147
edits
Changes
Jump to navigation
Jump to search
Line 44:
Line 44: − + − − Users of SME Server 8.x, or those who would prefer a more lightweight client, can use an alternative. Letsencrypt.sh, documented below, is a shell script that requires no further dependencies that aren't installed by default on the SME Server. − − === Installation of Official Client === − For the installation of Letsencrypt, the initial generation of the certificates and periodically re-new the authority certificates, at minimum Python version 2.7 is required. By default SME Server comes with a lower version, but below instruction will enable you to install version 2.7 in a 'supported' way, next to the default SME Server Python version. The newly installed Python version 2.7 will then only be used (after initial installation) for the renewal of the certificates (periodically and mandatory every 3 months). − − Follow the instructions at [[Software_Collections]] and the python related wiki page specifically. You need to add the scl-repository for Python 2.7 that can be found [http://wiki.contribs.org/Scl#tab=Python27 '''here'''] − − To install Python 2.7: − yum install python27 --enablerepo=scl-python27 − − You can download the latest Letsencrypt code from their Github page either via GIT or as a ZIP file. − − To download via GIT do: − yum install git − cd /opt − git clone https://github.com/letsencrypt/letsencrypt.git − − To download as a ZIP do: − wget https://github.com/letsencrypt/letsencrypt/archive/master.zip -P /opt − unzip /opt/master.zip -d /opt && mv /opt/letsencrypt-master /opt/letsencrypt − rm -f /opt/master.zip − − − To use Let's Encrypt run: − cd /opt/letsencrypt − service httpd-e-smith stop − scl enable python27 bash − ./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk − exit − − Replacing email and domains as required. You should include every hostname that is hosted on your SME server, along with any aliases you use (e.g., www.yourdomain.tld, mail.yourdomain.tld, yourdomain.tld, www.yourotherdomain.tld, etc.). If it completes with no errors, it should tell you your certificate has been created. To confirm, do: − ls -l /etc/letsencrypt/live/test.firstdomain.co.uk − − You should see something very similar to this: − lrwxrwxrwx 1 root root 43 Dec 16 17:08 cert.pem -> ../../archive/test.firstdomain.co.uk/cert1.pem − lrwxrwxrwx 1 root root 44 Dec 16 17:08 chain.pem -> ../../archive/test.firstdomain.co.uk/chain1.pem − lrwxrwxrwx 1 root root 48 Dec 16 17:08 fullchain.pem -> ../../archive/test.firstdomain.co.uk/fullchain1.pem − lrwxrwxrwx 1 root root 46 Dec 16 17:08 privkey.pem -> ../../archive/test.firstdomain.co.uk/privkey1.pem − − If you do not see these files, '''stop'''. Troubleshoot the problem before proceeding. If you continue, you will break your web server any anything else that depends on SSL. If you do see these files, go ahead and configure SME with the certificates generated: − − config setprop modSSL crt /etc/letsencrypt/live/test.firstdomain.co.uk/cert.pem − config setprop modSSL key /etc/letsencrypt/live/test.firstdomain.co.uk/privkey.pem − config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.firstdomain.co.uk/chain.pem − signal-event domain-modify; signal-event email-update; signal-event ibay-modify − − If you have at least version 5.6.0-26 of e-smith-base installed (i.e., if you've installed updates since late January of 2016), replace the last line with "signal-event ssl-update". − − {{Note box|We need to see if setting the above db variables disturbs other SME Server default functionality and contribs that work with certificates such as VPN solutions.}} − − Once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly. Line 194:
Line 142: − − === Using the official client === − The following script will automatically renew your certificate. Save it in a convenient place, for example, /opt/letsencrypt-renew.sh, and make sure to make it executable (chmod +x). − − #!/bin/bash − /sbin/service httpd-e-smith stop − /opt/letsencrypt/letsencrypt-auto certonly --standalone --renew-by-default --email me@mydomain.co.uk \ − -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk − /sbin/e-smith/signal-event domain-modify − /sbin/e-smith/signal-event email-update − /sbin/e-smith/signal-event ibay-modify − − If you have at least version 5.6.0-26 of e-smith-base installed (i.e., if you've installed updates since late January of 2016), replace the last three lines with "/sbin/e-smith/signal-event ssl-update". − − Call this script by running − # scl enable python27 '/opt/letsencrypt-renew.sh' − − You may want to set this up as a cron job to run every two months, to make sure your certificate doesn't expire. Please see '''[[Crontab_Manager]]''' contrib for an easy way to achieve this. Or, to set this from the command line, do the following: − − mkdir -p /etc/e-smith/templates-custom/etc/crontab − nano /etc/e-smith/templates-custom/etc/crontab/sslrenew − − The following example will run the renewal script at 22:48 on the third of every other month (Jan, Mar, May, etc.): − − 48 22 3 */2 * root scl enable python27 '/opt/letsencrypt-renew.sh' − − then expand and restart − − expand-template /etc/crontab − service crond restart − − The time and day of the month can be chosen at your discretion--I've deliberately chosen a time that isn't at the top or bottom of the hour, or on the first of the month, in the hope of reducing load on letsencrypt's servers. Since the certificates are good for 90 days, this will renew your certificate in plenty of time. Line 238:
Line 154: − + +
Remove official letsencrypt client documentation
== Installation ==
== Installation ==
Multiple clients are available for the Letsencrypt services. The official client from letsencrypt.org is quite full-featured, but has a number of dependencies that it needs to install. It also requires a newer version of Python than is included with a standard SME Server installation. SME Server 9.0 and later, in the 64-bit versions, support the use of Software Collections, which allow installation of Python 2.7 alongside the default Python 2.6 installation.
Multiple clients are available for the Letsencrypt services. The official client from letsencrypt.org is quite full-featured, but has a number of dependencies that it needs to install. It also requires a newer version of Python than is included with a standard SME Server installation. Due to this complexity, and the lack of compatibility with SME 8.x, this document describes installation and use of letsencrypt.sh, an alternative client implemented as a BASH shell script.
=== Installation of Letsencrypt.sh ===
=== Installation of Letsencrypt.sh ===
== Renewal of the certificates ==
== Renewal of the certificates ==
As part of the security of Letsencrypt the certificates must be renewed every 3 months. The process will differ depending on whether you're using the official client or letsencrypt.sh.
As part of the security of Letsencrypt the certificates must be renewed every 3 months. The process will differ depending on whether you're using the official client or letsencrypt.sh.
=== Using Letsencrypt.sh ===
=== Using Letsencrypt.sh ===
== Backup ==
== Backup ==
Your certificate, private key, and other important information are stored in /etc/letsencrypt, if using the official client; or /etc/letsencrypt.sh, of using letsencrypt.sh; neither of which is included in the standard SME Server backup routines. Make sure to add this directory to your backups. See, e.g., [[Backup with dar#Adding files and directories|Backup with dar]] if you're using the workstation backup feature.
Your certificate, private key, and other important information are stored in /etc/letsencrypt.sh, which is not included in the standard SME Server backup routines. Make sure to add this directory to your backups. See, e.g., [[Backup with dar#Adding files and directories|Backup with dar]] if you're using the workstation backup feature.
== Creating certificates for internal servers ==
== Creating certificates for internal servers ==
{{Note Box|These procedures need to be revised to work with letsencrypt.sh}}
You may have one or more internal servers on your network for which you want or need trusted TLS certificates, but which aren't directly accessible from the outside. The Letsencrypt service can handle this too, although the process isn't quite as simple as shown above.
You may have one or more internal servers on your network for which you want or need trusted TLS certificates, but which aren't directly accessible from the outside. The Letsencrypt service can handle this too, although the process isn't quite as simple as shown above.