3,250
edits
Changes
From SME Server
Jump to navigationJump to searchupdate configuration
There are several configuration database entries that need to be made in order to set up this contrib. Most of them tell the scripts which hostnames need to be part of your certificate.
There are several configuration database entries that need to be made in order to set up this contrib. Most of them tell the scripts which hostnames need to be part of your certificate.
====Hosts and domains for the certificate====
=== Rush jobs ===
for the test ('''adjust the domains and hosts'''):
config setprop letsencrypt ACCEPT_TERMS yes status test
#foreach of your domains you want SSL do the following
db domains setprop '''domain1.com''' letsencryptSSLcert enabled
#foreach of your hosts (subdomains) you want SSL do the following
db hosts setprop '''www.domain1.com''' letsencryptSSLcert enabled
signal-event smeserver-letsencrypt-update
dehydrated -c
config setprop letsencrypt ACCEPT_TERMS yes status test API 2
#foreach of your domains you want SSL do the following
db domains setprop '''domain1.com''' letsencryptSSLcert enabled
#foreach of your hosts (subdomains) you want SSL do the following
db hosts setprop '''www.domain1.com''' letsencryptSSLcert enabled
signal-event console-save
dehydrated -c
Check that the certificates are available ( your browser will still issue an error, but you can explore the content of the certificate to see that the Let's Encrypt test CA was used to sign your SSL certificate and that all your domains and hosts are in the "Certificate Subject Alt Name" property.
for the production ('''adjust your email'''):
config setprop letsencrypt status enabled email '''admin@domain1.com'''
signal-event smeserver-letsencrypt-update
dehydrated -c -x
config setprop letsencrypt status enabled email '''admin@domain1.com'''
signal-event console-save
dehydrated -c -x
===Step by step configuration=======Hosts and domains for the certificate====
This contrib will obtain a single certificate from Let's Encrypt. The certificate will include all the domains and hostnames that:
This contrib will obtain a single certificate from Let's Encrypt. The certificate will include all the domains and hostnames that:
* Are configured on your SME Server (e.g., through the Server Manager), and
* Are configured on your SME Server (e.g., through the Server Manager), and
* domain1.com
* domain1.com
** www.domain1.com
** mail.domain1.com
** ftp.domain1.com
* domain2.com
* domain2.com
** www.domain2.com
** mail.domain2.com
For each DOMAIN that you want to be included in the certificate, run this command:
For each DOMAIN that you want to be included in the certificate, run this command:
db domains setprop $DOMAIN letsencryptSSLcert enabled
db domains setprop $DOMAIN letsencryptSSLcert enabled
With the system configuration described above, setting this to "domains" will obtain a certificate covering domain1.com and domain2.com, but not www.domain1.com, etc. Setting it to "hosts" will obtain a certificate covering www.domain1.com, mail.domain1.com, ftp.domain1.com, etc., but not domain1.com or domain2.com. Setting this property to "all" will include all domain names and hostnames in the certificate. '''see [[Letsencrypt#Some_challenges_complete_successfully_but_some_hostnames_fail|NOTE]] before setting this to "all"'''
With the system configuration described above, setting this to "domains" will obtain a certificate covering domain1.com and domain2.com, but not www.domain1.com, etc. Setting it to "hosts" will obtain a certificate covering www.domain1.com, mail.domain1.com, ftp.domain1.com, etc., but not domain1.com or domain2.com. Setting this property to "all" will include all domain names and hostnames in the certificate. '''see [[Letsencrypt#Some_challenges_complete_successfully_but_some_hostnames_fail|NOTE]] before setting this to "all"'''
====Other configuration properties====
==== Enable test mode ====
After installing and configuring all the domains and hosts, the next step is to use test mode, which is enabled by default. This will obtain certificates from the staging server. The rate limits discussed in the introduction won't apply, so any errors or other issues won't prevent you from obtaining your production certificate. Enable test mode using this command:
config setprop letsencrypt status test
config setprop letsencrypt status test
signal-event console-save
signal-event console-save
If this runs without errors, try to connect to your server-manager page. You should see an error that the security certificate wasn't issued by a trusted certification authority; this is perfectly normal. However, there should be a certificate, it should include all the hostnames you wanted included, and it should be valid for the next ninety days. If this was successful, proceed to production.
If this runs without errors, try to connect to your server-manager page. You should see an error that the security certificate wasn't issued by a trusted certification authority; this is perfectly normal. However, there should be a certificate, it should include all the hostnames you wanted included, and it should be valid for the next ninety days. If this was successful, proceed to production.
===Enable Production Mode===
====Enable Production Mode====
Once you've successfully tested your installation, set it to production mode using these commands:
Once you've successfully tested your installation, set it to production mode using these commands:
Once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
Once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
===Archive old certificates===
====Archive old certificates====
A new function lets you cleanup old and archive old certificates.
A new function lets you cleanup old and archive old certificates.
dehydrated --cleanup (-gc)
dehydrated --cleanup (-gc)
===Rush jobs===
===Configuration properties===
{| class="wikitable"
!Key
!property
!default
!values
!
|-
| rowspan="10" |letsencrypt
|ACCEPT_TERMS
|
|empty, yes
|set to yes to accept terms of service, if left empty the contrib will not work.
|-
|API
|2
|1,2
|deprecated, will always be v2, as v1 is deprecated as per june 2021
|-
|configure
|none
|none,all,domains,hosts
|this will change the default behaviour on non explicitly domains or hosts with "letsencryptSSLcert enabled". By default will not be used, if hosts is set will ask a cert for all hosts, if domains is set will ask a cert for all domains, if all is set, will ask for both domains and hosts. In all situation it will ask a cert for domains/hosts where "letsencryptSSLcert enabled" is set and it is not set to "letsencryptSSLcert disabled"
|-
|email
|
|email
|enter the email to create account and recieve updates from Let's Encrypt
|-
|hookScript
|disabled
|enabled,disabled
|will trigger advanced hook script if enabled, even if disabled the part to signal-event ssl-update to propagate the cert will run.
|-
|hostOverride
|disabled
|yes,disabled
|default disabled, if disabled will only ask cert for hosts (if selected accodring to configure and "letsencryptSSLcert enabled") for hosts with type=Self. If set to yes will include any listed hosts wether remote or local.
|-
|keysize
|4096
|base 2 number
|length of your certificate's private key, if you don't want the '''default of 4096''' bits. This should not be necessary in most cases, but if desired, use this command to do so:
|-
|
|
|
|
|-
|
|
|
|
|-
|status
|test
|enabled,disabled,test
|default status is disabled, '''First set it to test''' to connect to the test server of let's Encrypt to check if your server is well configured. After checking everything is ok, you can set it to enabled.
|}
== Troubleshooting ==
== Troubleshooting ==
