Changes

Jump to navigation Jump to search
3,549 bytes added ,  22:44, 8 January 2016
→‎Installation: add letsencrypt.sh instructions
Line 41: Line 41:     
== Installation ==
 
== Installation ==
 +
Multiple clients are available for the Letsencrypt services.  The official client from letsencrypt.org is quite full-featured, but has a number of dependencies that it needs to install.  It also requires a newer version of Python than is included with a standard SME Server installation.  SME Server 9.0 and later, in the 64-bit versions, support the use of Software Collections, which allow installation of Python 2.7 alongside the default Python 2.6 installation.
 +
 +
Users of SME Server 8.x, or those who would prefer a more lightweight client, can use an alternative.  Letsencrypt.sh, documented below, is a shell script that requires no further dependencies that aren't installed by default on the SME Server.
 +
 +
=== Installation of Official Client ===
 
For the installation of Letsencrypt, the initial generation of the certificates and periodically re-new the authority certificates, at minimum Python version 2.7 is required. By default SME Server comes with a lower version, but below instruction will enable you to install version 2.7 in a 'supported' way, next to the default SME Server Python version. The newly installed Python version 2.7 will then only be used (after initial installation) for the renewal of the certificates (periodically and mandatory every 3 months).
 
For the installation of Letsencrypt, the initial generation of the certificates and periodically re-new the authority certificates, at minimum Python version 2.7 is required. By default SME Server comes with a lower version, but below instruction will enable you to install version 2.7 in a 'supported' way, next to the default SME Server Python version. The newly installed Python version 2.7 will then only be used (after initial installation) for the renewal of the certificates (periodically and mandatory every 3 months).
 
   
 
   
Line 87: Line 92:     
Once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
 
Once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
 +
 +
=== Installation of Letsencrypt.sh ===
 +
Letsencrypt.sh is a lightweight alternative ACME client which will allow you to retrieve certificates from the Letsencrypt servers without needing to install any additional software on your server, other than git to download and install it.  Begin by installing git:
 +
yum install git
 +
 +
Then download the letsencrypt.sh client:
 +
cd /etc
 +
git clone https://github.com/lukas2511/letsencrypt.sh
 +
 +
You'll need to create two configuration files for letsencrypt.sh.
 +
cd letsencrypt.sh
 +
mkdir -p /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
 +
nano -w domains.txt
 +
 +
In this file, you'll list every hostname that you want your certificate to cover, all on one line.  It will look like this:
 +
domain1.com www.domain1.com mail.domain1.com domain2.net www.domain2.net domain3.org ftp.domain3.org
 +
Ctrl-X to exit, Y to save.
 +
 +
Second, you'll need to create the configuration file:
 +
nano -w config.sh
 +
 +
It should look like this:
 +
#!/bin/bash
 +
# config.sh
 +
 +
WELLKNOWN=/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
 +
 +
# E-mail to use during the registration (default: <unset>)
 +
CONTACT_EMAIL=admin@yourdomain.com
 +
Ctrl-X to exit, Y to save.
 +
 +
You'll also need to create a custom template fragment for Apache:
 +
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 +
nano -w /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts40ACME
 +
 +
The contents of that file should look like:
 +
# Alias for letsencrypt
 +
Alias /.well-known/acme-challenge /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
 +
Again, Ctrl-X to exit, Y to save.
 +
 +
Expand the template and restart apache:
 +
expand-template /etc/httpd/conf/httpd.conf
 +
service httpd-e-smith restart
 +
 +
Now you're ready to run letsencrypt.sh and get your certificate.
 +
/etc/letsencrypt.sh/letsencrypt.sh -c
 +
 +
The script will run for a moment and should report success.  If it does, look in /etc/letsencrypt.sh/certs/YOURDOMAIN and see if you have your files there.  You should see a number of .pem files, at least one .csr file, and five symbolic links (chain.pem, cert.csr, cert.pem, fullchain.pem, and privkey.pem).  If you do, congratulations!  You've successfully obtained your certificate.
 +
 +
Now you just need to configure your server to use the new certificate:
 +
config setprop modSSL crt /etc/letsencrypt.sh/certs/yourdomain.com/cert.pem
 +
config setprop modSSL key /etc/letsencrypt.sh/certs/yourdomain.com/privkey.pem
 +
config setprop modSSL CertificateChainFile /etc/letsencrypt.sh/certs/yourdomain.com/chain.pem
 +
signal-event post-upgrade && signal-event reboot
 +
 +
As above, once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
    
== Troubleshooting ==
 
== Troubleshooting ==
147

edits

Navigation menu