Resolved
0 votes
Hello all,

I recently installed ClearOS and have several apps running now. What I wish to ask about is the use of generated SSL certificates.

I am taking advantage of the freely available open source LetsEncrypt SSL certificate generator product (http://letsencrypt.org). The certificate has been installed successfully and used for other web based applications on my ClearOS install.

I would like to also use the generated certificate for port 81. Has anyone been able to do this?

kindest regards,
Frank
Thursday, August 04 2016, 11:54 PM
Responses (31)
  • Accepted Answer

    Tuesday, August 09 2016, 02:39 PM - #Permalink
    Resolved
    0 votes
    Certainly. I've used Letsencrypt on a couple of Ubuntu servers so the instructions were a little different. Needless to say those servers are scheduled to be changed to ClearOS. :)

    I was able to get things going on my ClearOS install with thanks to the assistance from Marc Laporte and Xavier de Pedro at Wikisuite ( http://Avan.Tech http://wikisuite.org )


    This will assume you are logged into the server via ssh as root.

    Install git if you don't already have it.

    yum install git

    Ok time to install

    cd /usr/local
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    service httpd stop

    Now create your certificate. Replace yourdomainname with your domain name :)


    sudo ./letsencrypt-auto certonly --standalone -d yourdomainname --debug

    If all goes well you should receive the following message

    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/yourdomainname/fullchain.pem. Your cert
    will expire on ........ To obtain a new or tweaked version of
    this certificate in the future, simply run letsencrypt-auto again.
    To non-interactively renew *all* of your certificates, run
    "letsencrypt-auto renew"
    - If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le



    OK so now set up the web server to use the certificates.

    vi /etc/httpd/conf.d/ssl.conf

    change the following lines

    SSLCertificateFile /etc/letsencrypt/live/yourdomainname/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomainname/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/yourdomainname/chain.pem


    Restart your httpd service

    service httpd restart


    If everything goes well your https connection is now using the Letsencrypt certificate.


    cheers,
    Frank
  • Accepted Answer

    JD
    Saturday, August 06 2016, 02:52 PM - #Permalink
    Resolved
    2 votes
    Frank, I too am interested in seeing the community's response regarding the use and integration of the LetsEncrypt SSL certificate generator and the LetsEncrypt project in general. I am curious about the steps you chose to get the SSL working on your server.

    Which client did you select?
    Were you able to use Certificate Manager external certificate with the ClearOS Webconfig System Settings or did you use command line?

    I haven't seen much discussion regarding LetsEncrypt and its functionality with ClearOS 7; ironically I was researching this very subject when your post appeared in this forum.

    Very interested in your input,
    JD
  • Accepted Answer

    Monday, August 08 2016, 08:27 AM - #Permalink
    Resolved
    0 votes
    Hi Frank,

    Very interesting.
    Can you give a small howto regarding the steps you took to get LetsEncrypt working?
  • Accepted Answer

    Tuesday, August 09 2016, 04:49 PM - #Permalink
    Resolved
    0 votes
    Hi Frank,

    Many thanks for your clear howto.
    I've followed your steps and the certificates are made and installed.
    Only, how can I check if it is working? I still see the ClearOS self-signed certificate on the site.
  • Accepted Answer

    Tuesday, August 09 2016, 05:00 PM - #Permalink
    Resolved
    0 votes
    I'm following this with interest for when I go over to 7.x and note that certbot is available packaged from EPEL so you possibly don't have to go down the git route.
  • Accepted Answer

    Tuesday, August 09 2016, 05:05 PM - #Permalink
    Resolved
    0 votes
    Can you maybe add the certificates in the webconfig? https://server:81/app/certificate_manager/external/add

    For the webconfig you need to add the certificates for port :443
    /etc/httpd/conf.d/flex-443.conf is generated by webconfig automatically.
  • Accepted Answer

    Tuesday, August 09 2016, 06:15 PM - #Permalink
    Resolved
    0 votes
    Non-flexshare websites, so possibly in /var/www/html and so on, I believe use certificates referenced from /etc/httpd/conf.d/ssl.conf. Flexshare web sites use /etc/httpd/conf.d/flex-443.conf, which, as you say, is generated automatically. This means you need to edit the file and point it to your new certificates then set the immutable bit so ClearOS can't change it - but you need to remember you've done it!
  • Accepted Answer

    Tuesday, August 09 2016, 06:52 PM - #Permalink
    Resolved
    0 votes
    Thanks for your reply Patrick

    Patrick de Brabander wrote:

    Can you maybe add the certificates in the webconfig? https://server:81/app/certificate_manager/external/add

    For the webconfig you need to add the certificates for port :443
    /etc/httpd/conf.d/flex-443.conf is generated by webconfig automatically.




    Letsencrypt produces 4 files.

    cert1.pem
    chain1.pem
    fullchain1.pem
    privkey1.pem


    The certificate manager is looking for

    Certificate file which I suspect is cert1.pem
    Key File which I suspect is privkey1.pem
    Intermediate file which I suspect may be the fullchain1.pem??

    It seems to be OK when I enter the information and add it.

    When I view it I get the following


    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    xxx
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    Validity
    Not Before: Jun 20 19:50:00 2016 GMT
    Not After : Sep 18 19:50:00 2016 GMT
    Subject: CN=yourdomainname
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:

    bunch of stuff


    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
    CA:FALSE
    X509v3 Subject Key Identifier: xxx

    X509v3 Authority Key Identifier:
    keyid: xxx


    Authority Information Access:
    OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
    CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

    X509v3 Subject Alternative Name:
    DNS: xxx
    X509v3 Certificate Policies:
    Policy: 2.23.140.1.2.1
    Policy: 1.3.6.1.4.1.44947.1.1.1
    CPS: http://cps.letsencrypt.org
    User Notice:
    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

    Signature Algorithm: sha256WithRSAEncryption
    xxx


    I looked in the /etc/httpd/conf.d directory but could not see a flex-443.conf file.

    authnz_external.conf autoindex.conf php.conf README ssl.conf userdir.conf welcome.conf.rpmsave
    authz_unixgroup.conf geoip.conf phpMyAdmin.conf roundcubemail.conf ssl.conf.rpmsave welcome.conf



    It is mentioned that flex-443.conf is generated so I am wondering if there was something I did wrong. Perhaps I'm using the wrong files when adding an external certificate in the certificate manager?

    Kindest regards,
    Frank
  • Accepted Answer

    Tuesday, August 09 2016, 07:21 PM - #Permalink
    Resolved
    0 votes
    Hi Frank,

    Did you enable SSL for your default website?

    http://i67.tinypic.com/ixy460.png

    And after you installed the Let's Encrypt certificate in the webconfig, can you select a different certificate here?
  • Accepted Answer

    Tuesday, August 09 2016, 09:09 PM - #Permalink
    Resolved
    0 votes
    Adding the certificate files into webconfig worked for my default website.
    Webconfig will adjust the .conf file with the new certificates.


    For the webconfig (port 81) see also : post

    ClearOS Webconfig

    We need to edit a file in clearos.

    /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf

    replace :
    SSLCertificateFile /etc/pki/tls/certs/domain.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/domain.key

    with:
    SSLCertificateFile /etc/clearos/certificate_manager.d/LetsEncrypt.crt
    SSLCertificateKeyFile /etc/clearos/certificate_manager.d/LetsEncrypt.key
    (name and location are created by webconfig after adding the certificates)

    Restart clearos webconfig

    service webconfig restart



    Now I need to make a cronjob for the 2-monthly update!!
  • Accepted Answer

    Wednesday, August 10 2016, 09:05 AM - #Permalink
    Resolved
    1 votes
    Hi,

    I've made a cronjob for the automatic update which may be helpful.


    letsencrypt.sh

    #!/bin/bash
    # Renew the Let's Encrypt certificate, then copy it to the ClearOS certificate manager.

    cd /usr/local/letsencrypt/ || exit 1
    ./letsencrypt-auto --config /etc/letsencrypt/cli.ini -d www.yourdomain.nl certonly

    if [ $? -ne 0 ]
    then
        # Renewal failed: mail the tail of the log and leave the installed files alone.
        ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
        echo -e "The Lets Encrypt Cert has not been renewed! \n \n$ERRORLOG" | mail -s "Lets Encrypt Cert Alert" [email protected]
    else

        service httpd stop

        # The directory under /etc/letsencrypt/live/ is named after the first -d name
        # used when the certificate was created; adjust the source paths to match.
        cp -f /etc/letsencrypt/live/yourdomain.nl/cert.pem /etc/clearos/certificate_manager.d/LetsEncrypt.crt
        cp -f /etc/letsencrypt/live/yourdomain.nl/privkey.pem /etc/clearos/certificate_manager.d/LetsEncrypt.key
        cp -f /etc/letsencrypt/live/yourdomain.nl/fullchain.pem /etc/clearos/certificate_manager.d/LetsEncrypt.intermediate

        # Webconfig owns the certificate manager files.
        chown webconfig:webconfig /etc/clearos/certificate_manager.d/LetsEncrypt.crt
        chown webconfig:webconfig /etc/clearos/certificate_manager.d/LetsEncrypt.key
        chown webconfig:webconfig /etc/clearos/certificate_manager.d/LetsEncrypt.intermediate

        # Readable by the owner only.
        chmod 600 /etc/clearos/certificate_manager.d/LetsEncrypt.crt
        chmod 600 /etc/clearos/certificate_manager.d/LetsEncrypt.key
        chmod 600 /etc/clearos/certificate_manager.d/LetsEncrypt.intermediate

        # Reload both web servers so they pick up the new files.
        service httpd restart
        service webconfig restart

    fi

    exit 0




    cli.ini

    authenticator = webroot
    webroot-path = /var/www/html
    server = https://acme-v01.api.letsencrypt.org/directory
    renew-by-default
    agree-tos
    email = [email protected]


    Please share your comments if you see some improvements ;)
  • Accepted Answer

    Wednesday, August 10 2016, 12:23 PM - #Permalink
    Resolved
    0 votes
    Hi Patrick,
    Just an idea, but instead of copying the files between /etc/letsencrypt/live/www.yourdomain.nl/ and /etc/clearos/certificate_manager.d/ and adjusting ownership and permissions, can you just symlink them?
  • Accepted Answer

    Wednesday, August 10 2016, 01:00 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Hi Patrick,
    Just an idea, but instead of copying the files between /etc/letsencrypt/live/www.yourdomain.nl/ and /etc/clearos/certificate_manager.d/ and adjusting ownership and permissions, can you just symlink them?

    Hi Nick,

    This crossed my mind, but because of the permissions, and being afraid of breaking something with webconfig, I've chosen this option.

    How is the certificate handled for WWW and non-WWW domains?
    Do I need 2 certificates?

    FOUND it:

    ./letsencrypt-auto --config /etc/letsencrypt/cli.ini -d www.yourdomain.nl -d yourdomain.nl certonly


    You can make both certificates and they will combine them into 1.
  • Accepted Answer

    Monday, August 22 2016, 05:13 PM - #Permalink
    Resolved
    0 votes
    Patrick de Brabander wrote:

    Hi,

    I've made a cronjob for the automatic update which may be helpful.



    I am trying to figure out how this cronjob works. Do you have to make a file somewhere or edit a file? Please share some more info. I got it all working except the cronjob for the auto renewal.

    Thanks
  • Accepted Answer

    Monday, August 22 2016, 05:27 PM - #Permalink
    Resolved
    0 votes
    Lex Vroemen wrote:

    Patrick de Brabander wrote:

    Hi,

    I've made a cronjob for the automatic update which may be helpful.



    I am trying to figure out how this cronjob works. Do you have to make a file somewhere or edit a file? Please share some more info. I got it all working except the cronjob for the auto renewal.

    Thanks


    Hello Lex,

    You must edit /etc/crontab and add the following line:
    0 4 1 */2 * root /PATH/letsencrypt.sh >> /var/log/letsencrypt


    The location (PATH) of the script file depends on where you have put the script.
    The frequency of the execution of the script can also be changed. It is now set to every 2 months.
  • Accepted Answer

    Monday, August 22 2016, 06:24 PM - #Permalink
    Resolved
    0 votes
    If you're happy for a script to run monthly, don't worry about crontab. Just place it in /etc/cron.monthly and make it executable. If you use crontab (as root), it creates a file /var/spool/cron/root.
  • Accepted Answer

    Monday, February 20 2017, 07:26 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    @Patrick,
    Interesting. How does this work? Do you set LetsEncrypt as the CA? If so, how do you generate user certificates for things like OpenVPN? I can't find any documentation on it.
    Please feel free to take this question privately if you don't think it lives here.
    Nick

    Hi Nick,

    In reply to another thread (LINK).
    I'm not using OpenVPN, but I'm using the SSL certificate for my HTTPS connections.
    How can I test the user certificates? If you can give me some help, I can test this for you.
  • Accepted Answer

    Monday, February 20 2017, 08:09 PM - #Permalink
    Resolved
    0 votes
    I am trying to imagine how this would work. Presumably you've used a LetsEncrypt CA, but ClearOS generates its own certificates for postfix (/etc/postfix/cert.pem and /etc/postfix/key.pem), cyrus-imap (/etc/postfix/cert.pem and /etc/postfix/key.pem but I don't know which CA it uses) and so on. OpenVPN generates certificates for each user. I would not have thought ClearOS could sign LetsEncrypt certificates so I'd love to know how this works. It would be good if it were documented.

    I'm hoping to have a scratch server that I can tinker around with soon. I'll have to have a little play.

    It would be nice if this feature were documented, or if it is documented, it would be good if I could find the document.

    [edit]
    Also, how does ClearOS handle the renewal?
    [/edit]
  • Accepted Answer

    Tuesday, February 21 2017, 03:10 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    I am trying to imagine how this would work. Presumably you've used a LetsEncrypt CA, but ClearOS generates its own certificates for postfix (/etc/postfix/cert.pem and /etc/postfix/key.pem), cyrus-imap (/etc/postfix/cert.pem and /etc/postfix/key.pem but I don't know which CA it uses) and so on. OpenVPN generates certificates for each user. I would not have thought ClearOS could sign LetsEncrypt certificates so I'd love to know how this works. It would be good if it were documented.

    I'm hoping to have a scratch server that I can tinker around with soon. I'll have to have a little play.

    It would be nice if this feature were documented, or if it is documented, it would be good if I could find the document.

    [edit]
    Also, how does ClearOS handle the renewal?
    [/edit]

    Nick,

    I've found this on the web:
    https://forums.openvpn.net/viewtopic.php?t=20973
    https://www.sideras.net/lets-encrypt-https-certificates-for-openvpn-as-access-server/
    Does this help you? Is this what you are looking for?
  • Accepted Answer

    Monday, August 07 2017, 06:38 AM - #Permalink
    Resolved
    0 votes
    Hi all,

    News from letsencrypt.org : Wildcard Certificates Coming January 2018
    Let’s Encrypt will begin issuing wildcard certificates in January of 2018.

    Tips :
    openssl x509 -checkend 86400

    helps you to check by script ($?) if the certificate will expire (or not) within the next 24 hours. And so, do not ask for a renewal if not required.
    I suggest scheduling the certificate renewal weekly due to the short lifetime of the cert.

    For OpenVPN I do not think official certificates are required because it is OpenVPN that checks the validity of the client certificate. And I don't think letsencrypt provides client certificates or a CA.
    Servers only, validated by domain name: this excludes client certificates.

    Can I use certificates from Let's Encrypt for code signing or email encryption?

    No. Email encryption and code signing require a different type of certificate than Let's Encrypt will be issuing.

    No other usage than servers.


    For email, I guess it could be interesting; however, I don't think letsencrypt provides client certificates.

    You also should edit /etc/letsencrypt/renewal/<domain>.conf to raise:
    renew_before_expiry = 5 days

    to a little higher value like 15 days.
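Added example, not code from any poster in this thread: the copy step of the renewal script and the `openssl x509 -checkend` tip above, combined into a POSIX shell check that refuses to install a certificate that is about to expire or a key that does not belong to it. The function names, the `.new` temporary suffix and the throwaway `example.test` certificate built in `selftest` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are this example's own.

# Succeeds (0) when CERT expires within SECONDS or cannot be parsed.
# "openssl x509 -checkend" exits 0 only if the certificate is still valid then.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Succeeds when private key KEY belongs to certificate CERT, by comparing the
# public key carried in each. A file that fails to parse never matches.
key_matches_cert() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# install_checked CERT KEY DEST_DIR NAME
# Copies the pair to DEST_DIR/NAME.crt and DEST_DIR/NAME.key only if every
# check passes. Return codes: 2 unreadable input, 3 certificate expiring within
# 24 hours (or unparsable), 4 key does not match, 5 copy failed.
# Ownership (the thread's script uses chown webconfig:webconfig) is left to
# the caller because it needs root.
install_checked() (
    cert=$1; key=$2; dest=$3; name=$4
    { [ -r "$cert" ] && [ -r "$key" ] && [ -d "$dest" ]; } || exit 2
    if cert_expires_within "$cert" 86400; then exit 3; fi
    key_matches_cert "$cert" "$key" || exit 4
    # Write under temporary names with their final modes, then rename, so a
    # restarting web server never reads a half-written or world-readable key.
    # The certificate itself is public; only the key needs mode 600.
    install -m 644 "$cert" "$dest/$name.crt.new" || exit 5
    install -m 600 "$key" "$dest/$name.key.new" || exit 5
    mv -f "$dest/$name.crt.new" "$dest/$name.crt" || exit 5
    mv -f "$dest/$name.key.new" "$dest/$name.key" || exit 5
)

# Constructed sample input: a throwaway self-signed pair and an unrelated key.
# Returns 0 when a matching pair installs and a mismatched pair is refused.
selftest() (
    t=$(mktemp -d) || exit 1
    trap 'rm -rf "$t"' EXIT
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.test" \
        -keyout "$t/privkey.pem" -out "$t/cert.pem" >/dev/null 2>&1 || exit 1
    openssl genrsa -out "$t/other.pem" 2048 >/dev/null 2>&1 || exit 1
    mkdir "$t/dest" || exit 1
    install_checked "$t/cert.pem" "$t/privkey.pem" "$t/dest" LetsEncrypt || exit 1
    rc=0
    install_checked "$t/cert.pem" "$t/other.pem" "$t/dest" Wrong || rc=$?
    [ "$rc" -eq 4 ] && [ ! -e "$t/dest/Wrong.key" ]
)

# Usage: script.sh selftest
#        script.sh CERT KEY DEST_DIR NAME
case "${1:-}" in
    "") : ;;
    selftest) selftest ;;
    *) install_checked "$@" ;;
esac
```

Restart httpd and webconfig only when `install_checked` returns 0, so a failed renewal leaves the working certificate in place.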
  • Accepted Answer

    Monday, August 07 2017, 09:30 AM - #Permalink
    Resolved
    0 votes
    Hi Taryck,
    If you use Certbot, they recommend checking certificate validity automatically twice daily. I find this a bit OTT as they issue a three month certificate and renew it after 2. I've just set a simple job in cron.daily and it looks after the renewal in the background.

    OpenVPN is a red herring. I was thinking Letsencrypt replaces the root certificate and would then be used for signing OpenVPN certificates. That thought was way off the mark. Treat them as being independent. OpenVPN uses a weird validation as both the certificate and key must be in the client. I believe it then validates the certificate against the key then checks the CA is still the CA published by the OpenVPN server. It can also check for a CRL on the server, and that is it. It has a big down-side for ClearOS in that ClearOS OpenVPN is not configured to use CRLs and nor is the Certificate Manager so it means that once a certificate is issued it is impossible to invalidate it. There is a bug filed for this.

    For e-mail, don't go there or at least not in the way I did. I tried it and regretted it. It is easy enough to configure the e-mail server to use the Letsencrypt certificates and the certbot renewal program allows you to fire a post-renewal script. This means you can easily restart postfix/cyrus/whatever when necessary. The problem is that this certificate renewal then invalidates your certificate in your e-mail clients and you have to go round updating the clients before you can receive e-mails again.
  • Accepted Answer

    Wednesday, August 16 2017, 08:16 AM - #Permalink
    Resolved
    0 votes
    Hi Frank

    Thank you for the details on creating the certificate. In order to create the certificate, do you need to have a registered domain name? Or do you use the ClearOS domain name?
  • Accepted Answer

    Wednesday, August 16 2017, 10:09 AM - #Permalink
    Resolved
    0 votes
    You can use any name which resolves back to your current IP address and you can use more than one name at the same time so I, for example, have a certificate which covers both howitts.poweredbyclear.com and www.howitts.co.uk (and a few others).

    I use certbot to manage my certificates. Certificates are created under /etc/letsencrypt. Always point any app to the ones under /etc/letsencrypt/live as these symlink to the latest renewed ones under /etc/letsencrypt/archive which get renewed periodically.
  • Accepted Answer

    Wednesday, August 16 2017, 11:08 AM - #Permalink
    Resolved
    0 votes
    Hi Nick

    Thank you for your reply. When I use the ClearOS name, I am getting an error saying that the A/AAAA name does not exist. That suggests that I need a domain name?
  • Accepted Answer

    Wednesday, August 16 2017, 11:58 AM - #Permalink
    Resolved
    0 votes
    What are you using to create your certificates? I am not sure why it is making comments about A or AAAA records. As far as I am aware all mine are CNAME records. What is important is that they resolve back to your IP address. Does your poweredbyclear.com FQDN resolve back to your IP address? Have a look in Webconfig > cloud > services > Dynamic DNS. Your fqdn is a combination of the subdomain and domain. If you do not like your subdomain, change it to something more memorable.
  • Accepted Answer

    Wednesday, August 16 2017, 01:45 PM - #Permalink
    Resolved
    0 votes
    Hi Nick

    Sorry to be a pain. Still having issues. It is timing out. Whole load of errors but at the end it says: urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

    Any ideas?
    Thank you
  • Accepted Answer

    Wednesday, August 16 2017, 02:04 PM - #Permalink
    Resolved
    0 votes
    Which letsencrypt client are you using?
    Which FQDN are you using?
    Does it resolve back to your IP address?
    Please also post the full error message between code tags. You can copy out of PuTTY just by selecting the text.

    Do you have a web server currently listening on 80 or 443? I think you need to have one.

    At the end of the day, google will be your friend.
  • Accepted Answer

    Wednesday, August 16 2017, 04:05 PM - #Permalink
    Resolved
    0 votes
    Hi Nick

    OK, got it working. In the end I specified port 80, opened port 80 for the validation, and that did the trick.

    The whole idea of the certificate was to solve the webconfig certs, but that wasn't the case. Am I missing something? Or did I create the certificates for web server only?
  • Accepted Answer

    Wednesday, August 16 2017, 04:33 PM - #Permalink
    Resolved
    0 votes
    It is probably slightly separate things. It looks like it needs somehow to be able to validate your IP address against the FQDN. Presumably it is doing some sort of http or https request to do this. The certificates you've created may possibly be used for the webconfig. If you do, you may need to use your poweredbyclear.com FQDN to access your webconfig and that means you'll need a hosts entry in your DNS server mapping it back to your LAN IP address, but I don't know for sure. I only use the certificate for my external web server.
  • Accepted Answer

    Friday, January 05 2018, 10:09 AM - #Permalink
    Resolved
    0 votes
    Oh oh, it's broken somewhere! I used the above method for quite some time, and now that I installed the letsencrypt app it showed the certificates made before, but when I request a new one I get the following:
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Could not choose appropriate plugin: Too many flags setting configurators/installers/authenticators 'webroot' -> 'apache'
    Too many flags setting configurators/installers/authenticators 'webroot' -> 'apache'
    Unfortunately the old way is also broken. Does somebody know what to do?
  • Accepted Answer

    Friday, January 05 2018, 02:29 PM - #Permalink
    Resolved
    0 votes
    I've just tried it and it is a WFM, unfortunately. My letsencrypt.log file starts:
    2018-01-05 14:10:12,676:DEBUG:certbot.main:certbot version: 0.19.0
    2018-01-05 14:10:12,676:DEBUG:certbot.main:Arguments: ['--apache', '--agree-tos', '-n', '-m', '[email protected]', '-d', 'subcomain.howitts.co.uk']
    2018-01-05 14:10:12,676:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2018-01-05 14:10:12,702:DEBUG:certbot.log:Root logging level set at 20
    2018-01-05 14:10:12,702:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2018-01-05 14:10:12,702:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
    2018-01-05 14:10:12,996:DEBUG:certbot_apache.configurator:Apache version is 2.4.6
    2018-01-05 14:10:13,191:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache


    Perhaps we need to unpick how you did your initial set up. I know mine broke when I tried setting a default web server (I never had one and just used files in /var/www/html) and ClearOS failed to create the bind mount from the default web site flexshare to /var/www/html.

    What is in your /etc/httpd/conf.d/flex-443.conf and what is the result of:
    findmnt | grep -e "\["
    sed -e '/\s*#.*$/d' -e '/^\s*$/d' /etc/httpd/conf/httpd.conf
    Please put the output in "code" tags so we can see it indented properly.

    Have you set the immutable bit anywhere as it is mentioned in the thread?