Changes

From SME Server
Jump to navigationJump to search

Letsencrypt (view source)

Revision as of 11:01, 5 October 2020

1,292 bytes added ,  11:01, 5 October 2020
→‎Certificate Errors
Line 1: Line 1: −
{{Languages}}
+
{{Languages|Letsencrypt}}
 
{{Level|Medium}}
 
{{Level|Medium}}
 
==Introduction==
 
==Introduction==
Line 15: Line 15:  
Renewal failures should be limited since new domain validations will already be disabled and we recommend renewing certificates 30 days before they expire.
 
Renewal failures should be limited since new domain validations will already be disabled and we recommend renewing certificates 30 days before they expire.
   −
In June of 2021 we will entirely disable ACMEv1 as a viable way to get a Let’s Encrypt certificate.}}
+
In June of 2021 they will entirely disable ACMEv1 as a viable way to get a Let’s Encrypt certificate.}}
    
[https://letsencrypt.org/ Let’s Encrypt] is a new Certificate Authority:  
 
[https://letsencrypt.org/ Let’s Encrypt] is a new Certificate Authority:  
Line 145: Line 145:  
  config setprop letsencrypt ACCEPT_TERMS yes
 
  config setprop letsencrypt ACCEPT_TERMS yes
   −
===Enable Test Mode===
+
{{Note box|Creation of a new certificate requires the API being set to V2, see warning box above}}
The next step is to enable test mode.  This will obtain certificates from the staging server.  The rate limits discussed in the introduction won't apply, so any errors or other issues won't prevent you from obtaining your production certificate.  Enable test mode using this command:
  −
config setprop letsencrypt status test
  −
signal-event console-save
     −
You can now run dehydrated for the first time, and make sure it's able to connect to the Let's Encrypt servers, validate the hostnames you're requesting, and issue certificates. To do this, run
+
===V2 API===
dehydrated -c
+
With the latest version of letsencrypt/dehydrated the V2 API is needed to create new certificates, V1 is depreciated for creation of new certificates however is still valid for existing certificates created with it.  
   −
If it prints only "# INFO: Using main config file /etc/dehydrated/config" and returns you to the shell prompt, see [[Bugzilla:10300]].
+
The key is called API. It will default to '1' if left unset. Options are '1', '2', 'auto'
   −
If this runs without errors, try to connect to your server-manager page.  You should see an error that the security certificate wasn't issued by a trusted certification authority; this is perfectly normal.  However, there should be a certificate, it should include all the hostnames you wanted included, and it should be valid for the next ninety days.  If this was successful, proceed to production.
+
For updating current V1 certificates leave as default or set to 1, auto
   −
===Enable Production Mode===
+
# config show letsencrypt
Once you've successfully tested your installation, set it to production mode using these commands:
+
letsencrypt=service
 +
    ACCEPT_TERMS=yes
 +
    configure=none
 +
    email=####@#####.###
 +
    hookScript=disabled
 +
    status=enabled
   −
  config setprop letsencrypt status enabled
+
  # config setprop letsencrypt API 1
  signal-event console-save
+
  # signal-event console-save
  −
Then obtain a new certificate from the Let's Encrypt production server:
  −
dehydrated -c -x
  −
 
  −
The -x flag here is needed to force dehydrated to obtain a new certificate, even though you have an existing certificate that's valid for more than 30 days.
  −
 
  −
If this command succeeded, congratulations!  You've successfully obtained a valid, trusted TLS certificate, which will automatically renew itself in perpetuity.
  −
 
  −
Once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
  −
 
  −
===V2 API===
  −
 
  −
{{Note box|This needs testing and checking}}
  −
 
  −
With the latest version of letsencrypt/dehydrated we can use the new V2 API.
  −
 
  −
The new key is called API. It will default to '1' if left unset. Options are '1', '2', 'auto'
      
  # config show letsencrypt
 
  # config show letsencrypt
Line 188: Line 173:  
     hookScript=disabled
 
     hookScript=disabled
 
     status=enabled
 
     status=enabled
 +
 +
For creating a new certificate or updating a V2 set to 2
    
  # config setprop letsencrypt API 2  
 
  # config setprop letsencrypt API 2  
Line 201: Line 188:  
     status=enabled
 
     status=enabled
   −
  # dehydrated -c -x
+
===Enable Test Mode===
 +
The next step is to enable test mode. This will obtain certificates from the staging server.  The rate limits discussed in the introduction won't apply, so any errors or other issues won't prevent you from obtaining your production certificate.  Enable test mode using this command:
 +
config setprop letsencrypt status test
 +
signal-event console-save
 +
 
 +
You can now run dehydrated for the first time, and make sure it's able to connect to the Let's Encrypt servers, validate the hostnames you're requesting, and issue certificates.  To do this, run
 +
dehydrated -c
 +
 
 +
If it prints only "# INFO: Using main config file /etc/dehydrated/config" and returns you to the shell prompt, see [[Bugzilla:10300]].
 +
 
 +
{{Note box|Solution for error "Malformed account ID in KeyID header URL" using API 2, for contrib versions 0.6.13 or older See [[Bugzilla:10828]] or update to latest contrib}}
 +
 
 +
If this runs without errors, try to connect to your server-manager page.  You should see an error that the security certificate wasn't issued by a trusted certification authority; this is perfectly normal.  However, there should be a certificate, it should include all the hostnames you wanted included, and it should be valid for the next ninety days.  If this was successful, proceed to production.
 +
 
 +
===Enable Production Mode===
 +
Once you've successfully tested your installation, set it to production mode using these commands:
 +
 
 +
config setprop letsencrypt status enabled
 +
signal-event console-save
 +
 +
Then obtain a new certificate from the Let's Encrypt production server:
 +
dehydrated -c -x
 +
 
 +
The -x flag here is needed to force dehydrated to obtain a new certificate, even though you have an existing certificate that's valid for more than 30 days.
 +
 
 +
If this command succeeded, congratulations!  You've successfully obtained a valid, trusted TLS certificate, which will automatically renew itself in perpetuity.
 +
 
 +
Once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
    
===Archive old certificates===
 
===Archive old certificates===
Line 357: Line 371:     
Once you've made these changes, do:
 
Once you've made these changes, do:
 +
signal-event post-upgrade
 +
signal-event reboot
 +
 +
Also see
 +
 +
https://wiki.contribs.org/Useful_Commands#How_to_simply_recreate_the_certificate_for_SME_Server
 +
 +
rm /home/e-smith/ssl.{crt,key,pem}/*
 +
config delprop modSSL CommonName
 +
config delprop modSSL crt
 +
config delprop modSSL key
 
  signal-event post-upgrade
 
  signal-event post-upgrade
 
  signal-event reboot
 
  signal-event reboot
Line 503: Line 528:  
===Obtaining certificates for other servers===
 
===Obtaining certificates for other servers===
 
The dehydrated client can be used to obtain certificates for other servers on your network, if the hostnames resolve (from outside your network) to your SME Server.  Here's how to do this using the smeserver-letsencrypt contrib.
 
The dehydrated client can be used to obtain certificates for other servers on your network, if the hostnames resolve (from outside your network) to your SME Server.  Here's how to do this using the smeserver-letsencrypt contrib.
 +
 +
====Hosts and Domains====
 +
{{Note box| This section is not necessary as far as I am aware. You should just be able to set a host with "HostType local" and an InternalIP address as letsencryptSSLcert enabled and then regenerate domains.txt}}
    
You'll need to create two template fragments: one to add your hostname to /etc/dehydrated/domains.txt, and the second to handle the certificate once it's generated.  To create the first, do
 
You'll need to create two template fragments: one to add your hostname to /etc/dehydrated/domains.txt, and the second to handle the certificate once it's generated.  To create the first, do
Line 514: Line 542:     
Then Ctrl-X to exit, Y to save.
 
Then Ctrl-X to exit, Y to save.
 +
 +
====Hook Script deployment====
    
The second template fragment will be a portion of the hook script, so the dehydrated client knows what to do with this certificate.  This must be present, otherwise dehydrated will configure your SME server to use this certificate rather than the certificate for the SME Server.
 
The second template fragment will be a portion of the hook script, so the dehydrated client knows what to do with this certificate.  This must be present, otherwise dehydrated will configure your SME server to use this certificate rather than the certificate for the SME Server.
Line 635: Line 665:  
{{#smechangelog:smeserver-letsencrypt}}
 
{{#smechangelog:smeserver-letsencrypt}}
    +
[[Category:Contrib]]
 
[[Category:Howto]]  
 
[[Category:Howto]]  
 
[[Category:Security]]
 
[[Category:Security]]
 
[[Category: Administration:Certificates]]
 
[[Category: Administration:Certificates]]
Retrieved from "https://wiki.koozali.org/Special:MobileDiff/38168...38863"

Navigation menu