Changes

Jump to navigation Jump to search
2,193 bytes added ,  01:25, 8 May 2017
no edit summary
Line 48: Line 48:     
===Installation===
 
===Installation===
  yum install smeserver-letsencrypt --enablerepo=smedev
+
  yum install smeserver-letsencrypt --enablerepo=smecontribs
  signal-event post-upgrade && signal-event reboot
+
   
 +
you will then need to configure the domains and hosts for which you want to ask a certificate. See the following Configuration menu.
    
===Configuration===
 
===Configuration===
Line 58: Line 59:  
* Are configured on your SME Server (e.g., through the Server Manager), and
 
* Are configured on your SME Server (e.g., through the Server Manager), and
 
* Are configured to use Let's Encrypt.
 
* Are configured to use Let's Encrypt.
 +
 +
{{Warning box| Your server must be accessible from the Internet and the domains and hosts you are asking for a certificate should resolve to your domain. Having only one domain or host in the list you ask a certificate for that fails to resolve and point to your server from the internet will result in a failure to obtain a certificate. Please consider that by default SME will add some subdomains for your domain you configure on it such as ftp.mydomain.tld, mail.mydomain.tld, wpad.mydomain.tld, proxy.mydomain.tld, $HOSTNAME.mydomain.tld and www.mydomain.tld. If you configure the contrib to issue a certificate for all of those take the time to configure them all at your DNS hosting service to point to your server.}}
    
For example, your SME Server may contain the following domains and hostnames:
 
For example, your SME Server may contain the following domains and hostnames:
Line 94: Line 97:  
You can also set the length of your certificate's private key, if you don't want the default of 4096 bits.  This should not be necessary in most cases, but if desired, use this command to do so:
 
You can also set the length of your certificate's private key, if you don't want the default of 4096 bits.  This should not be necessary in most cases, but if desired, use this command to do so:
 
  config setprop letsencrypt keysize NUMBER
 
  config setprop letsencrypt keysize NUMBER
 +
 +
===Accept Let's Encrypt terms ===
 +
Please first read the condition terms for using Let's Encrypt [[https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]]
 +
config setprop  letsencrypt ACCEPT_TERMS yes
    
===Enable Test Mode===
 
===Enable Test Mode===
Line 107: Line 114:  
===Enable Production Mode===
 
===Enable Production Mode===
 
Once you've successfully tested your installation, set it to production mode using these commands:
 
Once you've successfully tested your installation, set it to production mode using these commands:
 +
 +
move previous certificates:
 +
mkdir /etc/dehydrated/certs.test
 +
mv /etc/dehydrated/certs/* /etc/dehydrated/certs.test
 +
 +
then prepare to ask the real ones:
 
  config setprop letsencrypt status enabled
 
  config setprop letsencrypt status enabled
 
  signal-event console-save
 
  signal-event console-save
Line 118: Line 131:     
Once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
 
Once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
 +
 +
 +
===Rush jobs===
 +
for the test ('''adjust the domains and hosts'''):
 +
config setprop ACCEPT_TERMS yes status test
 +
#foreach of your domains you want SSL do the following
 +
db domains setprop '''domain1.com''' letsencryptSSLcert enabled
 +
#foreach of your hosts (subdomains) you want SSL do the following
 +
db hosts setprop '''www.domain1.com''' letsencryptSSLcert enabled
 +
signal-event console-save
 +
dehydrated -c
 +
 +
Check that the certificates are available ( your browser will still issue an error, but you can explore the content of the certificate to see that the Let's Encrypt test CA was used to sign your SSL certificate and that all your domains and hosts are in the "Certificate Subject Alt Name" property, except the first one that is the name of the certificate.
 +
 +
for the production ('''adjust your email'''):
 +
config setprop status enabled email '''admin@domain1.com'''
 +
signal-event console-save
 +
mkdir /etc/dehydrated/certs.test
 +
mv /etc/dehydrated/certs/* /etc/dehydrated/certs.test
 +
dehydrated -c -x
    
==Manual Installation of Dehydrated==
 
==Manual Installation of Dehydrated==
Super Admin, Wiki & Docs Team, Bureaucrats, Interface administrators, Administrators
3,254

edits

Navigation menu