Koozali.org: home of the SME Server

Renewing letsencrypt certificate

JRBATM20192021
Renewing letsencrypt certificate
« on: October 12, 2021, 09:11:03 AM »
Hi,

I need to renew my Let's Encrypt certificate but I can't figure out what I need to do for that... I tried reinstalling it but that didn't work. What code do I need to use to update my Let's Encrypt certificate?

sages
Re: Renewing letsencrypt certificate
« Reply #1 on: October 12, 2021, 10:27:43 AM »
...

ReetP
Re: Renewing letsencrypt certificate
« Reply #2 on: October 12, 2021, 10:33:11 AM »
RTFW

Damn I nearly spat my coffee out :lol:
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

ReetP
Re: Renewing letsencrypt certificate
« Reply #3 on: October 12, 2021, 10:38:42 AM »
Hi,

I need to renew my Let's Encrypt certificate but I can't figure out what I need to do for that... I tried reinstalling it but that didn't work. What code do I need to use to update my Let's Encrypt certificate?

Also, for SME technical questions use the correct forums -

Koozali SME Server v10
https://forums.contribs.org/index.php/board,34.0.html

Koozali SME Server v10 Contribs
https://forums.contribs.org/index.php/board,36.0.html

If you are still on v9 then don't bother asking....... upgrade.

JRBATM20192021
Re: Renewing letsencrypt certificate
« Reply #4 on: October 12, 2021, 11:19:13 AM »
I RTFW. I wouldn't have asked if what I tried worked.

It didn't go. I tried updating first; I get this error:

]# yum update smeserver-letsencrypt dehydrated --enablerepo=smecontribs
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.hoobly.com
 * smeaddons: ftp.nluug.nl
 * smecontribs: ftp.nluug.nl
 * smeextras: ftp.nluug.nl
 * smeos: ftp.nluug.nl
 * smeupdates: ftp.nluug.nl
 * updates: mirrors.xtom.com
4455 packages excluded due to repository priority protections
No packages marked for update

Then I tried installing a new one, which didn't work either.

I will use the correct forum in the future

FYI I am using SME 10

Thanks.

sages
Re: Renewing letsencrypt certificate
« Reply #5 on: October 12, 2021, 11:59:36 AM »
So far you've asked how to update your letsencrypt certificate and stated that you don't know how. Then you stated that you tried to reinstall something, followed by a request for code.
Your later reply suggests that you have tried to update the letsencrypt contrib. Lastly you tried to 'install a new one'.
I'm guessing you are a little confused and frustrated.
Funnily enough, so are the people who may be able to help you.

What exactly have you done?
What logs have you looked at?
What messages have you seen when you tried whatever you have done?
If you are trying to update your letsencrypt certificate, why have you tried to reinstall the contrib? Has your problem changed from your original post? What is the actual problem you are trying to resolve?


We need some clues. Trying to second guess what you are doing and playing forty questions gets rather tiring very quickly.
I don't know what your profession is, and it doesn't matter, but try sticking ear muffs, blindfold and handcuff your hands behind you. Now imagine someone is requesting your professional assistance.
I've got a suspicion that you may feel rather confused and frustrated. QED


...

Jean-Philippe Pialasse
Re: Renewing letsencrypt certificate
« Reply #6 on: October 12, 2021, 01:06:55 PM »
moved topic to contribs 10

JRBATM20192021
Re: Renewing letsencrypt certificate
« Reply #7 on: October 14, 2021, 06:23:55 AM »
Okay, I have tried to update my Let's Encrypt certificate via a terminal window. This is the code I tried to use:

Updating
Few reported issue when upgrading the contribs see Bugzilla:10286 and Bugzilla:10097
A full update can be done as follow :
yum update smeserver-letsencrypt dehydrated --enablerepo=smecontribs
It is important to do the usual
signal-event post-upgrade;  signal-event reboot
otherwise
signal-event console-save
failure to do this might leave the contribution not working and your certificates not renewed.

After doing that I was left with this screenshot (attached) of an error of nothing marked to update and all packages are under protection......

And then I used all of the code in the wiki which I used to install Let's Encrypt back in July to "install a new one", but it didn't work either....

The logs say nothing except that I have been getting emails from Let's Encrypt saying my certificate is going to expire and I need to renew it.

No, the problem has not changed. I tried installing a new one because updating it didn't work.

Since the certificate is now expired, is there a way to "delete it" and just install a fresh new one?

Also, is 3 months standard? Or can I do a year?

Okay I think I explained everything if I need to explain more just say.....

Thank you


sages
Re: Renewing letsencrypt certificate
« Reply #8 on: October 14, 2021, 07:14:25 AM »
Quick glance.

Tip: if you use putty you can copy and paste using the mouse. Left click and drag the cursor over the text to copy. The highlighted text is copied into the clipboard. Right click to paste back into putty or ctrl-v into windows. Easier than a screen shot.

It also appears that smeserver-letsencrypt is already installed and at the latest version, hence nothing to update.
That aside I think you are confusing updating the contrib with updating the actual certificate.

Now on my machine letsencrypt is configured as follows:
config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=xxxxxx@xxxx.xx.xx
    hookScript=disabled
    status=enabled
and
cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=xxxxx@xxxx.xx.xx
API="2"

PARAM_ACCEPT_TERMS="yes"

and
yum list installed | grep letsencrypt
smeserver-letsencrypt.noarch            0.5-17                    @smecontribs
yum list installed | grep dehydrated
dehydrated.noarch                       0.6.5-1.el7               @smeos

cat /home/e-smith/db/domains | grep letsencrypt
xxxxx.xxx.xx=domain|Content|xxxxx|Description|xxxx|Nameservers|internet|letsencryptSSLcert|enabled
xxxxx.xxx.xx=domain|Content|xxxxx|Description|xxxx|Nameservers|localhost|Removable|no|SystemPrimaryDomain|yes|letsencryptSSLcert|enabled
xxxxx.xxx.xx=domain|Content|xxxxx|Description|xxxx|Nameservers|internet|letsencryptSSLcert|enabled


So run the five highlighted commands above and show the response.

PS: I believe the certificate validity duration is fixed. Changing it wouldn't resolve your underlying issue.



...

sages
Re: Renewing letsencrypt certificate
« Reply #9 on: October 14, 2021, 07:18:47 AM »
And also
ls -a /home/e-smith/files/ibays/Primary/html | grep well-known
« Last Edit: October 14, 2021, 07:22:29 AM by sages »
...

JRBATM20192021
Re: Renewing letsencrypt certificate
« Reply #10 on: October 14, 2021, 07:30:29 AM »
Here's what it said:

config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=1
    configure=none
    email=admin@domain1.com
    hookScript=disabled
    keysize=NUMBER
    signal-event=console-save
    status=test
and

 cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-staging.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
KEYSIZE="4096"
CONTACT_EMAIL=admin@domain1.com
API="1"

PARAM_ACCEPT_TERMS="yes"

and

 yum list installed | grep letsencrypt
smeserver-letsencrypt.noarch             0.5-17                   @smecontribs

and

yum list installed | grep dehydrated
dehydrated.noarch                        0.6.5-1.el7              @smeos

and

cat /home/e-smith/db/domains | grep letsencrypt
xxxx.com=domain|Content|Primary|Description|Primary domain|Nameservers|localhost|Removable|no|SystemPrimaryDomain|yes|letsencryptSSLcert|enabled

and

ls /home/e-smith/files/ibays/Primary/html/.well-known
ls: cannot access /home/e-smith/files/ibays/Primary/html/.well-known: No such file or directory

The one above is the only one that showed up wrong, which I don't like because that means my problem is more complex than I want it to be..........

Also yes, it's installed... I did that in July, it has worked great and I have enjoyed it..... But it just ran out now, which I don't like now....

Is there different code for updating??? I must be missing something.........





sages
Re: Renewing letsencrypt certificate
« Reply #11 on: October 14, 2021, 07:56:43 AM »
Two things leap out
1/
https://wiki.koozali.org/Letsencrypt#Introduction
Big red box. Your configuration is for API=1, which is not supported.
The wiki has instructions for resolving this.
2/ your system does not have the folder "/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"

Without reading all of your previous posts, I suspect that somewhere in the past whilst 'fixing things' you have inadvertently removed this folder. It's kind of fundamental to how the renewal process works.

As there are a lot of other working installations out there, I am leaning towards this missing folder being a created issue rather than a bug with the contrib.

Please run
cat /etc/httpd/conf/httpd.conf | grep well-known
 
So I can see if the folder is the only thing missing.
Then I'll try and give you some things to try and see if that resolves your issues.
...

JRBATM20192021
Re: Renewing letsencrypt certificate
« Reply #12 on: October 14, 2021, 08:24:47 AM »
Okay here you go

 cat /etc/httpd/conf/httpd.conf | grep well-known
    Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/
    Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/

Yes I probably screwed something up.... Since the certificate is expired I need to get it up again.

Any help is appreciated thanks....

sages
Re: Renewing letsencrypt certificate
« Reply #13 on: October 14, 2021, 08:43:24 AM »
ok try this:

mkdir -p /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
then
chown apache:shared /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
chmod 0775 /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge

then
follow the wiki
I'd suggest that you keep a record of what you type and the response. STOP at any error messages and reply back here with the commands and error messages. DO NOT CONTINUE IF AN ERROR IS REPORTED.

https://wiki.koozali.org/Letsencrypt#V2_API  scroll down to -> "For creating a new certificate or updating a V2 set to 2"
DO NOT ENABLE V1 API ONLY V2 API

Then follow the enable test mode and the test should now work. If not, stop and report back.
If the test works ok, then follow the wiki to enable production mode.

...
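
The two faults diagnosed in Reply #11 (API set to 1, missing acme-challenge folder) can be checked in one pass before a renewal run. This is an added example, not part of the thread or of the smeserver-letsencrypt contrib; the function names `cfg_get` and `preflight` are hypothetical, and the sample config is constructed to mirror the output posted in Reply #10.

```bash
# Pre-flight check of a dehydrated config before a renewal run (added example).
# Reads the file as text (never sources it) and reports the faults seen in this thread.

# cfg_get FILE KEY -> value of KEY=... with surrounding double quotes stripped
cfg_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# preflight FILE -> prints one line per finding, returns the number of problems
preflight() {
    local cfg="$1" problems=0 api ca wk
    api=$(cfg_get "$cfg" API)
    ca=$(cfg_get "$cfg" CA)
    wk=$(cfg_get "$cfg" WELLKNOWN)
    if [ "$api" != "2" ]; then
        echo "FAIL API=\"$api\": only the V2 API is supported"; problems=$((problems + 1))
    fi
    case $ca in
        *v02*) ;;
        *) echo "FAIL CA=$ca is not an ACME v2 (v02) directory"; problems=$((problems + 1)) ;;
    esac
    case $ca in
        *staging*) echo "NOTE CA is a staging endpoint: test mode, not a production certificate" ;;
    esac
    if [ -z "$wk" ] || [ ! -d "$wk" ]; then
        echo "FAIL WELLKNOWN directory missing: $wk"; problems=$((problems + 1))
    elif [ ! -w "$wk" ]; then
        echo "FAIL WELLKNOWN not writable by $(id -un): $wk"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample mirroring the broken state from Reply #10 (temporary paths).
demo=$(mktemp -d)
printf 'CA="%s"\nWELLKNOWN="%s"\nAPI="1"\n' "https://acme-staging.api.letsencrypt.org/directory" "$demo/html/.well-known/acme-challenge" > "$demo/config"
preflight "$demo/config" || echo "-> $? problem(s) found"

# After the repair: folder created, V2 settings in place (the constructed file is simply rewritten here).
mkdir -p "$demo/html/.well-known/acme-challenge"
printf 'CA="%s"\nWELLKNOWN="%s"\nAPI="2"\n' "https://acme-v02.api.letsencrypt.org/directory" "$demo/html/.well-known/acme-challenge" > "$demo/config"
preflight "$demo/config" && echo "-> config and challenge directory look ready"
```

On the server itself, `preflight /etc/dehydrated/config` runs the same checks against the live file.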

JRBATM20192021
Re: Renewing letsencrypt certificate
« Reply #14 on: October 14, 2021, 09:10:04 AM »
Alright, I started trying to install it again. That's what you meant by follow the wiki, right??

I started with these commands

# config show modSSL

By default it would show:

modSSL=service
   TCPPort=443
   access=public
   status=enabled

If this shows any values for crt, key, or CertificateChainFile, make a note of them. If you encounter an issue with the certificate files generated by Letsencrypt, you'll then be able to revert your changes. To make a 'backup' of your existing key and properties you can issue:

config show modSSL > "/root/db_configuration_modSSL_backup_$(date +%Y%m%d_%H%M%S)"

Then I ran this one

John Crisp has prepared a contrib that installs the dehydrated script, creates the appropriate configuration files, and integrates with the SME templates system. This is the simplest way to install dehydrated on your SME Server.
Installation

yum install smeserver-letsencrypt --enablerepo=smecontribs

and got this

[root@www ~]# yum install smeserver-letsencrypt --enablerepo=smecontribs
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
 * base: mirror.fileplanet.com
 * smeaddons: ftp.nluug.nl
 * smecontribs: ftp.nluug.nl
 * smeextras: ftp.nluug.nl
 * smeos: ftp.nluug.nl
 * smeupdates: ftp.nluug.nl
 * updates: centos-distro.1gservers.com
4455 packages excluded due to repository priority protections
Package smeserver-letsencrypt-0.5-17.noarch already installed and latest version
Nothing to do

In case reinstalling was not what you meant, I tried the update code

yum update smeserver-letsencrypt dehydrated --enablerepo=smecontribs

and I got this

[root@www ~]# yum update smeserver-letsencrypt dehydrated --enablerepo=smecontribs
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
 * base: mirror.fileplanet.com
 * smeaddons: ftp.nluug.nl
 * smecontribs: ftp.nluug.nl
 * smeextras: ftp.nluug.nl
 * smeos: ftp.nluug.nl
 * smeupdates: ftp.nluug.nl
 * updates: mirror.chpc.utah.edu
4455 packages excluded due to repository priority protections
No packages marked for update
[root@www ~]#

Not sure what I'm doing wrong.