dehydrated/certs/domain.com/privkey.pem"
  ssh root@internal-server.domain.com "/sbin/e-smith/db configuration setprop modSSL CertificateChainFile /etc/dehydrated/certs/domain.com/chain.pem"
  ssh root@internal-server.domain.com "/sbin/e-smith/signal-event ssl-update"
  echo "$2 certificate renewed" | mail -s "Certificate renewal" admin@domain.com
  exit 0
fi
_EOF

    }
}

Regenerate the configs

Code: [Select]
signal-event console-save
Check /var/log/messages for errors.

Check the hook-script.sh - you should see the extra deploy code.

Code: [Select]
cat /usr/bin/hook-script.sh
Check with a browser.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: certificat de sécurité
« Reply #49 on: March 08, 2020, 01:58:25 PM »
Je regarde tout cela ce soir.

Pas eu le temps de regarder mais cela va venir...

Je viens de me rendre compte que toutes mes ibays sont en vert avec firefox sauf l'ibay de primary qui est toujours ambré.
(sur mon serveur sme principal : serveur et passerelle)
Bizarre

Primary
# ls -al
total 32
drwxr-xr-x  6 root  root    4096 13 mars   2015 .
drwxr-xr-x 26 root  root    4096  6 janv. 23:07 ..
drwxr-s---  2 admin shared  4096 13 mars   2015 .AppleDesktop
drwxr-s---  2 admin shared  4096  1 mars   2015 cgi-bin
drwxr-s--- 35 admin shared 12288 22 févr. 12:29 files

Normal ou pas?

Je sais pourquoi Primary est en ambré.

Il y a du flash et c'est déclaré non sécurisé.
Je viens de renommer index.html.
J'ai mis la mini page qui arrive quand on crée une ibay que j'ai nommé index.html

Quote
!--DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"-->
<HTML>
<HEAD><TITLE>Under construction</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF"><H1>This web site is under construction</H1></BODY>
</HTML>

et maintenant Primary est en vert.

Ce problème est résolu.

Anne
« Last Edit: March 11, 2020, 03:21:39 PM by ecureuil »

Re: certificat de sécurité
« Reply #50 on: March 12, 2020, 12:35:13 AM »
bonjour,

Je me demande si la solution ne serait pas d'installer aussi letsencrypt sur mon serveur privé?

Peut-on avoir vraiment avoir  letsencrypt  sur le serveur principal (serveur et passerelle) et aussi avec le serveur privé qui se trouve dans le réseau local avec le même certificat?

Anne


Offline ReetP

  • *
  • 2,359
Re: certificat de sécurité
« Reply #51 on: March 12, 2020, 02:28:57 AM »
Ahain, if you read and understood what you are trying to do you would understand that you can install it there if you desperately want to, but it will be of absolutely no use because the letsencrypt servers cannot reach it to resolve and confirm the host because it is private.

So your only option is to obtain the certificate for the private server by lying to letsencrypt, making a certificate on the public server, and copying it to the private server.

That's it. First make sure your publuc server gets its certs properly.

Then copy them over and set modSSL, and then automate it with the script. Simple.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: certificat de sécurité
« Reply #52 on: March 12, 2020, 01:21:32 PM »
Code: [Select]
mkdir /etc/dehydrated/certs/domain.com

domain.com ?

J'ai domain.com sur mon serveur principal et nuts.domain.com sur mon serveur inerne

J'ai créé le script sur le serveur principal : /etc/e-smith/templates-custom/usr/bin/hook-script.sh/21challenges

Regenerate the configs
??? c'est à dire

Je ne sais plus faire :(

trouvé expend-template /usr/bin/hook-script.sh

Bon j'ai essayé mais erreur

Code: [Select]
dehydrated -c --force
# INFO: Using main config file /etc/dehydrated/config
Processing domain.com with alternative names: domain.com ftp.domain.com mail.domain.com nuts.domain.com pc-00105.domain.com proxy.domain.com tux.domain.com wpad.domain.com www.domain.com www2.domain.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jun 10 21:23:51 2020 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 10 authorizations URLs from the CA
 + Handling authorization for ftp.domain.com
 + Handling authorization for domain.com
 + Handling authorization for mail.domain.com
 + Handling authorization for nuts.domain.com
 + Handling authorization for pc-00105.domain.com
 + Handling authorization for proxy.domain.com
 + Handling authorization for tux.domain.com
 + Handling authorization for wpad.domain.com
 + Handling authorization for www.domain.com
 + Handling authorization for www2.domain.com
 + 10 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for ftp.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for mail.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for nuts.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for pc-00105.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for proxy.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for tux.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for wpad.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for www.domain.com authorization...
 + Challenge is valid!
 + Responding to challenge for www2.domain.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
ssh: Could not resolve hostname hostname: Name or service not known
lost connection
ssh: Could not resolve hostname hostname: Name or service not known
lost connection
ssh: Could not resolve hostname hostname: Name or service not known
lost connection

Il n'y a rien dans # ls -al /etc/dehydrated/certs/domain.com/

Code: [Select]
{
    use strict;
    use warnings;
    use esmith::ConfigDB;

    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");

    my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' )     || 'disabled';

    if ( $letsencryptStatus ne 'disabled' ) {

    $OUT .=<<'_EOF';
if [ $1 = "deploy_cert" ] && [ $2 = "internal-server.domain.com" ]; then
  KEY=$3
  CERT=$4
  CHAIN=$6
  scp $CERT root@hostname:/etc/dehydrated/certs/domain.com/cert.pem
  scp $KEY root@hostname:/etc/dehydrated/certs/domain.com/privkey.pem
  scp $CHAIN root@hostname:/etc/dehydrated/certs/domain.com/chain.pem
  ssh root@internal-server.domain.com "/sbin/e-smith/db configuration setprop modSSL crt /etc/dehydrated/certs/domain.com/cert.pem"
  ssh root@internal-server.domain.com "/sbin/e-smith/db configuration setprop modSSL key /etc/dehydrated/certs/domain.com/privkey.pem"
  ssh root@internal-server.domain.com "/sbin/e-smith/db configuration setprop modSSL CertificateChainFile /etc/dehydrated/certs/domain.com/chain.pem"
  ssh root@internal-server.domain.com "/sbin/e-smith/signal-event ssl-update"
  echo "$2 certificate renewed" | mail -s "Certificate renewal" admin@domain.com
  exit 0
fi
_EOF

    }
}


après le expend-template /usr/bin/hook-script.sh

Code: [Select]

!/bin/bash
# deploy_cert hook will set config database entries for the cert files
# and restart appropriate services
#

    if [ $1 = "deploy_cert" ]; then
      KEY=$3
      CERT=$4
      CHAIN=$6
      echo "Set up modSSL db keys"
      /sbin/e-smith/db configuration setprop modSSL key $KEY
      /sbin/e-smith/db configuration setprop modSSL crt $CERT
      /sbin/e-smith/db configuration setprop modSSL CertificateChainFile $CHAIN
      echo "Signal events"
      /sbin/e-smith/signal-event ssl-update
      echo "All complete"
    fi

# The following all have to be set to enable deploy/clean challenges
#
# hookScript: disabled
# host: 10.97.1.1
# user: root
# path: /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge

if [ $1 = "deploy_cert" ] && [ $2 = "domain.com" ]; then
  KEY=$3
  CERT=$4
  CHAIN=$6
  scp $CERT root@hostname:/etc/dehydrated/certs/domain.com/cert.pem
  scp $KEY root@hostname:/etc/dehydrated/certs/domain.com/privkey.pem
  scp $CHAIN root@hostname:/etc/dehydrated/certs/domain.com/chain.pem
  ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL crt /etc/dehydrated/certs/domain.com/cert.pem"
  ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL key /etc/dehydrated/certs/domain.com/privkey.pem"
  ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL CertificateChainFile /etc/dehydrated/certs/domain.com/chain.pem"
  ssh root@nuts.domain.com "/sbin/e-smith/signal-event ssl-update"
  echo "$2 certificate renewed" | mail -s "Certificate renewal" admin@domain.com
  exit 0
fi

les commandes suivantes ont bien fonctionnés :
 ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL crt /etc/dehydrated/certs/domain.com/cert.pem"
  ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL key /etc/dehydrated/certs/domain.com/privkey.pem"
  ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL CertificateChainFile /etc/dehydrated/certs/domain.com/chain.pem"
  ssh root@nuts.domain.com "/sbin/e-smith/signal-event ssl-update"

Dans nuts :
Code: [Select]
# config show modSSL
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/domain.com/chain.pem
    TCPPort=443
    access=public
    crt=/etc/dehydrated/certs/domain.com/cert.pem
    key=/etc/dehydrated/certs/domain.com/privkey.pem
    status=enabled

Par contre, plein d'erreur à cause des commandes suivantes qui n'ont pas fonctionnées

Par contre les commandes suivantes rien du tout :
Code: [Select]
  KEY=$3
  CERT=$4
  CHAIN=$6
  scp $CERT root@hostname:/etc/dehydrated/certs/domain.com/cert.pem
  scp $KEY root@hostname:/etc/dehydrated/certs/domain.com/privkey.pem
  scp $CHAIN root@hostname:/etc/dehydrated/certs/domain.com/chain.pem

Il manque la destination
et les fichiers cert.pem,  privkey.pem et chain.pem sont des liens

Anne
« Last Edit: March 13, 2020, 02:36:12 AM by ecureuil »

Re: certificat de sécurité
« Reply #53 on: March 13, 2020, 04:03:58 AM »
Opération réussie

Sur le serveur privé, il faut créer un répertoire pour récupérer les certificats.

Code: [Select]
mkdir -p /etc/dehydrated/certs/domain.com

sur le serveur qui fait serveur et passerelle :
créer un template custom
Code: [Select]
mkdir -p /etc/e-smith/templates-custom/usr/bin/hook-script.sh/

nano /etc/e-smith/templates-custom/usr/bin/hook-script.sh/21challenges
Code: [Select]
{
    use strict;
    use warnings;
    use esmith::ConfigDB;

    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");

    my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' )     || 'disabled';

    if ( $letsencryptStatus ne 'disabled' ) {

    $OUT .=<<'_EOF';
if [ $1 = "deploy_cert" ] && [ $2 = "domain.com" ]; then
  KEY=$3
  CERT=$4
  CHAIN=$6
  scp $CERT root@domain.com:/etc/dehydrated/certs/domain.com/cert.pem root@nuts.domain.com:/etc/dehydrated/certs/domain.com/
  scp $KEY root@domain.com:/etc/dehydrated/certs/domain.com/privkey.pem root@nuts.domain.com:/etc/dehydrated/certs/domain.com/
  scp $CHAIN root@domain.com:/etc/dehydrated/certs/domain.com/chain.pem root@nuts.domain.com:/etc/dehydrated/certs/domain.com/
  ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL crt /etc/dehydrated/certs/domain.com/cert.pem"
  ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL key /etc/dehydrated/certs/domain.com/privkey.pem"
  ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL CertificateChainFile /etc/dehydrated/certs/domain.com/chain.pem"
  ssh root@nuts.domain.com "/sbin/e-smith/signal-event ssl-update"
  echo "$2 certificate renewed" | mail -s "Certificate renewal" admin@domain.com
  exit 0
fi
_EOF

    }
}

puis faire le expand-template

Code: [Select]
# expand-template /usr/bin/hook-script.sh

# nano /usr/bin/hook-script.sh
Code: [Select]
#!/bin/bash
# deploy_cert hook will set config database entries for the cert files
# and restart appropriate services
#

    if [ $1 = "deploy_cert" ]; then
      KEY=$3
      CERT=$4
      CHAIN=$6
      echo "Set up modSSL db keys"
      /sbin/e-smith/db configuration setprop modSSL key $KEY
      /sbin/e-smith/db configuration setprop modSSL crt $CERT
      /sbin/e-smith/db configuration setprop modSSL CertificateChainFile $CHAIN
      echo "Signal events"
      /sbin/e-smith/signal-event ssl-update
      echo "All complete"
    fi

# The following all have to be set to enable deploy/clean challenges
#
# hookScript: disabled
# host: 10.97.1.1
# user: root
# path: /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge

if [ $1 = "deploy_cert" ] && [ $2 = "domain.com" ]; then
  KEY=$3
  CERT=$4
  CHAIN=$6
  scp $CERT root@domain.com:/etc/dehydrated/certs/domain.com/cert.pem root@nuts.domain.com:/etc/dehydrated/certs/domain.com/
  scp $KEY root@domain.com:/etc/dehydrated/certs/domain.com/privkey.pem root@nuts.domain.com:/etc/dehydrated/certs/domain.com/
  scp $CHAIN root@domain.com:/etc/dehydrated/certs/domain.com/chain.pem root@nuts.domain.com:/etc/dehydrated/certs/domain.com/
  ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL crt /etc/dehydrated/certs/domain.com/cert.pem"
  ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL key /etc/dehydrated/certs/domain.com/privkey.pem"
  ssh root@nuts.domain.com "/sbin/e-smith/db configuration setprop modSSL CertificateChainFile /etc/dehydrated/certs/domain.com/chain.pem"
  ssh root@nuts.domain.com "/sbin/e-smith/signal-event ssl-update"
  echo "$2 certificate renewed" | mail -s "Certificate renewal" admin@domain.com
  exit 0
fi

puis regénérer les configs

Code: [Select]
signal-event console-save

Si j'ai oublié quelque chose, je compléterais.

J'ai des questions au sujet du bash /usr/bin/hook-script.sh :
Quelle est la commande à faire pour prendre en compte les mofifications?
dehydrated -c ?

J'ai eu un petit souci avec

Code: [Select]
# dehydrated -c --force
# INFO: Using main config file /etc/dehydrated/config
Processing domain.com with alternative names: domain.com ftp.domain.com mail.domain.com nuts.domain.com pc-00105.domain.com proxy.domain.com tux.domain.com wpad.domain.com www.domain.com www2.domain.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jun 11 00:20:52 2020 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
  + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 429)

Details:
HTTP/1.1 100 Continue

HTTP/1.1 429 Too Many Requests
Server: nginx
Date: Fri, 13 Mar 2020 01:28:43 GMT
Content-Type: application/problem+json
Content-Length: 421
Connection: keep-alive
Boulder-Requester: 78372275
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002xwxjHl-tBHfWqhq9r4Xqa0F-SBVuNxYk4rVyXB1exh8

{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many certificates already issued for exact set of domains: ftp.domain.com,domain.com,mail.domain.com,nuts.domain.com,pc-00105.domain.com,proxy.domain.com,tux.domain.com,wpad.domain.com,www.domain.com,www2.domain.com: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}

Cela fonctionne quand même.

Anne
« Last Edit: March 13, 2020, 01:22:27 PM by ecureuil »

Offline ReetP

  • *
  • 2,359
Re: certificat de sécurité
« Reply #54 on: March 13, 2020, 09:41:34 AM »
"detail": "Error creating new order :: too many certificates already issued for exact set of domains: ftp.domain.com,domain.com,mail.domain.com,nuts.domain.com,pc-00105.domain.com,proxy.domain.com,tux.domain.com,wpad.domain.com,www.domain.com,www2.domain.com: see https://letsencrypt.org/docs/rate-limits/",
"status": 429


1. Too many requests
2. Why pc-00105 ? Does that really resolve on the internet?

Dehydrated commands

Read the manual:

https://github.com/dehydrated-io/dehydrated/blob/master/README.md

You should be test mode until the certificated work correctly.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: certificat de sécurité
« Reply #55 on: March 13, 2020, 02:22:38 PM »
Merci à ReetP pour toutes les pistes qu'il m'a données.

Même si des choses sont obsolètes, pour trouver des informations en français, je me suis beaucoup basée sur
https://dokuwiki.micronator-dev.org/doku.php
C'est très détaillé avec les commandes complètes (très utile quand on a oublié beaucoup de choses)

Comme je me base encore sur
http://smeserver.fr/index.php

Pour voir pour SSL
https://www.ssllabs.com/ssltest/index.html
Quote
Ce service en ligne gratuit effectue une analyse approfondie de la configuration de tout serveur Web SSL sur Internet public. Veuillez noter que les informations que vous soumettez ici sont utilisées uniquement pour vous fournir le service. Nous n'utilisons pas les noms de domaine ou les résultats des tests, et nous ne le ferons jamais.

Pour les tests de cette nuit, j'ai surtout fait trop d'essais, même en mode test.

Code: [Select]
# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Processing domain.com with alternative names: domain.com ftp.domain.com mail.domain.com nuts.domain.com pc-00105.domain.com proxy.domain.com tux.domain.com wpad.domain.com www.domain.com www2.domain.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jun  8 15:22:05 2020 GMT (Longer than 30 days). Skipping renew!

Donc je ne voyais pas ce qui se passait...

Donc, j'ai fini par faire plusieurs fois :
dehydrated -c --force
Donc renouveller les certificats
A pas bien aimé le nombre de fois que j'ai demandé

Il fallait faire vite... et pas grand monde pour m'aider cette nuit...

L'écran de mon serveur privé se remplissait de message comme quoi il ne trouvait rien dans /etc/dehydrated/certs/domain.com
Tout cela parce que la commande scp n'était pas bonne dans le template-custom.
Je ne connaissais rien en ssh. Je n'avais jamais utilisé...
A force de farfouiller, j'ai fini par trouver le problème et à réparer le script.

tout cela parce que modssl voulait absolument trouver les certificats qui n'avaient pas été transféré.
Code: [Select]
# config show modSSL
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/domain.com/chain.pem
    TCPPort=443
    access=public
    crt=/etc/dehydrated/certs/domain.com/cert.pem
    key=/etc/dehydrated/certs/domain.com/privkey.pem
    status=enabled

J'étais dans une galère la plus complète...Je n'arrivais pas à enlever les 3 lignes du service modssl
- CertificateChainFile=/etc/dehydrated/certs/domain.com/chain.pem
- crt=/etc/dehydrated/certs/domain.com/cert.pem
-  key=/etc/dehydrated/certs/domain.com/privkey.pem

Si quelqu'un peut me dire comment on fait. pour modifier un service..

Trouvé, enfin je pense... mais je ne fais plus d'essai intempestif  :lol:
J'en ai trop fait cette nuit!
Code: [Select]
To restore the original certificates:

config delprop modSSL CertificateChainFile
config delprop modSSL crt
config delprop modSSL key

signal-event console-save


pour tester /usr/bin/hook-script.sh comment faire sans lancer dehydrated?

Anne
« Last Edit: March 14, 2020, 04:06:50 PM by ecureuil »

Offline ReetP

  • *
  • 2,359
Re: certificat de sécurité
« Reply #56 on: March 23, 2020, 06:37:55 PM »
For modSSL use

Code: [Select]
/sbin/e-smith/signal-event ssl-update

Quote
pour tester /usr/bin/hook-script.sh comment faire sans lancer dehydrated?

Copy the basic commands to a bash script and run the bash script....
eg make a file test.sh copy the code to it, make it executable and run it

Code: [Select]
#!/bin/sh

#KEY=$3
#CERT=$4
#CHAIN=$6

KEY=/etc/dehydrated/certs/mydomain.com/key.pem
CERT=/etc/dehydrated/certs/mydomain.com/cert.pem
CHAIN=/etc/dehydrated/certs/mydomain.com/fullchain.pem

scp -P 2224 $CERT root@1.2.3.4://etc/gitlab/trusted-certs/cert.pem
scp -P 2224 $KEY root@1.2.3.4://etc/gitlab/trusted-certs/privkey.pem
scp -P 2224 $CHAIN root@1.2.3.4:/etc/gitlab/trusted-certs/chain.pem
ssh -p 2224 root@1.2.3.4 "/etc/init.d/apache2 restart"
ssh -p 2224 root@1.2.3.4 "/usr/bin/gitlab-ctl reconfigure"
ssh -p 2224 root@1.2.3.4 "/usr/bin/gitlab-ctl restart"

Or it could be something like:

Code: [Select]
ssh -p 2224 root@1.2.3.4 "/sbin/e-smith/db configuration setprop modSSL key $KEY"
ssh -p 2224 root@1.2.3.4  "/sbin/e-smith/signal-event ssl-update"

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation