Difference between revisions of "Letsencrypt"
m (Added category security) |
(Corrected a couple of paths, formatted text, added backup section) |
||
Line 9: | Line 9: | ||
It's main purpose is to allow people to encrypt the internet traffic by a very simple system. | It's main purpose is to allow people to encrypt the internet traffic by a very simple system. | ||
− | The certs | + | The certs delivered must be renewed every 3 months. |
== Installation == | == Installation == | ||
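Review bot: the unchanged context sentence directly above the edited line reads "It's main purpose", which should be the possessive "Its main purpose"; since this hunk already touches the paragraph, fix it in the same edit. The new sentence "The certs delivered must be renewed every 3 months" would also read more clearly with "certificates" spelled out.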
Line 17: | Line 17: | ||
add the 2.7 scl-repository by following : http://wiki.contribs.org/Scl#tab=Python27 | add the 2.7 scl-repository by following : http://wiki.contribs.org/Scl#tab=Python27 | ||
− | Then : yum install python27 --enablerepo=scl-python27 | + | Then: |
− | + | yum install python27 --enablerepo=scl-python27 | |
− | + | yum install git | |
To use Let's Encrypt run: | To use Let's Encrypt run: | ||
− | + | scl enable python27 bash | |
− | mkdir src | + | mkdir /src |
− | cd src | + | cd /src |
− | git clone https://github.com/letsencrypt/letsencrypt.git | + | git clone https://github.com/letsencrypt/letsencrypt.git |
− | cd letsencrypt | + | cd letsencrypt |
− | service httpd-e-smith stop | + | service httpd-e-smith stop |
− | ./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk | + | ./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk |
− | |||
Replacing email and domains as required. Then configure SME with the certificates generated: | Replacing email and domains as required. Then configure SME with the certificates generated: | ||
− | + | config setprop modSSL crt /etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem | |
− | config setprop modSSL crt /etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem | + | config setprop modSSL key /etc/letsencrypt/live/test.firstdomain.co.uk/privkey.pem |
− | config setprop modSSL key /etc/letsencrypt/live/test.firstdomain.co.uk/privkey.pem | + | config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem |
− | config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem | + | signal-event post-upgrade; signal-event reboot |
− | signal-event post-upgrade; signal-event reboot | ||
− | |||
== Renew of the certs == | == Renew of the certs == | ||
− | A simple | + | A simple script to renew cert : |
+ | |||
+ | #!/bin/bash | ||
+ | source /opt/rh/python27/enable | ||
+ | export X_SCLS="`scl enable python27 'echo $X_SCLS'`" | ||
+ | service httpd-e-smith stop | ||
+ | cd /src/letsencrypt | ||
+ | ./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk --renew-by-default | ||
+ | service httpd-e-smith start | ||
+ | |||
+ | You may want to set this up as a cron job to run every two months, to make sure your certificate doesn't expire. | ||
+ | |||
+ | == Backup == | ||
+ | Your certificate, private key, and other important information are stored in /etc/letsencrypt, which is not included in the standard SME Server backup routines. Make sure to add this directory to your backups. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
==Source from info== | ==Source from info== | ||
Source: http://forums.contribs.org/index.php/topic,51961.msg266680.html#msg266680 | Source: http://forums.contribs.org/index.php/topic,51961.msg266680.html#msg266680 | ||
[[Category:Howto]] [[Category:Security]] | [[Category:Howto]] [[Category:Security]] |
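Review bot: the renewal script added under "Renew of the certs" runs `service httpd-e-smith stop`, `cd /src/letsencrypt` and `./letsencrypt-auto ... --renew-by-default` with no error checking, so when it runs from cron a failed `cd` or a failed renewal goes unnoticed and the certificate can still expire. Suggest capturing the exit status of `letsencrypt-auto` and exiting non-zero after `service httpd-e-smith start`. In the configuration block, `modSSL crt` and `modSSL CertificateChainFile` are both set to `fullchain.pem`; please confirm that is intended. The path change from `mkdir src` to `mkdir /src` puts the checkout at the filesystem root, so the text should say the commands are run as root.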
Revision as of 22:36, 6 December 2015
Introduction
Let’s Encrypt is a new Certificate Authority: it’s free, automated, and open. Its main purpose is to let people encrypt their internet traffic through a very simple system.
The certs delivered must be renewed every 3 months.
Installation
Follow the instructions at http://wiki.contribs.org/Software_Collections, and the Python-related wiki page specifically.
Add the Python 2.7 SCL repository by following: http://wiki.contribs.org/Scl#tab=Python27
Then:
 yum install python27 --enablerepo=scl-python27
 yum install git
To use Let's Encrypt run:
 scl enable python27 bash
 mkdir /src
 cd /src
 git clone https://github.com/letsencrypt/letsencrypt.git
 cd letsencrypt
 service httpd-e-smith stop
 ./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk
Replace the email address and domains as required. Then configure SME with the generated certificates:
 config setprop modSSL crt /etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem
 config setprop modSSL key /etc/letsencrypt/live/test.firstdomain.co.uk/privkey.pem
 config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem
 signal-event post-upgrade; signal-event reboot
Renewal of the certs
A simple script to renew the certificate:
 #!/bin/bash
 source /opt/rh/python27/enable
 export X_SCLS="`scl enable python27 'echo $X_SCLS'`"
 service httpd-e-smith stop
 cd /src/letsencrypt
 ./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk --renew-by-default
 service httpd-e-smith start
You may want to set this up as a cron job to run every two months, to make sure your certificate doesn't expire.
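A renewal wrapper suited to cron, as an added example that is not part of the original wiki page: it checks the expiry date with `openssl x509 -checkend` and only stops Apache when fewer than 30 days remain (an assumed window), then reports a failed renewal through its exit status. The domain, email and paths are the page's sample values.

```bash
#!/bin/bash
# Added example (not from the wiki page). Domain, email and paths are the
# page's sample values; RENEW_WINDOW_DAYS is an assumption.
CERT=/etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem
RENEW_WINDOW_DAYS=30

# True (0) when the certificate is missing, unreadable, or expires within
# the given number of days; false (1) while it is still valid for longer.
needs_renewal() {
    [ -r "$1" ] || return 0
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# The page's renewal steps, with Apache restarted whatever the outcome and
# the exit status of letsencrypt-auto passed back to the caller.
renew() {
    . /opt/rh/python27/enable
    export X_SCLS="$(scl enable python27 'echo $X_SCLS')"
    service httpd-e-smith stop
    status=0
    ( cd /src/letsencrypt &&
      ./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk \
          -d test.firstdomain.co.uk -d seconddomain.co.uk \
          -d www.seconddomain.co.uk --renew-by-default ) || status=$?
    service httpd-e-smith start
    return "$status"
}

# Only act when called with --renew, so the file can also be sourced.
if [ "${1:-}" = "--renew" ]; then
    if needs_renewal "$CERT" "$RENEW_WINDOW_DAYS"; then
        renew || { echo "renewal failed for $CERT" >&2; exit 1; }
    else
        echo "$CERT is valid for more than $RENEW_WINDOW_DAYS days"
    fi
fi
```

Because it returns immediately while the certificate is still fresh, it can be scheduled far more often than every two months without stopping the web server each time.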
Backup
Your certificate, private key, and other important information are stored in /etc/letsencrypt, which is not included in the standard SME Server backup routines. Make sure to add this directory to your backups.
Source from info
Source: http://forums.contribs.org/index.php/topic,51961.msg266680.html#msg266680