Difference between revisions of "Letsencrypt"

From SME Server
Jump to navigationJump to search
m (Add prerequisites)
m (→‎Installation: CertificateChainFile -> chain.pem, not fullchain.pem)
Line 35: Line 35:
 
  config setprop modSSL crt /etc/letsencrypt/live/test.firstdomain.co.uk/cert.pem
 
  config setprop modSSL crt /etc/letsencrypt/live/test.firstdomain.co.uk/cert.pem
 
  config setprop modSSL key /etc/letsencrypt/live/test.firstdomain.co.uk/privkey.pem
 
  config setprop modSSL key /etc/letsencrypt/live/test.firstdomain.co.uk/privkey.pem
  config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem
+
  config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.firstdomain.co.uk/chain.pem
 
  signal-event domain-modify; signal-event email-update
 
  signal-event domain-modify; signal-event email-update
  

Revision as of 12:55, 9 December 2015

Warning.png Work in Progress:
This page is a Work in Progress. The contents off this page may be in flux, please have a look at this page history the to see list of changes.


PythonIcon.png Skill level: Advanced
The instructions on this page may require deviations from standard procedures. A good understanding of linux and Koozali SME Server is recommended.


Warning.png Warning:
This procedure change the default certificates and could significantly compromise your server's security.
Thorough understanding of linux system management is required.

Proceed at your own risk


Introduction

Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open. It's main purpose is to allow people to encrypt the internet traffic by a very simple system.

The certs delivered must be renewed every 3 months.

Prerequisites

Your SME Server must be setup correctly with FQDN and correctly setup DNS with your ISP. Your SME Server myst also be connected to the internet, for the below procedure will interact with Letsencrypt servers. Make sure you've got this all setup correctly before continuing.

Installation

For the installation of Letsencrypt, the initial generation of the certificates and periodically re-new the authority certificates, at minimum Python version 2.7 is required. By default SME Server comes with a lower version, but below instruction will enable you to install version 2.7 in a 'supported' way, next to the default SME Server Python version. The newly installed Python version 2.7 will then only be used (after initial installation) for the renewal of the certificates (periodically and mandatory every 3 months).

Follow the instructions at Software_Collections and the python related wiki page specifically. You need to add the scl-repository for Python 2.7 that can be found here

Then:

yum install python27 --enablerepo=scl-python27
yum install git


Important.png Note:
We need to see if installing GIT is really required, for the GIT version is also available as a ZIP file. The less we install, the better.


To use Let's Encrypt run:

scl enable python27 bash
cd /opt
git clone https://github.com/letsencrypt/letsencrypt.git
cd letsencrypt
service httpd-e-smith stop
./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk

Replacing email and domains as required. Then configure SME with the certificates generated:

config setprop modSSL crt /etc/letsencrypt/live/test.firstdomain.co.uk/cert.pem
config setprop modSSL key /etc/letsencrypt/live/test.firstdomain.co.uk/privkey.pem
config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.firstdomain.co.uk/chain.pem
signal-event domain-modify; signal-event email-update


Important.png Note:
We need to see if setting the above db variables disturbs other SME Server default functionality and contribs that work with certificates such as VPN solutions.


Renew of the certs

The following script will automatically renew your certificate. Save it in a convenient place, for example, /opt/letsencrypt-renew.sh;dont forget du chmod +x the file

#!/bin/bash
source /opt/rh/python27/enable
export X_SCLS="`scl enable python27 'echo $X_SCLS'`"
/sbin/service httpd-e-smith stop
/opt/letsencrypt/letsencrypt-auto certonly --standalone --renew-by-default --email me@mydomain.co.uk \
 -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk 
/sbin/e-smith/signal-event domain-modify
/sbin/e-smith/signal-event email-update
/sbin/e-smith/signal-event ibay-modify

You may want to set this up as a cron job to run every two months, to make sure your certificate doesn't expire. Please see Crontab_Manager contrib for an easy way to achieve this. Or, to set this from the command line, do the following:

mkdir -p /etc/e-smith/templates-custom/etc/crontab
nano /etc/e-smith/templates-custom/etc/crontab/sslrenew

The following example will run the renewal script at 22:48 on the third of every other month (Feb, Apr, Jun, etc.):

48 22 3 */2 * root /opt/letsencrypt-renew.sh

then expand and restart

expand-template /etc/crontab
service crond restart

The time and day of the month can be chosen at your discretion--I've deliberately chosen a time that isn't at the top or bottom of the hour, or on the first of the month, in the hope of reducing load on letsencrypt's servers. Since the certificates are good for 90 days, this will renew your certificate in plenty of time.

Backup

Your certificate, private key, and other important information are stored in /etc/letsencrypt, which is not included in the standard SME Server backup routines. Make sure to add this directory to your backups. See, e.g., Backup with dar if you're using the workstation backup feature.

Source from info

Source: http://forums.contribs.org/index.php/topic,51961.msg266680.html#msg266680