ebnerjoh (Tux's lil' helper)
Joined: 27 Oct 2006 Posts: 83
Posted: Sun Feb 12, 2017 1:35 pm Post subject: HTTPS Certificate: Letsencrypt not working
Hi,
I have been running my own OwnCloud instance for a couple of years and was using StartSSL for my HTTPS connection. Because Chrome and Firefox no longer trust StartSSL, I was searching for an alternative solution and found the following how-to:
https://wiki.gentoo.org/wiki/Let%27s_Encrypt
I followed the how-to, but when I try to create the certificate with acme-tiny I get the following error:
Code:
/usr/bin/acme-tiny --account-key account.key --csr domain.csr --acme-dir /var/www/localhost/acme-challenge/ > signed.crt
Parsing account key...
Parsing CSR...
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.4/acme-tiny", line 11, in <module>
    load_entry_point('acme-tiny==0.1.dev79+ndaba51d.d20170212', 'console_scripts', 'acme-tiny')()
  File "/usr/lib64/python3.4/site-packages/acme_tiny.py", line 198, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.account_email, log=LOGGER, CA=args.ca)
  File "/usr/lib64/python3.4/site-packages/acme_tiny.py", line 70, in get_crt
    raise IOError("Error loading {0}: {1}".format(csr, err))
OSError: Error loading domain.csr: b"domain.csr: No such file or directory\n139640932869784:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('domain.csr','r')\n139640932869784:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:\n"
What could I be doing wrong?
Other question: is there another alternative for getting an SSL certificate? 10 Euro per year would be OK for my private usage...
Br,
Johannes
ebnerjoh (Tux's lil' helper)
Joined: 27 Oct 2006 Posts: 83
Posted: Sun Feb 12, 2017 2:50 pm
Ok,
I was checking the "Discussion" site and found the solution there. It is working now.
Br,
Johannes
skunk (l33t)
Joined: 28 May 2003 Posts: 646 Location: granada, spain
Posted: Sun Feb 12, 2017 3:10 pm Post subject: Re: HTTPS Certificate: Letsencrypt not working
ebnerjoh wrote:
Code:
OSError: Error loading domain.csr: b"domain.csr: No such file or directory\n139640932869784:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('domain.csr','r')\n139640932869784:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:\n"

As the error message says, it fails to open domain.csr; does it exist?
On the wiki page it states:
Quote:
Create an account key, domain key and a CSR (replace www.example.co.uk with your host name):

but then there is no command for creating the CSR, which should look like this:
Code:
openssl req -new -sha256 -key domain.key -out domain.csr

I've never used app-crypt/acme-tiny; I use the official Let's Encrypt client app-crypt/certbot, which is easy and fast for both new certificates and renewals:
Code:
certbot certonly --webroot -w /path/to/document/root -d domain.tld
certbot renew
ebnerjoh (Tux's lil' helper)
Joined: 27 Oct 2006 Posts: 83
Posted: Sun Feb 12, 2017 3:44 pm
Thanks,
Certbot is working fine.
I will add it to crontab for renewal (daily). I guess I have to restart Apache after renewal?
Br,
Johannes
skunk (l33t)
Joined: 28 May 2003 Posts: 646 Location: granada, spain
Posted: Sun Feb 12, 2017 3:59 pm
Monthly would be enough, and yes, you have to reload Apache...
Elleni (Veteran)
Joined: 23 May 2006 Posts: 1270
Posted: Wed May 31, 2017 12:17 am
Because of renewal by cron (certbot renew), I would like to know how I can configure Apache, Dovecot and Postfix to be restarted automatically after the certificate update.
Fitzcarraldo (Advocate)
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
Posted: Wed May 31, 2017 4:17 am
Elleni wrote:
Because of renewal by cron (certbot renew), I would like to know how I can configure Apache, Dovecot and Postfix to be restarted automatically after the certificate update.

certbot includes hooks to run scripts, so you could do something similar to the following:
Code:
certbot renew --renew-hook /path/to/renew-hook-script

That should only run the script renew-hook-script once each time the SSL certificate is actually renewed. In the script you could include commands such as the following to restart Apache:
_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.
Fitzcarraldo's blog
toralf (Developer)
Joined: 01 Feb 2004 Posts: 3922 Location: Hamburg
Posted: Wed May 31, 2017 7:17 am
skunk wrote:
monthly would be enough

Weekly would be better: if, for some reason, 2 updates fail in a row, then the next call might be too late.
Fitzcarraldo (Advocate)
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
Posted: Wed May 31, 2017 11:32 am
toralf wrote:
skunk wrote:
monthly would be enough
Weekly would be better: if, for some reason, 2 updates fail in a row, then the next call might be too late.

The 'certbot renew' command only renews certificates that are near expiry, so it can be run as frequently as you want, since it will usually take no action. My crontab job runs it twice daily and redirects the stdout output to a logfile (optional), which contains e.g. the following if there is no need to renew the certificate:
Code:
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
Elleni (Veteran)
Joined: 23 May 2006 Posts: 1270
Posted: Wed May 31, 2017 4:24 pm
Hello all,
thanks for the replies, that's elegant, so I set up a small script with:
Code:
/etc/init.d/apache2 restart && /etc/init.d/dovecot restart && /etc/init.d/postfix restart

and added a cronjob of certbot renew --renew-hook /path/to/renew-hook-script
Perfect
chiefbag (Guru)
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Wed Jun 14, 2017 3:18 pm
Quote:
Code:
/etc/init.d/apache2 restart && /etc/init.d/dovecot restart && /etc/init.d/postfix restart

You should break them out into separate scripts/commands or add error handling to the above command if you're worried about stuff failing.
Elleni (Veteran)
Joined: 23 May 2006 Posts: 1270
Posted: Mon Jun 26, 2017 9:45 pm
How would I do that?
chiefbag (Guru)
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Tue Jun 27, 2017 7:14 am
Quote:
Code:
/etc/init.d/apache2 restart && /etc/init.d/dovecot restart && /etc/init.d/postfix restart

The following would be an improvement on your above "/path/to/renew-hook-script" script, since if a command preceding "&&" fails, the commands following it will not be executed in your current script.
This could be further improved by checking the return code of each command and either notifying and/or retrying upon error.
Code:
#!/bin/bash
echo "Command 1"
/etc/init.d/apache2 restart
echo "Command 2"
/etc/init.d/dovecot restart
echo "Command 3"
/etc/init.d/postfix restart
Syl20 (l33t)
Joined: 04 Aug 2005 Posts: 619 Location: France
Posted: Wed Jun 28, 2017 6:44 am
At worst, replace "&&" with ";". "command 1 && command 2" means command 2 is executed only if command 1 ends without error (return code = 0).
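As an added example (not a script posted by anyone in this thread), here is a renew-hook that does what chiefbag and Syl20 describe: every service is restarted on its own rather than in an "&&" chain, a failed restart is retried once, each failure is logged, and the exit status tells certbot how many services failed. It assumes OpenRC-style init scripts under /etc/init.d, the service names apache2, dovecot and postfix, and certbot's RENEWED_LINEAGE environment variable as the sign that certbot invoked the hook; INIT_DIR, SERVICES and RETRY_DELAY are knobs of this example script only.

```shell
#!/bin/bash
# Added example renew hook (not from this thread): restart each service
# on its own, retry once, log failures, and exit non-zero if any failed.

INIT_DIR="${INIT_DIR:-/etc/init.d}"                # assumption: OpenRC init scripts
SERVICES="${SERVICES:-apache2 dovecot postfix}"    # services that use the certificate
RETRY_DELAY="${RETRY_DELAY:-5}"                    # seconds to wait before the retry

log() { printf '%s renew-hook: %s\n' "$(date '+%F %T')" "$*" >&2; }

# Restart one service. Returns 0 on success, 127 if the init script is
# missing, otherwise the exit code of the second (retried) attempt.
restart_service() {
    svc="$1"
    script="$INIT_DIR/$svc"
    if [ ! -x "$script" ]; then
        log "ERROR: $script is missing or not executable"
        return 127
    fi
    "$script" restart && return 0
    status=$?
    log "WARN: $svc restart exited with $status, retrying in ${RETRY_DELAY}s"
    sleep "$RETRY_DELAY"
    "$script" restart
}

# Restart every service in SERVICES without stopping at the first failure
# (unlike a chain joined with &&). Returns the number of services that failed.
restart_all() {
    failed=0
    for svc in $SERVICES; do
        if restart_service "$svc"; then
            log "OK: $svc restarted"
        else
            status=$?
            failed=$((failed + 1))
            log "FAIL: $svc (exit $status)"
        fi
    done
    return "$failed"
}

# certbot exports RENEWED_LINEAGE to its hooks, so the restarts run only
# after an actual renewal (or when invoked by hand with --run).
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = "--run" ]; then
    log "certificate renewed: ${RENEWED_LINEAGE:-manual run}"
    restart_all
    exit $?
fi
```

Install it as the script passed to certbot renew --renew-hook (newer certbot releases call the same option --deploy-hook); a non-zero exit shows up in certbot's output and log, which is what makes a failed restart visible instead of silently skipped.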
Elleni (Veteran)
Joined: 23 May 2006 Posts: 1270
Posted: Fri Jul 07, 2017 1:34 pm
Oh, I see! Thanks for the suggestions