Letsencrypt

From SME Server
Jump to navigation Jump to search
Warning.png Work in Progress:
This page is a Work in Progress. The contents off this page may be in flux, please have a look at this page history the to see list of changes.


PythonIcon.png Skill level: Advanced
The instructions on this page may require deviations from standard procedures. A good understanding of linux and Koozali SME Server is recommended.


Warning.png Warning:
This procedure change the default certificates and could significantly compromise your server's security.
Thorough understanding of linux system management is required.

Proceed at your own risk


Introduction

Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open. It's main purpose is to allow people to encrypt the internet traffic by a very simple system.

The certs delivered must be renewed every 3 months.

Prerequisites

Your SME Server must be setup correctly with a FQDN and correctly setup DNS with your ISP. Your SME Server must also be connected to the internet, for the below procedure will interact with Letsencrypt servers. Make sure you've got this all setup correctly before continuing.

Installation

For the installation of Letsencrypt, the initial generation of the certificates and periodically re-new the authority certificates, at minimum Python version 2.7 is required. By default SME Server comes with a lower version, but below instruction will enable you to install version 2.7 in a 'supported' way, next to the default SME Server Python version. The newly installed Python version 2.7 will then only be used (after initial installation) for the renewal of the certificates (periodically and mandatory every 3 months).

Follow the instructions at Software_Collections and the python related wiki page specifically. You need to add the scl-repository for Python 2.7 that can be found here

To install Python 2.7:

yum install python27 --enablerepo=scl-python27

You can download the latest Letsencrypt code from their Github page either via GIT or as a ZIP file.

To download via GIT do:

yum install git
cd /opt
git clone https://github.com/letsencrypt/letsencrypt.git

To download as a ZIP do:

wget https://github.com/letsencrypt/letsencrypt/archive/master.zip -P /opt
unzip /opt/master.zip && mv /opt/letsencrypt-master /opt/letsencrypt
rm -f /opt/master.zip


To use Let's Encrypt run:

scl enable python27 bash
cd /opt/letsencrypt
service httpd-e-smith stop
./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk

Replacing email and domains as required. Then configure SME with the certificates generated:

config setprop modSSL crt /etc/letsencrypt/live/test.firstdomain.co.uk/cert.pem
config setprop modSSL key /etc/letsencrypt/live/test.firstdomain.co.uk/privkey.pem
config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.firstdomain.co.uk/chain.pem
signal-event domain-modify; signal-event email-update


  Note:
We need to see if setting the above db variables disturbs other SME Server default functionality and contribs that work with certificates such as VPN solutions.


Renew of the certs

The following script will automatically renew your certificate. Save it in a convenient place, for example, /opt/letsencrypt-renew.sh;dont forget du chmod +x the file

#!/bin/bash
source /opt/rh/python27/enable
export X_SCLS="`scl enable python27 'echo $X_SCLS'`"
/sbin/service httpd-e-smith stop
/opt/letsencrypt/letsencrypt-auto certonly --standalone --renew-by-default --email me@mydomain.co.uk \
 -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk 
/sbin/e-smith/signal-event domain-modify
/sbin/e-smith/signal-event email-update
/sbin/e-smith/signal-event ibay-modify


  Note:
The above commands enable Python 2.7, but do not disable it again


You may want to set this up as a cron job to run every two months, to make sure your certificate doesn't expire. Please see Crontab_Manager contrib for an easy way to achieve this. Or, to set this from the command line, do the following:

mkdir -p /etc/e-smith/templates-custom/etc/crontab
nano /etc/e-smith/templates-custom/etc/crontab/sslrenew

The following example will run the renewal script at 22:48 on the third of every other month (Feb, Apr, Jun, etc.):

48 22 3 */2 * root /opt/letsencrypt-renew.sh

then expand and restart

expand-template /etc/crontab
service crond restart

The time and day of the month can be chosen at your discretion--I've deliberately chosen a time that isn't at the top or bottom of the hour, or on the first of the month, in the hope of reducing load on letsencrypt's servers. Since the certificates are good for 90 days, this will renew your certificate in plenty of time.

Backup

Your certificate, private key, and other important information are stored in /etc/letsencrypt, which is not included in the standard SME Server backup routines. Make sure to add this directory to your backups. See, e.g., Backup with dar if you're using the workstation backup feature.

Source from info

Source: http://forums.contribs.org/index.php/topic,51961.msg266680.html#msg266680