Letsencrypt

From SME Server
Jump to navigation Jump to search
Warning.png Work in Progress:
This page is a Work in Progress. The contents off this page may be in flux, please have a look at this page history the to see list of changes.


PythonIcon.png Skill level: Advanced
The instructions on this page may require deviations from standard procedures. A good understanding of linux and Koozali SME Server is recommended.


Warning.png Warning:
This procedure change the default certificates and could significantly compromise your server's security.
Thorough understanding of linux system management is required.

Proceed at your own risk


Introduction

Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open. It's main purpose is to allow people to encrypt the internet traffic by a very simple system.

The certs delivered must be renewed every 3 months.

Installation

For the installation of Letsencrypt, the initial generation of the certificates and periodically re-new the authority certificates, at minimum Python version 2.7 is required. By default SME Server comes with a lower version, but below instruction will enable you to install version 2.7 in a 'supported' way, next to the default SME Server Python version. The newly installed Python version 2.7 will then only be used (after initial installation) for the renewal of the certificates (periodically and mandatory every 3 months).

Follow the instructions at Software_Collections and the python related wiki page specifically. You need to add the scl-repository for Python 2.7 that can be found here

Then:

yum install python27 --enablerepo=scl-python27
yum install git


  Note:
We need to see if installing GIT is really required, for the GIT version is also available as a ZIP file. The less we install, the better.


To use Let's Encrypt run:

scl enable python27 bash
cd /opt
git clone https://github.com/letsencrypt/letsencrypt.git
cd letsencrypt
service httpd-e-smith stop
./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk

Replacing email and domains as required. Then configure SME with the certificates generated:

config setprop modSSL crt /etc/letsencrypt/live/test.firstdomain.co.uk/cert.pem
config setprop modSSL key /etc/letsencrypt/live/test.firstdomain.co.uk/privkey.pem
config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem
signal-event domain-modify; signal-event email-update


  Note:
We need to see if setting the above db variables disturbs other SME Server default functionality and contribs that work with certificates such as VPN solutions.


Renew of the certs

The following script will automatically renew your certificate. Save it in a convenient place, for example, /opt/letsencrypt-renew.sh;dont forget du chmod +x the file

#!/bin/bash
source /opt/rh/python27/enable
export X_SCLS="`scl enable python27 'echo $X_SCLS'`"
/sbin/service httpd-e-smith stop
/opt/letsencrypt/letsencrypt-auto certonly --standalone --renew-by-default --email me@mydomain.co.uk \
 -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk 
/sbin/e-smith/signal-event domain-modify
/sbin/e-smith/signal-event email-update
/sbin/e-smith/signal-event ibay-modify

You may want to set this up as a cron job to run every two months, to make sure your certificate doesn't expire. Please see Crontab_Manager contrib for an easy way to achieve this. Or, to set this from the command line, do the following:

mkdir -p /etc/e-smith/templates-custom/etc/crontab
nano /etc/e-smith/templates-custom/etc/crontab/sslrenew

The following example will run the renewal script at 22:48 on the third of every other month (Feb, Apr, Jun, etc.):

48 22 3 */2 * root /opt/letsencrypt-renew.sh

then expand and restart

expand-template /etc/crontab
service crond restart

The time and day of the month can be chosen at your discretion--I've deliberately chosen a time that isn't at the top or bottom of the hour, or on the first of the month, in the hope of reducing load on letsencrypt's servers. Since the certificates are good for 90 days, this will renew your certificate in plenty of time.

Backup

Your certificate, private key, and other important information are stored in /etc/letsencrypt, which is not included in the standard SME Server backup routines. Make sure to add this directory to your backups. See, e.g., Backup with dar if you're using the workstation backup feature.

Source from info

Source: http://forums.contribs.org/index.php/topic,51961.msg266680.html#msg266680