859
edits
Changes
From SME Server
Jump to navigationJump to search→Certificate Errors
{{Languages}}
{{Languages|Letsencrypt}}
{{Level|Medium}}
{{Level|Medium}}
==Introduction==
==Introduction==
Renewal failures should be limited since new domain validations will already be disabled and we recommend renewing certificates 30 days before they expire.
Renewal failures should be limited since new domain validations will already be disabled and we recommend renewing certificates 30 days before they expire.
In June of 2021 we will entirely disable ACMEv1 as a viable way to get a Let’s Encrypt certificate.}}
In June of 2021 they will entirely disable ACMEv1 as a viable way to get a Let’s Encrypt certificate.}}
[https://letsencrypt.org/ Let’s Encrypt] is a new Certificate Authority:
[https://letsencrypt.org/ Let’s Encrypt] is a new Certificate Authority:
Please first read the condition terms for using Let's Encrypt [[https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]]
Please first read the condition terms for using Let's Encrypt [[https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]]
config setprop letsencrypt ACCEPT_TERMS yes
config setprop letsencrypt ACCEPT_TERMS yes
{{Note box|Creation of a new certificate requires the API being set to V2, see warning box above}}
===V2 API===
With the latest version of letsencrypt/dehydrated the V2 API is needed to create new certificates, V1 is depreciated for creation of new certificates however is still valid for existing certificates created with it.
The key is called API. It will default to '1' if left unset. Options are '1', '2', 'auto'
For updating current V1 certificates leave as default or set to 1, auto
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
configure=none
email=####@#####.###
hookScript=disabled
status=enabled
# config setprop letsencrypt API 1
# signal-event console-save
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=1
configure=none
email=####@#####.###
hookScript=disabled
status=enabled
For creating a new certificate or updating a V2 set to 2
# config setprop letsencrypt API 2
# signal-event console-save
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=2
configure=none
email=####@#####.###
hookScript=disabled
status=enabled
===Enable Test Mode===
===Enable Test Mode===
If it prints only "# INFO: Using main config file /etc/dehydrated/config" and returns you to the shell prompt, see [[Bugzilla:10300]].
If it prints only "# INFO: Using main config file /etc/dehydrated/config" and returns you to the shell prompt, see [[Bugzilla:10300]].
{{Note box|Solution for error "Malformed account ID in KeyID header URL" using API 2, for contrib versions 0.6.13 or older See [[Bugzilla:10828]] or update to latest contrib}}
If this runs without errors, try to connect to your server-manager page. You should see an error that the security certificate wasn't issued by a trusted certification authority; this is perfectly normal. However, there should be a certificate, it should include all the hostnames you wanted included, and it should be valid for the next ninety days. If this was successful, proceed to production.
If this runs without errors, try to connect to your server-manager page. You should see an error that the security certificate wasn't issued by a trusted certification authority; this is perfectly normal. However, there should be a certificate, it should include all the hostnames you wanted included, and it should be valid for the next ninety days. If this was successful, proceed to production.
Once you've made these changes, do:
Once you've made these changes, do:
signal-event post-upgrade
signal-event reboot
Also see
https://wiki.contribs.org/Useful_Commands#How_to_simply_recreate_the_certificate_for_SME_Server
rm /home/e-smith/ssl.{crt,key,pem}/*
config delprop modSSL CommonName
config delprop modSSL crt
config delprop modSSL key
signal-event post-upgrade
signal-event post-upgrade
signal-event reboot
signal-event reboot
===Obtaining certificates for other servers===
===Obtaining certificates for other servers===
The dehydrated client can be used to obtain certificates for other servers on your network, if the hostnames resolve (from outside your network) to your SME Server. Here's how to do this using the smeserver-letsencrypt contrib.
The dehydrated client can be used to obtain certificates for other servers on your network, if the hostnames resolve (from outside your network) to your SME Server. Here's how to do this using the smeserver-letsencrypt contrib.
====Hosts and Domains====
{{Note box| This section is not necessary as far as I am aware. You should just be able to set a host with "HostType local" and an InternalIP address as letsencryptSSLcert enabled and then regenerate domains.txt}}
You'll need to create two template fragments: one to add your hostname to /etc/dehydrated/domains.txt, and the second to handle the certificate once it's generated. To create the first, do
You'll need to create two template fragments: one to add your hostname to /etc/dehydrated/domains.txt, and the second to handle the certificate once it's generated. To create the first, do
Then Ctrl-X to exit, Y to save.
Then Ctrl-X to exit, Y to save.
====Hook Script deployment====
The second template fragment will be a portion of the hook script, so the dehydrated client knows what to do with this certificate. This must be present, otherwise dehydrated will configure your SME server to use this certificate rather than the certificate for the SME Server.
The second template fragment will be a portion of the hook script, so the dehydrated client knows what to do with this certificate. This must be present, otherwise dehydrated will configure your SME server to use this certificate rather than the certificate for the SME Server.
{{#smechangelog:smeserver-letsencrypt}}
{{#smechangelog:smeserver-letsencrypt}}
[[Category:Contrib]]
[[Category:Howto]]
[[Category:Howto]]
[[Category:Security]]
[[Category:Security]]
[[Category: Administration:Certificates]]
[[Category: Administration:Certificates]]
