Author Topic: How to LetsEncrypt for fun and profit  (Read 1202 times)

efarayenkay

How to LetsEncrypt for fun and profit
« on: September 14, 2018, 08:09:41 am »
UPDATE 2018-11-12 - remove requirement to restart Apache - doesn't work in that form and isn't needed anyway

Hi there

Not sure if there's a post about this already, but I've come up with a method to automate the creation and installation of Let's Encrypt certificates which I would like to share with you.

Step 1: Install the letsencrypt package, and its prerequisites:

Code:
admin@zentyla:~$ sudo apt-get install letsencrypt

Step 2: Find where the certificates currently live:

Code:
admin@zentyla:~$ grep "^\s*SSLCertificate" /etc/apache2/sites-enabled/default-ssl.conf

Step 3: Assuming the default location, create the script:

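Code:
admin@zentyla:~$ cat > update_certs.sh <<'EOF'
#!/bin/sh
# The heredoc delimiter above is quoted so the $VARIABLES below are written
# to the file literally instead of being expanded by the interactive shell.

# Certificate and key as issued by Let's Encrypt, and the paths Apache reads
LIVECERT=/etc/letsencrypt/live/first.domain.com/fullchain.pem
SSLCERT=/etc/ssl/certs/ssl-cert-snakeoil.pem
LIVEKEY=/etc/letsencrypt/live/first.domain.com/privkey.pem
SSLKEY=/etc/ssl/private/ssl-cert-snakeoil.key

# --keep: leave the existing certificate alone unless it is due for renewal
letsencrypt certonly --webroot -w /var/www/html/ -d first.domain.com -d second.domain.com -d third.domain.com --keep
# Copy the pair into place only when the Let's Encrypt certificate is newer
if [ "$LIVECERT" -nt "$SSLCERT" ]
then
        cp "$LIVECERT" "$SSLCERT"
        cp "$LIVEKEY" "$SSLKEY"
        # This is both unnecessary and doesn't work anyway
        #service apache2 restart
fi

EOF
admin@zentyla:~$ chmod +x update_certs.sh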

Step 4: Open root's crontab - if this is your first time it will ask you for a choice of editor.  Nano is the simplest.

Code:
admin@zentyla:~$ sudo crontab -e

Step 5: Add the following line to the open editor - replace admin with your admin username - this will set it to run on the 12th of each month at midnight (change the 12 to any number between 1 and 28 to change the day it runs - don't choose 29 to 31 since they don't always occur):

Code:
0 0 12 * * /home/admin/update_certs.sh

Step 6: Ensure port 80 on your Zentyal server can be reached from the outside (I'll leave that as an exercise for the reader) and run the script manually:

Code:
admin@zentyla:~$ sudo ./update_certs.sh

And, so long as you got a successful outcome of the letsencrypt program, you should be set.
« Last Edit: November 12, 2018, 12:08:37 am by efarayenkay »
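
An added example, not part of the original post or of Zentyal: the copy step of update_certs.sh written as a function that stages both files with explicit modes and renames them into place, so Apache never reads a half-written file and the private key is never created world-readable. The function names and return codes are assumptions of this example; the four arguments correspond to the script's LIVECERT, SSLCERT, LIVEKEY and SSLKEY.

```shell
#!/bin/sh
# Added example (hypothetical helper names): install a renewed certificate
# and key as a pair, only when the Let's Encrypt copy is newer.

# stage_file SRC DST MODE
# Copies SRC to a temporary file beside DST, sets MODE, prints the temp path.
stage_file() {
    tmp="$2.new.$$"
    # umask 077 keeps the staged copy private from the moment it is created
    ( umask 077 && cp "$1" "$tmp" ) && chmod "$3" "$tmp" \
        || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$tmp"
}

# deploy_pair LIVECERT SSLCERT LIVEKEY SSLKEY
# Returns 0 if the pair was installed, 1 if the installed certificate is
# already current, 2 on error (missing source file or a failed copy/rename).
deploy_pair() {
    livecert=$1 sslcert=$2 livekey=$3 sslkey=$4
    # Refuse to install from a missing or empty source file
    [ -s "$livecert" ] && [ -s "$livekey" ] || return 2
    # Same test as the original script: act only when the live cert is newer
    if [ -e "$sslcert" ] && ! [ "$livecert" -nt "$sslcert" ]; then
        return 1
    fi
    newcert=$(stage_file "$livecert" "$sslcert" 644) || return 2
    newkey=$(stage_file "$livekey" "$sslkey" 600) \
        || { rm -f "$newcert"; return 2; }
    # Each rename within one directory is atomic. The key goes first: if the
    # certificate rename fails, the old certificate keeps its old timestamp
    # and the next run retries.
    mv -f "$newkey" "$sslkey" && mv -f "$newcert" "$sslcert" \
        || { rm -f "$newkey" "$newcert"; return 2; }
    return 0
}

# Usage inside update_certs.sh, after the letsencrypt command:
#   deploy_pair "$LIVECERT" "$SSLCERT" "$LIVEKEY" "$SSLKEY"
```

A return code of 2 from cron's run is worth alerting on, since it means the renewed certificate exists but was not installed.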

Neustradamus

Re: How to LetsEncrypt for fun and profit
« Reply #1 on: November 07, 2018, 11:10:07 pm »
I have created a ticket for Let's Encrypt support:
-> https://github.com/zentyal/zentyal/issues/1836

efarayenkay

Re: How to LetsEncrypt for fun and profit
« Reply #2 on: November 12, 2018, 12:10:54 am »
Quote from: Neustradamus
I have created a ticket for Let's Encrypt support:
-> https://github.com/zentyal/zentyal/issues/1836

If I could work out how to do that, I would write a module for this.  Annoyingly, the development documentation is extremely fragmented and out of date.


demol

Re: How to LetsEncrypt for fun and profit
« Reply #4 on: February 14, 2019, 08:48:03 pm »
Hello all,

I understand the changes that have to be made when it is a single domain, but when I have several domains it does not work for me. Can you please explain it to me?

Thank you!

Best regards,
Demol

davidjm

Re: How to LetsEncrypt for fun and profit
« Reply #5 on: May 17, 2019, 04:18:21 pm »
Ran straight into an issue with this, as in my install (4.2.12), when I run sudo apt-get install letsencrypt I get E: Unable to locate package letsencrypt

I have tried enabling universe: sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) universe" or sudo add-apt-repository universe, and both return sudo: add-apt-repository: command not found

My install reports being completely up to date.

Assuming I can get past this, I tried opening /etc/apache2/sites-enabled/default-ssl.conf; I do have a default.conf but nothing about SSL

I do however have an SSL directory in etc /etc/ssl$ ls
certs  openssl.cnf  private

Surely there must be a decent resource on getting letsencrypt working with Zentyal?

Thanks, David

royceb

Re: How to LetsEncrypt for fun and profit
« Reply #6 on: May 18, 2019, 06:47:49 pm »
There is - stop using it.  Zen is a joke when it comes to actually updating/responding to these things.  If you don't have an active support agreement SOL is pretty much where you are at.  Nethserver has this feature built in with a 1 click setup.

davidjm

Re: How to LetsEncrypt for fun and profit
« Reply #7 on: May 24, 2019, 09:20:02 am »
Thanks Royceb, is there an easy migration path?