Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
HTTPS Certificate: Letsencrypt not working
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
ebnerjoh
Tux's lil' helper
Tux's lil' helper


Joined: 27 Oct 2006
Posts: 83

PostPosted: Sun Feb 12, 2017 1:35 pm    Post subject: HTTPS Certificate: Letsencrypt not working Reply with quote

Hi,

I am running my own OwnCloud instance since a couple of years and I was using StartSSL for my HTTPS Connection. Because Chrome and Firefox are not trusting StartSSL anymore I was searching for an alternative solution and found the follwoing how-to:

https://wiki.gentoo.org/wiki/Let%27s_Encrypt

I followed the howto, but when I try to create the Certificate with acme-tiny I am getting the following error:

Code:
/usr/bin/acme-tiny --account-key account.key --csr domain.csr --acme-dir /var/www/localhost/acme-challenge/ > signed.crt
Parsing account key...
Parsing CSR...
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.4/acme-tiny", line 11, in <module>
    load_entry_point('acme-tiny==0.1.dev79+ndaba51d.d20170212', 'console_scripts', 'acme-tiny')()
  File "/usr/lib64/python3.4/site-packages/acme_tiny.py", line 198, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.account_email, log=LOGGER, CA=args.ca)
  File "/usr/lib64/python3.4/site-packages/acme_tiny.py", line 70, in get_crt
    raise IOError("Error loading {0}: {1}".format(csr, err))
OSError: Error loading domain.csr: b"domain.csr: No such file or directory\n139640932869784:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('domain.csr','r')\n139640932869784:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:\n"


What could I do wrong?

Other question: Is there another alternative for getting SSL Certificate? 10 Euro per year would be ok for my private usage...

Br,
Johannes
Back to top
View user's profile Send private message
ebnerjoh
Tux's lil' helper
Tux's lil' helper


Joined: 27 Oct 2006
Posts: 83

PostPosted: Sun Feb 12, 2017 2:50 pm    Post subject: Reply with quote

Ok,

I was checking the "Discussion" Site and found there the solution. It is working now.

Br,
Johannes
Back to top
View user's profile Send private message
skunk
l33t
l33t


Joined: 28 May 2003
Posts: 640
Location: granada, spain

PostPosted: Sun Feb 12, 2017 3:10 pm    Post subject: Re: HTTPS Certificate: Letsencrypt not working Reply with quote

ebnerjoh wrote:

Code:
OSError: Error loading domain.csr: b"domain.csr: No such file or directory\n139640932869784:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('domain.csr','r')\n139640932869784:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:\n"


as the error message says it fails to open domain.csr, does it exist?
on the wiki page it states:
Quote:

Create an account key, domain key and a CSR (replace www.example.co.uk with your host name):

but then there is no command for creating the csr which should look like this:
Code:

openssl req -new -sha256 -key domain.key -out domain.csr

i've never used app-crypt/acme-tiny, i use the official let's encrypt client app-crypt/certbot which is easy and fast for both new certificates and renewals:
Code:

certbot certonly --webroot -w /path/to/document/root -d domain.tld
certbot renew
Back to top
View user's profile Send private message
ebnerjoh
Tux's lil' helper
Tux's lil' helper


Joined: 27 Oct 2006
Posts: 83

PostPosted: Sun Feb 12, 2017 3:44 pm    Post subject: Reply with quote

Thanks,

Certbot is working fine.

I will add it into crontab for renewal (daily). I guess I have to restart apache after renewal?

Br,
Johannes
Back to top
View user's profile Send private message
skunk
l33t
l33t


Joined: 28 May 2003
Posts: 640
Location: granada, spain

PostPosted: Sun Feb 12, 2017 3:59 pm    Post subject: Reply with quote

monthly would be enough and yes, you've to reload apache...
Back to top
View user's profile Send private message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 737

PostPosted: Wed May 31, 2017 12:17 am    Post subject: Reply with quote

Because of renewal by cron (certbot renew) I would like to know, how I can configure that apache, dovecot and postfix are restarted automatically after the certificate update.
Back to top
View user's profile Send private message
Fitzcarraldo
Veteran
Veteran


Joined: 30 Aug 2008
Posts: 1630
Location: United Kingdom

PostPosted: Wed May 31, 2017 4:17 am    Post subject: Reply with quote

Elleni wrote:
Because of renewal by cron (certbot renew) I would like to know, how I can configure that apache, dovecot and postfix are restarted automatically after the certificate update.


certbot incudes hooks to run scripts, so you could do something similar to the following:

Code:
certbot renew --renew-hook /path/to/renew-hook-script

That should only run the script renew-hook-script once each time the SSL certificate is actually renewed. In the script you could include commands such as the following to restart Apache:

Code:
apachectl graceful

_________________
Clevo W230SS: amd64 OpenRC elogind nvidia-drivers & xf86-video-intel.
Compal NBLB2: ~amd64 OpenRC elogind xf86-video-ati. Dual boot Win 7 Pro 64-bit.
KDE on both.

Fitzcarraldo's blog
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3647
Location: Hamburg

PostPosted: Wed May 31, 2017 7:17 am    Post subject: Reply with quote

skunk wrote:
monthly would be enough
Weekly would be better - if -for some reason- 2 updates do fail in a row, then the next call might be too late.
Back to top
View user's profile Send private message
Fitzcarraldo
Veteran
Veteran


Joined: 30 Aug 2008
Posts: 1630
Location: United Kingdom

PostPosted: Wed May 31, 2017 11:32 am    Post subject: Reply with quote

toralf wrote:
skunk wrote:
monthly would be enough
Weekly would be better - if -for some reason- 2 updates do fail in a row, then the next call might be too late.

The 'certbot renew' command only renews certificates that are near expiry, so it can be run as frequently as you want - since it will usually take no action. My crontab job runs it twice daily and redirects the stdout output to a logfile (optional), which contains e.g. the following if there is no need to renew the certificate:

Code:
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.

_________________
Clevo W230SS: amd64 OpenRC elogind nvidia-drivers & xf86-video-intel.
Compal NBLB2: ~amd64 OpenRC elogind xf86-video-ati. Dual boot Win 7 Pro 64-bit.
KDE on both.

Fitzcarraldo's blog
Back to top
View user's profile Send private message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 737

PostPosted: Wed May 31, 2017 4:24 pm    Post subject: Reply with quote

Hello all,

thanks for replies, thats elegant, so I setup a small script with:

Code:
/etc/init.d/apache2 restart && /etc/init.d/dovecot restart && /etc/init.d/postfix restart


and add a cronjob of certbot renew --renew-hook /path/to/renew-hook-script

Perfect :)
Back to top
View user's profile Send private message
chiefbag
Guru
Guru


Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom

PostPosted: Wed Jun 14, 2017 3:18 pm    Post subject: Reply with quote

Quote:

Code:
/etc/init.d/apache2 restart && /etc/init.d/dovecot restart && /etc/init.d/postfix restart



You should break them out into separate scripts/commands or add error handling to the above command if your worried about stuff failing.
Back to top
View user's profile Send private message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 737

PostPosted: Mon Jun 26, 2017 9:45 pm    Post subject: Reply with quote

how would I do that ?
Back to top
View user's profile Send private message
chiefbag
Guru
Guru


Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom

PostPosted: Tue Jun 27, 2017 7:14 am    Post subject: Reply with quote

Quote:
Code:
/etc/init.d/apache2 restart && /etc/init.d/dovecot restart && /etc/init.d/postfix restart


The following would be an improvement on your above "/path/to/renew-hook-script" script, for if a command preceding "&&" fails the commands following will not be executed in your current script.
This could be further improved on by adding checking of the return code for each command and either notifying and or retrying upon error.

Code:
#!/bin/bash
echo "Command 1"
/etc/init.d/apache2 restart
echo "Command 2"
/etc/init.d/dovecot restart
echo "Command 3"
/etc/init.d/postfix restart
Back to top
View user's profile Send private message
Syl20
Guru
Guru


Joined: 04 Aug 2005
Posts: 547
Location: France

PostPosted: Wed Jun 28, 2017 6:44 am    Post subject: Reply with quote

At worst, replace "&&" with ";". "command 1 && command 2" means command 2 is executed only if command 1 ends without error (return code = 0).
Back to top
View user's profile Send private message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 737

PostPosted: Fri Jul 07, 2017 1:34 pm    Post subject: Reply with quote

oh, I see! Thanks for suggestions :)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum