Changes

From SME Server
367 bytes added ,  20:43, 17 August 2022
update configuration
Line 96: Line 96:  
There are several configuration database entries that need to be made in order to set up this contrib.  Most of them tell the scripts which hostnames need to be part of your certificate.
 
There are several configuration database entries that need to be made in order to set up this contrib.  Most of them tell the scripts which hostnames need to be part of your certificate.
   −
====Hosts and domains for the certificate====
+
=== Rush jobs ===
 +
for the test ('''adjust the domains and hosts'''):
 +
 
 +
config setprop letsencrypt ACCEPT_TERMS yes status test
 +
#foreach of your domains you want SSL do the following
 +
db domains setprop '''domain1.com''' letsencryptSSLcert enabled
 +
#foreach of your hosts (subdomains) you want SSL do the following
 +
db hosts setprop '''www.domain1.com''' letsencryptSSLcert enabled
 +
signal-event smeserver-letsencrypt-update
 +
dehydrated -c
 +
 
 +
config setprop letsencrypt ACCEPT_TERMS yes status test API 2
 +
#foreach of your domains you want SSL do the following
 +
db domains setprop '''domain1.com''' letsencryptSSLcert enabled
 +
#foreach of your hosts (subdomains) you want SSL do the following
 +
db hosts setprop '''www.domain1.com''' letsencryptSSLcert enabled
 +
signal-event console-save
 +
dehydrated -c
 +
 
 +
Check that the certificates are available ( your browser will still issue an error, but you can explore the content of the certificate to see that the Let's Encrypt test CA was used to sign your SSL certificate and that all your domains and hosts are in the "Certificate Subject Alt Name" property.
 +
 
 +
for the production ('''adjust your email'''):
 +
 
 +
config setprop letsencrypt status enabled email '''admin@domain1.com'''
 +
signal-event smeserver-letsencrypt-update
 +
dehydrated -c -x
 +
 
 +
config setprop letsencrypt status enabled email '''admin@domain1.com'''
 +
signal-event console-save
 +
dehydrated -c -x
 +
 
 +
===Step by step configuration=======Hosts and domains for the certificate====
 
This contrib will obtain a single certificate from Let's Encrypt.  The certificate will include all the domains and hostnames that:
 
This contrib will obtain a single certificate from Let's Encrypt.  The certificate will include all the domains and hostnames that:
 
* Are configured on your SME Server (e.g., through the Server Manager), and
 
* Are configured on your SME Server (e.g., through the Server Manager), and
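Review bot: the last added line of this hunk runs two headings together on one line, "===Step by step configuration=======Hosts and domains for the certificate====", which MediaWiki will not render as two headings; split it into "===Step by step configuration===" and "====Hosts and domains for the certificate====" on separate lines. The new Rush jobs block also gives two near-identical command sequences (one ending in "signal-event smeserver-letsencrypt-update", the other setting "API 2" and using "signal-event console-save") without saying which one a reader should run; a one-line note on when each applies would remove the ambiguity. Minor: the "Check that the certificates are available (" sentence never closes its parenthesis.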
Line 104: Line 135:     
* domain1.com
 
* domain1.com
: www.domain1.com
+
** www.domain1.com
: mail.domain1.com
+
** mail.domain1.com
: ftp.domain1.com
+
** ftp.domain1.com
 +
 
 
* domain2.com
 
* domain2.com
: www.domain2.com
+
** www.domain2.com
: mail.domain2.com
+
** mail.domain2.com
 
   
For each DOMAIN that you want to be included in the certificate, run this command:
 
For each DOMAIN that you want to be included in the certificate, run this command:
 
  db domains setprop $DOMAIN letsencryptSSLcert enabled
 
  db domains setprop $DOMAIN letsencryptSSLcert enabled
Line 138: Line 169:  
With the system configuration described above, setting this to "domains" will obtain a certificate covering domain1.com and domain2.com, but not www.domain1.com, etc.  Setting it to "hosts" will obtain a certificate covering www.domain1.com, mail.domain1.com, ftp.domain1.com, etc., but not domain1.com or domain2.com.  Setting this property to "all" will include all domain names and hostnames in the certificate. '''see [[Letsencrypt#Some_challenges_complete_successfully_but_some_hostnames_fail|NOTE]] before setting this to "all"'''
 
With the system configuration described above, setting this to "domains" will obtain a certificate covering domain1.com and domain2.com, but not www.domain1.com, etc.  Setting it to "hosts" will obtain a certificate covering www.domain1.com, mail.domain1.com, ftp.domain1.com, etc., but not domain1.com or domain2.com.  Setting this property to "all" will include all domain names and hostnames in the certificate. '''see [[Letsencrypt#Some_challenges_complete_successfully_but_some_hostnames_fail|NOTE]] before setting this to "all"'''
   −
====Other configuration properties====
+
==== Enable test mode ====
No other settings are mandatory.  However, it's recommended to configure an email address.  If there should be a problem with renewing your certificate, and it comes close to expiring, the Let's Encrypt servers will notify you of this.  Do so with this command:
+
After installing and configuring all the domains and hosts, the next step is to use test mode, which is enabled by default.  This will obtain certificates from the staging server.  The rate limits discussed in the introduction won't apply, so any errors or other issues won't prevent you from obtaining your production certificate.  Enable test mode using this command:
config setprop letsencrypt email admin@domain1.com
  −
 
  −
The email domain specified here doesn't need to match any of the domains you're obtaining a cert for.
  −
 
  −
You can also set the length of your certificate's private key, if you don't want the default of 4096 bits.  This should not be necessary in most cases, but if desired, use this command to do so:
  −
config setprop letsencrypt keysize NUMBER
  −
 
  −
===Accept Let's Encrypt terms ===
  −
Please first read the condition terms for using Let's Encrypt [[https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]]
  −
config setprop letsencrypt ACCEPT_TERMS yes
  −
 
  −
{{Note box|Creation of a new certificate requires the API being set to V2, see warning box above}}
  −
 
  −
===V2 API===
  −
With the latest version of letsencrypt/dehydrated the V2 API is needed to create new certificates, V1 is depreciated for creation of new certificates however is still valid for existing certificates created with it.
  −
 
  −
The key is called API. It will default to '1' if left unset. Options are '1', '2', 'auto'
  −
 
  −
For updating current V1 certificates leave as default or set to 1, auto
  −
 
  −
# config show letsencrypt
  −
letsencrypt=service
  −
    ACCEPT_TERMS=yes
  −
    configure=none
  −
    email=####@#####.###
  −
    hookScript=disabled
  −
    status=enabled
  −
 
  −
# config setprop letsencrypt API 1
  −
# signal-event console-save
  −
 
  −
# config show letsencrypt
  −
letsencrypt=service
  −
    ACCEPT_TERMS=yes
  −
    API=1
  −
    configure=none
  −
    email=####@#####.###
  −
    hookScript=disabled
  −
    status=enabled
  −
 
  −
For creating a new certificate or updating a V2 set to 2
  −
 
  −
# config setprop letsencrypt API 2
  −
# signal-event console-save
  −
 
  −
# config show letsencrypt
  −
letsencrypt=service
  −
    ACCEPT_TERMS=yes
  −
    API=2
  −
    configure=none
  −
    email=####@#####.###
  −
    hookScript=disabled
  −
    status=enabled
  −
 
  −
===Enable Test Mode===
  −
The next step is to enable test mode.  This will obtain certificates from the staging server.  The rate limits discussed in the introduction won't apply, so any errors or other issues won't prevent you from obtaining your production certificate.  Enable test mode using this command:
   
  config setprop letsencrypt status test
 
  config setprop letsencrypt status test
 
  signal-event console-save
 
  signal-event console-save
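Review bot: removing the "Accept Let's Encrypt terms" and "Other configuration properties" text from the step-by-step flow drops the mandatory "config setprop letsencrypt ACCEPT_TERMS yes" step and the email recommendation; the Rush jobs block and the new table still mention ACCEPT_TERMS, but a reader following the step-by-step section alone will now end up with a contrib that, per the table's own description, "will not work". Keep at least the ACCEPT_TERMS and email commands in this section. The new paragraph is also self-contradictory: it says test mode "is enabled by default" and then says "Enable test mode using this command:" followed by "config setprop letsencrypt status test"; state which is true, or reword to "make sure status is still test".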
Line 208: Line 183:  
If this runs without errors, try to connect to your server-manager page.  You should see an error that the security certificate wasn't issued by a trusted certification authority; this is perfectly normal.  However, there should be a certificate, it should include all the hostnames you wanted included, and it should be valid for the next ninety days.  If this was successful, proceed to production.
 
If this runs without errors, try to connect to your server-manager page.  You should see an error that the security certificate wasn't issued by a trusted certification authority; this is perfectly normal.  However, there should be a certificate, it should include all the hostnames you wanted included, and it should be valid for the next ninety days.  If this was successful, proceed to production.
   −
===Enable Production Mode===
+
====Enable Production Mode====
 
Once you've successfully tested your installation, set it to production mode using these commands:
 
Once you've successfully tested your installation, set it to production mode using these commands:
   Line 223: Line 198:  
Once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
 
Once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
   −
===Archive old certificates===
+
====Archive old certificates====
    
A new function lets you cleanup old and archive old certificates.
 
A new function lets you cleanup old and archive old certificates.
Line 229: Line 204:  
  dehydrated --cleanup (-gc)
 
  dehydrated --cleanup (-gc)
   −
===Rush jobs===
+
===Configuration properties===
for the test ('''adjust the domains and hosts'''):
+
{| class="wikitable"
config setprop letsencrypt ACCEPT_TERMS yes status test API 2
+
!Key
#foreach of your domains you want SSL do the following
+
!property
db domains setprop '''domain1.com''' letsencryptSSLcert enabled
+
!default
#foreach of your hosts (subdomains) you want SSL do the following
+
!values
db hosts setprop '''www.domain1.com''' letsencryptSSLcert enabled
+
!
signal-event console-save
+
|-
dehydrated -c
+
| rowspan="10" |letsencrypt
 
+
|ACCEPT_TERMS
Check that the certificates are available ( your browser will still issue an error, but you can explore the content of the certificate to see that the Let's Encrypt test CA was used to sign your SSL certificate and that all your domains and hosts are in the "Certificate Subject Alt Name" property.
+
|
 
+
|empty, yes
for the production ('''adjust your email'''):
+
|set to yes to accept terms of service, if left empty the contrib will not work.
config setprop letsencrypt status enabled email '''admin@domain1.com'''
+
|-
signal-event console-save
+
|API
dehydrated -c -x
+
|2
 +
|1,2
 +
|deprecated, will always be v2, as v1 is deprecated as per june 2021
 +
|-
 +
|configure
 +
|none
 +
|none,all,domains,hosts
 +
|this will change the default behaviour on non explicitly domains or hosts with "letsencryptSSLcert enabled". By default will not be used, if hosts is set will ask a cert for all hosts, if domains is set will ask a cert for all domains, if all is set, will ask for both domains and hosts. In all situation it will ask a cert for domains/hosts where "letsencryptSSLcert enabled" is set and it is not set to "letsencryptSSLcert disabled"
 +
|-
 +
|email
 +
|
 +
|email
 +
|enter the email to create account and recieve updates from Let's Encrypt
 +
|-
 +
|hookScript
 +
|disabled
 +
|enabled,disabled
 +
|will trigger advanced hook script if enabled, even if disabled the part to signal-event ssl-update to propagate the cert will run.
 +
|-
 +
|hostOverride
 +
|disabled
 +
|yes,disabled
 +
|default disabled, if disabled will only ask cert for hosts (if selected accodring to configure and "letsencryptSSLcert enabled") for hosts with type=Self. If set to yes will include any listed hosts wether remote or local.
 +
|-
 +
|keysize
 +
|4096
 +
|base 2 number
 +
|length of your certificate's private key, if you don't want the '''default of 4096''' bits.  This should not be necessary in most cases, but if desired, use this command to do so:
 +
|-
 +
|
 +
|
 +
|
 +
|
 +
|-
 +
|
 +
|
 +
|
 +
|
 +
|-
 +
|status
 +
|test
 +
|enabled,disabled,test
 +
|default status is disabled, '''First set it to test''' to connect to the test server of let's Encrypt to check if your server is well configured. After checking everything is ok, you can set it to enabled.
 +
|}
    
== Troubleshooting ==
 
== Troubleshooting ==
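Review bot: the new table contains two completely empty rows between the keysize and status rows, which will render as blank table rows, and the "rowspan="10"" on the letsencrypt key counts them; drop the empty rows and change the rowspan to 8. The keysize cell ends with "if desired, use this command to do so:" but no command follows; either drop that clause or put the command removed elsewhere in this change, "config setprop letsencrypt keysize NUMBER", into the cell. The status row is inconsistent with itself: the default column says "test" while the description says "default status is disabled"; likewise the API row lists values "1,2" and default "2" next to a description saying it "will always be v2", so the values column should probably just read "2". Spelling: "recieve", "accodring", "wether".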