Issue
Letsencrypt ClearOS 7
Hello all,
I recently installed ClearOS and have several apps running now. What I wish to ask about is the use of generated SSL certificates.
I am taking advantage of the freely available open source LetsEncrypt SSL certificate generator product (http://letsencrypt.org). The certificate has been installed successfully and is used for other web-based applications on my ClearOS install.
I would like to also use the generated certificate for port 81. Has anyone been able to do this?
kindest regards,
Frank
Responses (31)
Accepted Answer
Frank, I too am interested in seeing the community's response regarding the use and integration of the LetsEncrypt SSL certificate generator and the LetsEncrypt project in general. I am curious about the steps you chose to get the SSL working on your server.
Which client did you select?
Were you able to use Certificate Manager external certificate with the ClearOS Webconfig System Settings or did you use command line?
I haven't seen much discussion regarding LetsEncrypt and its functionality with ClearOS 7; ironically, I was researching this very subject when your post appeared in this forum.
Very interested in your input,
JD
Accepted Answer
Hi,
I've made a cronjob for the automatic update which may be helpful.
letsencrypt.sh
#!/bin/bash
# Request/renew the certificate with the settings from cli.ini (webroot authenticator)
cd /usr/local/letsencrypt/ || exit 1
./letsencrypt-auto --config /etc/letsencrypt/cli.ini -d www.yourdomain.nl certonly
if [ $? -ne 0 ]
then
  # Renewal failed: mail the end of the letsencrypt log to the admin
  ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
  echo -e "The Lets Encrypt Cert has not been renewed! \n \n$ERRORLOG" | mail -s "Lets Encrypt Cert Alert" [email protected]
else
  # Renewal succeeded: copy the new files where ClearOS Certificate Manager
  # keeps external certificates (names as created by webconfig)
  service httpd stop
  cp -f /etc/letsencrypt/live/yourdomain.nl/cert.pem /etc/clearos/certificate_manager.d/LetsEncrypt.crt
  cp -f /etc/letsencrypt/live/yourdomain.nl/privkey.pem /etc/clearos/certificate_manager.d/LetsEncrypt.key
  cp -f /etc/letsencrypt/live/yourdomain.nl/fullchain.pem /etc/clearos/certificate_manager.d/LetsEncrypt.intermediate
  # webconfig expects the files to be owned by webconfig and not world-readable
  chown webconfig:webconfig /etc/clearos/certificate_manager.d/LetsEncrypt.crt
  chown webconfig:webconfig /etc/clearos/certificate_manager.d/LetsEncrypt.key
  chown webconfig:webconfig /etc/clearos/certificate_manager.d/LetsEncrypt.intermediate
  chmod 600 /etc/clearos/certificate_manager.d/LetsEncrypt.crt
  chmod 600 /etc/clearos/certificate_manager.d/LetsEncrypt.key
  chmod 600 /etc/clearos/certificate_manager.d/LetsEncrypt.intermediate
  # Reload both web servers so they pick up the new certificate
  service httpd restart
  service webconfig restart
fi
exit 0
cli.ini
authenticator = webroot
webroot-path = /var/www/html
server = https://acme-v01.api.letsencrypt.org/directory
renew-by-default
agree-tos
email = [email protected]
Please share your comments if you see any improvements.
Accepted Answer
Hi Frank,
Very interesting.
Can you give a small how-to regarding the steps you took to get LetsEncrypt working?
Accepted Answer
Certainly. I've used Letsencrypt on a couple of Ubuntu servers, so the instructions were a little different. Needless to say, those servers are scheduled to be changed to ClearOS.
I was able to get things going on my ClearOS install with thanks to the assistance from Marc Laporte and Xavier de Pedro at Wikisuite ( http://Avan.Tech http://wikisuite.org )
This will assume you are logged into the server via ssh as root.
Install git if you don't already have it.
yum install git
OK, time to install:
cd /usr/local
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
service httpd stop
Now create your certificate. Replace yourdomainname with your domain name
sudo ./letsencrypt-auto certonly --standalone -d yourdomainname --debug
If all goes well you should receive the following message
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/yourdomainname/fullchain.pem. Your cert
will expire on ........ To obtain a new or tweaked version of
this certificate in the future, simply run letsencrypt-auto again.
To non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
OK so now set up the web server to use the certificates.
vi /etc/httpd/conf.d/ssl.conf
change the following lines
SSLCertificateFile /etc/letsencrypt/live/yourdomainname/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomainname/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/yourdomainname/chain.pem
Restart your httpd service
service httpd restart
If everything goes well your https connection is now using the Letsencrypt certificate.
cheers,
Frank
Accepted Answer
I'm following this with interest for when I go over to 7.x, and note that certbot is available packaged from EPEL, so you possibly don't have to go down the git route.
Accepted Answer
Can you maybe add the certificates in the webconfig? https://server:81/app/certificate_manager/external/add
For the webconfig you need to add the certificates for port :443
/etc/httpd/conf.d/flex-443.conf is generated by webconfig automatically.
Accepted Answer
Non-flexshare websites, so possibly in /var/www/html and so on, I believe use certificates referenced from /etc/httpd/conf.d/ssl.conf. Flexshare web sites use /etc/httpd/conf.d/flex-443.conf, which, as you say, is generated automatically. This means you need to edit the file and point it to your new certificates then set the immutable bit so ClearOS can't change it - but you need to remember you've done it!
Accepted Answer
Thanks for your reply Patrick
Patrick de Brabander wrote:
Can you maybe add the certificates in the webconfig? https://server:81/app/certificate_manager/external/add
For the webconfig you need to add the certificates for port :443
/etc/httpd/conf.d/flex-443.conf is generated by webconfig automatically.
Letsencrypt produces 4 files.
cert1.pem
chain1.pem
fullchain1.pem
privkey1.pem
The certificate manager is looking for
Certificate file which I suspect is cert1.pem
Key File which I suspect is privkey1.pem
Intermediate file, which I suspect may be the fullchain1.pem?
It seems to be OK when I enter the information, and it adds it.
When I view it I get the following
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xxx
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Jun 20 19:50:00 2016 GMT
            Not After : Sep 18 19:50:00 2016 GMT
        Subject: CN=yourdomainname
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    bunch of stuff
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                xxx
            X509v3 Authority Key Identifier:
                keyid:xxx
            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
            X509v3 Subject Alternative Name:
                DNS:xxx
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
    Signature Algorithm: sha256WithRSAEncryption
         xxx
I looked in the /etc/httpd/conf.d directory but could not see a flex-443.conf file.
authnz_external.conf autoindex.conf php.conf README ssl.conf userdir.conf welcome.conf.rpmsave
authz_unixgroup.conf geoip.conf phpMyAdmin.conf roundcubemail.conf ssl.conf.rpmsave welcome.conf
It is mentioned that flex-443.conf is generated, so I am wondering if there was something I did wrong. Perhaps I'm using the wrong files when adding an external certificate in the certificate manager?
Kindest regards,
Frank
Accepted Answer
Adding the certificate files into webconfig worked for my default website.
Webconfig will adjust the .conf file with the new certificates.
For the webconfig (port 81) see also : post
ClearOS Webconfig
We need to edit a file in clearos.
/usr/clearos/sandbox/etc/httpd/conf.d/framework.conf
replace :
SSLCertificateFile /etc/pki/tls/certs/domain.crt
SSLCertificateKeyFile /etc/pki/tls/certs/domain.key
with:
SSLCertificateFile /etc/clearos/certificate_manager.d/LetsEncrypt.crt
SSLCertificateKeyFile /etc/clearos/certificate_manager.d/LetsEncrypt.key
(Name and location are set by webconfig after adding the certificates.)
Restart clearos webconfig
service webconfig restart
Now I need to make a cronjob for the two-monthly update!!
Accepted Answer
Hi Patrick,
Just an idea, but instead of copying the files between /etc/letsencrypt/live/www.yourdomain.nl/ and /etc/clearos/certificate_manager.d/ and adjusting ownership and permissions, can you just symlink them?
Accepted Answer
Nick Howitt wrote:
Hi Patrick,
Just an idea, but instead of copying the files between /etc/letsencrypt/live/www.yourdomain.nl/ and /etc/clearos/certificate_manager.d/ and adjusting ownership and permissions, can you just symlink them?
Hi Nick,
This crossed my mind, but because of the permissions, and being afraid of breaking something with webconfig, I've chosen this option.
How is the certificate handled for WWW and non-WWW domains?
Do I need 2 certificates?
FOUND it:
./letsencrypt-auto --config /etc/letsencrypt/cli.ini -d www.yourdomain.nl -d yourdomain.nl certonly
You can request both names and they will be combined into 1 certificate.
Accepted Answer
Patrick de Brabander wrote:
Hi,
I've made a cronjob for the automatic update which may be helpful.
I am trying to figure out how this cronjob works. Do you have to make a file somewhere or edit a file? Please share some more info. I got it all working except the cronjob for the auto renewal.
Thanks
Accepted Answer
Lex Vroemen wrote:
Patrick de Brabander wrote:
Hi,
I've made a cronjob for the automatic update which may be helpful.
I am trying to figure out how this cronjob works. Do you have to make a file somewhere or edit a file? Please share some more info. I got it all working except the cronjob for the auto renewal.
Thanks
Hello Lex,
You must edit /etc/crontab and add the following line:
0 4 1 */2 * root /PATH/letsencrypt.sh >> /var/log/letsencrypt
The location (PATH) of the script file depends on where you have put the script.
The same goes for the frequency of execution of the script; it is now set to every 2 months.
Accepted Answer
Nick Howitt wrote:
@Patrick,
Interesting. How does this work? Do you set LetsEncrypt as the CA? If so, how do you generate user certificates for things like OpenVPN? I can't find any documentation on it.
Please feel free to take this question privately if you don't think it lives here.
Nick
Hi Nick,
In reply to another thread (LINK).
I'm not using OpenVPN, but I'm using the SSL certificate for my HTTPS connections.
How can I test the user certificates? If you can help me, I can test this for you.
Accepted Answer
I am trying to imagine how this would work. Presumably you've used a LetsEncrypt CA, but ClearOS generates its own certificates for postfix (/etc/postfix/cert.pem and /etc/postfix/key.pem), cyrus-imap (/etc/postfix/cert.pem and /etc/postfix/key.pem, but I don't know which CA it uses) and so on. OpenVPN generates certificates for each user. I would not have thought ClearOS could sign LetsEncrypt certificates, so I'd love to know how this works. It would be good if it were documented.
I'm hoping to have a scratch server that I can tinker around with soon. I'll have to have a little play.
It would be nice if this feature were documented, or if it is documented, it would be good if I could find the document.
[edit]
Also, how does ClearOS handle the renewal?
[/edit]
Accepted Answer
Nick Howitt wrote:
I am trying to imagine how this would work. Presumably you've used a LetsEncrypt CA, but ClearOS generates its own certificates for postfix (/etc/postfix/cert.pem and /etc/postfix/key.pem), cyrus-imap (/etc/postfix/cert.pem and /etc/postfix/key.pem, but I don't know which CA it uses) and so on. OpenVPN generates certificates for each user. I would not have thought ClearOS could sign LetsEncrypt certificates, so I'd love to know how this works. It would be good if it were documented.
I'm hoping to have a scratch server that I can tinker around with soon. I'll have to have a little play.
It would be nice if this feature were documented, or if it is documented, it would be good if I could find the document.
[edit]
Also, how does ClearOS handle the renewal?
[/edit]
Nick,
I've found this on the web :
https://forums.openvpn.net/viewtopic.php?t=20973
https://www.sideras.net/lets-encrypt-https-certificates-for-openvpn-as-access-server/
Does this help you? Is this what you are looking for?
Accepted Answer
Hi all,
News from letsencrypt.org : Wildcard Certificates Coming January 2018
Let’s Encrypt will begin issuing wildcard certificates in January of 2018.
Tips :
openssl x509 -checkend 86400
helps you to check by script ($?) whether the certificate will expire (or not) within the next 24 hours, and so not ask for a renewal if it is not required.
I suggest scheduling the certificate renewal weekly because of the short lifetime of the cert.
For OpenVPN I do not think official certificates are required, because it is OpenVPN that checks the validity of the client certificate. And I don't think letsencrypt provides client certificates or a CA.
Servers only, validated by domain name: this excludes client certificates.
Can I use certificates from Let's Encrypt for code signing or email encryption?
No. Email encryption and code signing require a different type of certificate than Let's Encrypt will be issuing.
No other usage than servers.
For email, I guess it could be interesting; however, I don't think letsencrypt provides client certificates.
You also should edit /etc/letsencrypt/renewal/<domain>.conf to raise:
renew_before_expiry = 5 days
to a little higher value like 15 days.
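Putting Patrick's copy script and Taryck's -checkend tip together, here is an added example (not code from anyone in this thread) of a renewal wrapper that only calls letsencrypt-auto when fewer than 15 days remain, checks that privkey.pem actually belongs to cert.pem before installing, and then places the files where Certificate Manager expects them. The domain, alert address and the letsencrypt-auto/cli.ini paths are placeholders taken from the earlier posts.

```shell
#!/bin/bash
# Added example (not Patrick's script from this thread): renew only when the
# certificate is close to expiry (openssl x509 -checkend, Taryck's tip), verify
# that privkey.pem really belongs to cert.pem, then install the files where
# ClearOS Certificate Manager expects them. Assumed: the certbot/letsencrypt-auto
# layout under /etc/letsencrypt/live/<domain>/ and the LetsEncrypt.* names used
# earlier in the thread; DOMAIN and ALERT_TO are placeholders.
set -u

DOMAIN="${DOMAIN:-yourdomain.nl}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"
CM_DIR="${CM_DIR:-/etc/clearos/certificate_manager.d}"
RENEW_WINDOW="${RENEW_WINDOW:-$((15 * 86400))}"   # renew with < 15 days left
ALERT_TO="${ALERT_TO:-root}"

# Exit 0 when the certificate expires within $2 seconds, is already expired,
# or cannot be read, i.e. whenever a renewal should be attempted.
cert_needs_renewal() {
    local cert="$1" window="$2"
    [ -r "$cert" ] || return 0
    ! openssl x509 -noout -checkend "$window" -in "$cert" 2>/dev/null
}

# Exit 0 when the public key inside the certificate equals the public half of
# the private key (catches a stale or mixed-up privkey.pem before it is installed).
key_matches_cert() {
    local cert="$1" key="$2" c k
    c=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Copy one file into Certificate Manager owned by webconfig, mode 0600, as
# Patrick's script does with cp/chown/chmod.
install_cm_file() {
    install -o webconfig -g webconfig -m 0600 "$1" "$CM_DIR/$2"
}

main() {
    if ! cert_needs_renewal "$LIVE_DIR/cert.pem" "$RENEW_WINDOW"; then
        echo "certificate valid for more than $((RENEW_WINDOW / 86400)) days; nothing to do"
        return 0
    fi
    # webroot authenticator from cli.ini, so httpd keeps running during renewal
    if ! /usr/local/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/cli.ini \
            -d "$DOMAIN" -d "www.$DOMAIN" certonly; then
        tail -n 20 /var/log/letsencrypt/letsencrypt.log |
            mail -s "Lets Encrypt renewal failed for $DOMAIN" "$ALERT_TO"
        return 1
    fi
    if ! key_matches_cert "$LIVE_DIR/cert.pem" "$LIVE_DIR/privkey.pem"; then
        echo "cert.pem and privkey.pem do not match; not installing" >&2
        return 1
    fi
    install_cm_file "$LIVE_DIR/cert.pem"    LetsEncrypt.crt
    install_cm_file "$LIVE_DIR/privkey.pem" LetsEncrypt.key
    # chain.pem holds only the intermediate CA; fullchain.pem would repeat the leaf
    install_cm_file "$LIVE_DIR/chain.pem"   LetsEncrypt.intermediate
    service httpd restart && service webconfig restart
}

# Weekly cron entry, e.g. "0 4 * * 0 root /PATH/letsencrypt-renew.sh run".
# Without the "run" argument the file only defines the functions.
[ "${1:-}" = "run" ] && main
```

Because the expiry check happens first, the weekly schedule Taryck suggests costs nothing on the weeks where the certificate still has more than 15 days left.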
Accepted Answer
Hi Taryck,
If you use Certbot, they recommend checking certificate validity automatically twice daily. I find this a bit OTT, as they issue a three-month certificate and renew it after 2. I've just set a simple job in cron.daily and it looks after the renewal in the background.
OpenVPN is a red herring. I was thinking Letsencrypt replaces the root certificate and would then be used for signing OpenVPN certificates. That thought was way off the mark. Treat them as being independent. OpenVPN uses a weird validation, as both the certificate and key must be in the client. I believe it then validates the certificate against the key, then checks the CA is still the CA published by the OpenVPN server. It can also check for a CRL on the server, and that is it. It has a big downside for ClearOS in that ClearOS OpenVPN is not configured to use CRLs and nor is the Certificate Manager, so it means that once a certificate is issued it is impossible to invalidate it. There is a bug filed for this.
For e-mail, don't go there, or at least not in the way I did. I tried it and regretted it. It is easy enough to configure the e-mail server to use the Letsencrypt certificates, and the certbot renewal program allows you to fire a post-renewal script. This means you can easily restart postfix/cyrus/whatever when necessary. The problem is that this certificate renewal then invalidates your certificate in your e-mail clients and you have to go round updating the clients before you can receive e-mails again.
Accepted Answer
You can use any name which resolves back to your current IP address and you can use more than one name at the same time so I, for example, have a certificate which covers both howitts.poweredbyclear.com and www.howitts.co.uk (and a few others).
I use certbot to manage my certificates. Certificates are created under /etc/letsencrypt. Always point any app to the ones under /etc/letsencrypt/live as these symlink to the latest renewed ones under /etc/letsencrypt/archive which get renewed periodically.
Accepted Answer
What are you using to create your certificates? I am not sure why it is making comments about A or AAAA records. As far as I am aware all mine are CNAME records. What is important is that they resolve back to your IP address. Does your poweredbyclear.com FQDN resolve back to your IP address? Have a look in Webconfig > cloud > services > Dynamic DNS. Your fqdn is a combination of the subdomain and domain. If you do not like your subdomain, change it to something more memorable.
Accepted Answer
Which letsencrypt client are you using?
Which FQDN are you using?
Does it resolve back to your IP address?
Please also post the full error message between code tags. You can copy out of PuTTY just by selecting the text.
Do you have a web server currently listening on 80 or 443? I think you need to have one.
At the end of the day, google will be your friend.
Accepted Answer
Hi Nick
OK, got it working. At the end I specified port 80, opened port 80 for the validation, and that did the trick.
The whole idea of the certificate was to solve the webconfig certs, but that wasn't the case. Am I missing something? Or did I create the certificates for the web server only?
Accepted Answer
It is probably slightly separate things. It looks like it needs somehow to be able to validate your IP address against the FQDN. Presumably it is doing some sort of http or https request to do this. The certificates you've created may possibly be used for the webconfig. If you do, you may need to use your poweredbyclear.com FQDN to access your webconfig, and that means you'll need a hosts entry in your DNS server mapping it back to your LAN IP address, but I don't know for sure. I only use the certificate for my external web server.
Accepted Answer
Oh oh, it's broken somewhere! I used the above method for quite some time, and now that I have installed the letsencrypt app it showed the certificates made before, but when I request a new one I get the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: Too many flags setting configurators/installers/authenticators 'webroot' -> 'apache'
Too many flags setting configurators/installers/authenticators 'webroot' -> 'apache'
Unfortunately the old way is also broken. Does somebody know what to do?
Accepted Answer
I've just tried it and it is a WFM, unfortunately. My letsencrypt.log file starts:
2018-01-05 14:10:12,676:DEBUG:certbot.main:certbot version: 0.19.0
2018-01-05 14:10:12,676:DEBUG:certbot.main:Arguments: ['--apache', '--agree-tos', '-n', '-m', '[email protected]', '-d', 'subcomain.howitts.co.uk']
2018-01-05 14:10:12,676:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-01-05 14:10:12,702:DEBUG:certbot.log:Root logging level set at 20
2018-01-05 14:10:12,702:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-01-05 14:10:12,702:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2018-01-05 14:10:12,996:DEBUG:certbot_apache.configurator:Apache version is 2.4.6
2018-01-05 14:10:13,191:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Perhaps we need to unpick how you did your initial set up. I know mine broke when I tried setting a default web server (I never had one and just used files in /var/www/html) and ClearOS failed to create the bind mount from the default web site flexshare to /var/www/html.
What is in your /etc/httpd/conf.d/flex-443.conf and what is the result of:
findmnt | grep -e "\["
sed -e '/\s*#.*$/d' -e '/^\s*$/d' /etc/httpd/conf/httpd.conf
Please put the output in "code" tags so we can see it indented properly.
Have you set the immutable bit anywhere as it is mentioned in the thread?