147
edits
Changes
Jump to navigation
Jump to search
Line 41:
Line 41: + + + + + Line 87:
Line 92: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
→Installation: add letsencrypt.sh instructions
== Installation ==
== Installation ==
Multiple clients are available for the Letsencrypt services. The official client from letsencrypt.org is quite full-featured, but has a number of dependencies that it needs to install. It also requires a newer version of Python than is included with a standard SME Server installation. SME Server 9.0 and later, in the 64-bit versions, support the use of Software Collections, which allow installation of Python 2.7 alongside the default Python 2.6 installation.
Users of SME Server 8.x, or those who would prefer a more lightweight client, can use an alternative. Letsencrypt.sh, documented below, is a shell script that requires no further dependencies that aren't installed by default on the SME Server.
=== Installation of Official Client ===
For the installation of Letsencrypt, the initial generation of the certificates and periodically re-new the authority certificates, at minimum Python version 2.7 is required. By default SME Server comes with a lower version, but below instruction will enable you to install version 2.7 in a 'supported' way, next to the default SME Server Python version. The newly installed Python version 2.7 will then only be used (after initial installation) for the renewal of the certificates (periodically and mandatory every 3 months).
For the installation of Letsencrypt, the initial generation of the certificates and periodically re-new the authority certificates, at minimum Python version 2.7 is required. By default SME Server comes with a lower version, but below instruction will enable you to install version 2.7 in a 'supported' way, next to the default SME Server Python version. The newly installed Python version 2.7 will then only be used (after initial installation) for the renewal of the certificates (periodically and mandatory every 3 months).
Once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
Once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
=== Installation of Letsencrypt.sh ===
Letsencrypt.sh is a lightweight alternative ACME client which will allow you to retrieve certificates from the Letsencrypt servers without needing to install any additional software on your server, other than git to download and install it. Begin by installing git:
yum install git
Then download the letsencrypt.sh client:
cd /etc
git clone https://github.com/lukas2511/letsencrypt.sh
You'll need to create two configuration files for letsencrypt.sh.
cd letsencrypt.sh
mkdir -p /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
nano -w domains.txt
In this file, you'll list every hostname that you want your certificate to cover, all on one line. It will look like this:
domain1.com www.domain1.com mail.domain1.com domain2.net www.domain2.net domain3.org ftp.domain3.org
Ctrl-X to exit, Y to save.
Second, you'll need to create the configuration file:
nano -w config.sh
It should look like this:
#!/bin/bash
# config.sh
WELLKNOWN=/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
# E-mail to use during the registration (default: <unset>)
CONTACT_EMAIL=admin@yourdomain.com
Ctrl-X to exit, Y to save.
You'll also need to create a custom template fragment for Apache:
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
nano -w /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts40ACME
The contents of that file should look like:
# Alias for letsencrypt
Alias /.well-known/acme-challenge /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
Again, Ctrl-X to exit, Y to save.
Expand the template and restart apache:
expand-template /etc/httpd/conf/httpd.conf
service httpd-e-smith restart
Now you're ready to run letsencrypt.sh and get your certificate.
/etc/letsencrypt.sh/letsencrypt.sh -c
The script will run for a moment and should report success. If it does, look in /etc/letsencrypt.sh/certs/YOURDOMAIN and see if you have your files there. You should see a number of .pem files, at least one .csr file, and five symbolic links (chain.pem, cert.csr, cert.pem, fullchain.pem, and privkey.pem). If you do, congratulations! You've successfully obtained your certificate.
Now you just need to configure your server to use the new certificate:
config setprop modSSL crt /etc/letsencrypt.sh/certs/yourdomain.com/cert.pem
config setprop modSSL key /etc/letsencrypt.sh/certs/yourdomain.com/privkey.pem
config setprop modSSL CertificateChainFile /etc/letsencrypt.sh/certs/yourdomain.com/chain.pem
signal-event post-upgrade && signal-event reboot
As above, once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
== Troubleshooting ==
== Troubleshooting ==