Author Topic: How to LetsEncrypt for fun and profit  (Read 3164 times)

efarayenkay

  • Zen Apprentice
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
How to LetsEncrypt for fun and profit
« on: September 14, 2018, 08:09:41 am »
UPDATE 2018-11-12 - remove requirement to restart Apache - doesn't work in that form and isn't needed anyway

Hi there

Not sure if there's a post about this already, but I've come up with a method to automate the creation and installation of Let's Encrypt certificates which I would like to share with you.

Step 1: Install the letsencrypt package, and its prerequisities:

Code: [Select]
admin@zentyla:~$ sudo apt-get install letsencrypt
Step 2: Find where the certificates currently live:

Code: [Select]
admin@zentyla:~$ grep "^\s*SSLCertificate" /etc/apache2/sites-enabled/default-ssl.conf
Step 3: Assuming the default location, create the script:

Code: [Select]
admin@zentyla:~$ cat > update_certs.sh <<EOF
#!/bin/sh

LIVECERT=/etc/letsencrypt/live/first.domain.com/fullchain.pem
SSLCERT=/etc/ssl/certs/ssl-cert-snakeoil.pem
LIVEKEY=/etc/letsencrypt/live/first.domain.com/privkey.pem
SSLKEY=/etc/ssl/private/ssl-cert-snakeoil.key

letsencrypt certonly --webroot -w /var/www/html/ -d first.domain.com -d second.domain.com -d third.domain.com  --keep
if [ $LIVECERT -nt $SSLCERT ]
then
        cp $LIVECERT $SSLCERT
        cp $LIVEKEY $SSLKEY
        # This is both unnecessary and doesn't work anyway
        #service apache2 restart
fi

EOF
admin@zentyla:~$ chmod +x update_certs.sh

Step 3: Open root's crontab - if this is your first time it will ask you for a choice of editor.  Nano is the simplest.

Code: [Select]
admin@zentyla:~$ sudo crontab -e
Step 4: Add the following line to the open editor - replace admin with your admin username - this will set it to run on the 12th of each month at midnight (change the 12 to any number between 1 and 28 to change the day it runs - don't choose 29 to 31 since they don't always occur):

Code: [Select]
0 0 12 * * /home/admin/update_certs.sh
Step 5: Ensure port 80 on your Zentyal server can be reached from the outside (I'll leave that as an exercise for the reader) and run the script manually:

Code: [Select]
admin@zentyla:~$ sudo ./update_certs.sh
And, so long as you got a successful outcome of the letsencrypt program, you should be set.
« Last Edit: November 12, 2018, 12:08:37 am by efarayenkay »

Neustradamus

  • Zen Monk
  • **
  • Posts: 63
  • Karma: +0/-3
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #1 on: November 07, 2018, 11:10:07 pm »
I have created a ticket for Let's Encrypt support:
-> https://github.com/zentyal/zentyal/issues/1836

efarayenkay

  • Zen Apprentice
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #2 on: November 12, 2018, 12:10:54 am »
I have created a ticket for Let's Encrypt support:
-> https://github.com/zentyal/zentyal/issues/1836

If I could work out how to do that, I would write a module for this.  Annoyingly, the development documentation is extremely fragmented and out of date.


demol

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #4 on: February 14, 2019, 08:48:03 pm »
Hello all,

I understand the changes that have to be made when it is a single domain, but when I have several domains it does not work for me. Can you please explain me?

Thank you!

Best regards,
Demol

davidjm

  • Zen Apprentice
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #5 on: May 17, 2019, 04:18:21 pm »
Ran straight into an issue with this as in my install (4.2.12), when i run sudo apt-get install letsencrypt i get E: Unable to locate package letsencrypt

I have tried enabling universe sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) universe" or sudo add-apt-repository universe and both return sudo: add-apt-repository: command not found

My install reports being completely up to date.

Assuming i can get past this i tried opening /etc/apache2/sites-enabled/default-ssl.conf i do have a default.conf but nothing about SSL

I do however have an SSL directory in etc /etc/ssl$ ls
certs  openssl.cnf  private

Surely there must be a decent resource on getting letsencrypt working with Zentyal?

Thanks, David

royceb

  • Zen Monk
  • **
  • Posts: 71
  • Karma: +5/-0
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #6 on: May 18, 2019, 06:47:49 pm »
There is - stop using it.  Zen is a joke when it comes to actually updating/responding to these things.  If you don't have an active support agreement SOL is pretty much where you are at.  Nethserver has this feature built in with a 1 click setup.

davidjm

  • Zen Apprentice
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #7 on: May 24, 2019, 09:20:02 am »
Thanks Royceb, is there an easy migration path?

davidb

  • Zen Apprentice
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #8 on: October 07, 2019, 05:09:41 pm »
So I used the instructions provided and my webadmin instance is still using the CA provided cert not the LE cert.

What or where is the conf file that specifies the ssl information for the webadmin inteface?

doncamilo

  • Zen Samurai
  • ****
  • Posts: 257
  • Karma: +63/-0
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #9 on: October 08, 2019, 02:30:04 pm »
 
So I used the instructions provided and my webadmin instance is still using the CA provided cert not the LE cert.

What or where is the conf file that specifies the ssl information for the webadmin inteface?

:)

First, do you own a domain? Your Zentyal server is connected to the Internet through a router/firewall?

 This could be useful: https://blog.heckel.io/2018/08/05/issuing-lets-encrypt-certificates-for-65000-internal-servers/

Cheers!

davidb

  • Zen Apprentice
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #10 on: October 10, 2019, 04:37:33 pm »
Hi,
Yes, I own my domain and it's resolving sucesfully. Letsencrypt is working as the co-hosted cms and rocketchat is able to negotiate and update it's ssl cert.

It's when I try to use the webadmin interface to test the email server that the ssl incorrect ssl cert is being used.


doncamilo

  • Zen Samurai
  • ****
  • Posts: 257
  • Karma: +63/-0
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #11 on: October 10, 2019, 05:17:21 pm »
 :)

Zentyal webadmin uses nginx instead of apache2. Did you configure it in order to use Let's Encrypt?

Cheers!

davidb

  • Zen Apprentice
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #12 on: October 11, 2019, 02:24:58 pm »
I followed the instructions from the OP.

Are there additional steps required?

doncamilo

  • Zen Samurai
  • ****
  • Posts: 257
  • Karma: +63/-0
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #13 on: October 14, 2019, 10:34:46 am »
The OP explains how he did install Let's Encrypt in apache2. Nginx requires a similar process . I would like to do  a tutorial about this topic. It could b
e pasted here this week if I have the time.

Cheers!



davidb

  • Zen Apprentice
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #14 on: October 14, 2019, 11:11:24 pm »
The OP explains how he did install Let's Encrypt in apache2. Nginx requires a similar process . I would like to do  a tutorial about this topic. It could b
e pasted here this week if I have the time.

Cheers!

I think we're talking past each other here; I followed the instructions posted above but my mail server and webadmin server are still pointing to the local CA cert not the LE cert.

As I understood the OP and instructions, the steps I took should have copied over the LE certs and replaced the snake-oil certs.

In my posting I actually specifically asked for "where is the conf file that specifies the ssl information for the webadmin inteface?" As I'm not seeing where those configurations are made.