EFA Let's Encrypt

Bugs in eFa 4
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

EFA Let's Encrypt

Post by jamerson »

Hi Guys,
I just want to share my experience with Let's Encrypt.
The cron job to renew the certificate apparently is not working.
I have disabled the job and re-enabled it to generate the new certificate.

After this was done, the certificate became valid.
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: EFA Let's Encrypt

Post by shawniverson »

Good to know. I will check and try to find out what is happening with the cron job.
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: EFA Let's Encrypt

Post by jamerson »

Today is the 3rd box on which SSL has failed;
enabling it and disabling it solved the problem.
Just wanted to share it.
warlord
Posts: 19
Joined: 16 May 2019 21:21

Re: EFA Let's Encrypt

Post by warlord »

Looking at the script that generates the crontab, there is a bug in the certbot cron job.
Specifically, certbot will require you to restart the applications after the certificate is renewed. That's why it appears not to work. You need a post-hook to restart httpd (and any other services).
On other systems I do this by the following files/scripts:


# cat /etc/cron.weekly/certbot
# weekly renewal run; certbot only renews certificates that are close to expiry
/usr/bin/certbot renew --quiet --pre-hook /usr/local/bin/certbot-pre --post-hook /usr/local/bin/certbot-post

# cat /usr/local/bin/certbot-pre
#!/bin/sh
# open HTTP so the renewal challenge can reach the web server
/usr/bin/firewall-cmd --add-service http

# cat /usr/local/bin/certbot-post
#!/bin/sh
# close HTTP again, then reload the services so they pick up the renewed certificate
/usr/bin/firewall-cmd --remove-service http
/usr/sbin/service httpd force-reload
/usr/sbin/service postfix restart
Note that I restart postfix because, IMHO, postfix should accept TLS-based email and will need to be restarted when the certificate is renewed. I don't know if EFA configures that itself, but IMHO it should!
warlord
Posts: 19
Joined: 16 May 2019 21:21

Re: EFA Let's Encrypt

Post by warlord »

One more bug in EFA's Let's Encrypt integration.
When I enabled it, it created the new certificate but didn't restart httpd to have it take effect. I had to do that manually. Obviously this is related to the cert renewal issue above.
And, of course, even though postfix is configured for TLS, it does not use the L.E. key/certificate.
warlord
Posts: 19
Joined: 16 May 2019 21:21

Re: EFA Let's Encrypt

Post by warlord »

Hi,
I tracked down another certbot cron issue (see my post about the cron getpwnam errors).
Specifically, /etc/cron.d/certbotrenew is broken -- it's missing the username to run the script as.
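A check for the defect described in this post, added here as an example and not eFa's own code: it scans a /etc/cron.d-style file and flags job lines whose user field is missing (the sample entries in demo are constructed, and the post-hook in them follows the approach from the earlier post).

```shell
#!/bin/sh
# check_crond_users FILE
# Flags job lines in a /etc/cron.d-style file whose user field is absent:
# system crontabs take "min hour dom mon dow USER command" (or "@daily USER
# command"), so a path or an option where the user should be means the
# field was left out. Exit status 0 if every job line is well-formed, 1 if not.
check_crond_users() {
    awk '
        NF == 0 || /^[[:space:]]*#/ { next }       # blank lines and comments
        $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }   # MAILTO=, PATH= and similar settings
        {
            user = ($1 ~ /^@/) ? $2 : $6           # @reboot/@daily form has no five time fields
            if (user == "" || user ~ "^[/-]") {    # a path or option sits where the user should
                print "missing user field: " $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# demo: constructed sample entries, not the contents of eFa's real cron file.
# The first job omits the user field (the defect reported above); the second
# is the same renewal job with "root" supplied and a post-hook that reloads
# httpd so the renewed certificate is actually served.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'MAILTO=root' \
        '0 3 * * * /usr/bin/certbot renew --quiet --post-hook "/usr/sbin/service httpd force-reload"' > "$tmp"
    check_crond_users "$tmp"; broken=$?
    printf '%s\n' 'MAILTO=root' \
        '0 3 * * * root /usr/bin/certbot renew --quiet --post-hook "/usr/sbin/service httpd force-reload"' > "$tmp"
    check_crond_users "$tmp"; fixed=$?
    rm -f "$tmp"
    echo "broken file exit=$broken, fixed file exit=$fixed"   # broken file exit=1, fixed file exit=0
}
```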
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: EFA Let's Encrypt

Post by shawniverson »

Testing now. I left off the port 80 on/off because port 80 is open by default on eFa4 to redirect to https, but I think I will test port 80 and then toggle it, but only if it is off to start with.
warlord
Posts: 19
Joined: 16 May 2019 21:21

Re: EFA Let's Encrypt

Post by warlord »

shawniverson wrote: 28 Jul 2019 15:31 Testing now. I left off the port 80 on/off because port 80 is open by default on eFa4 to redirect to https, but I think I will test port 80 and then toggle it, but only if it is off to start with.
I think it's safe to just leave that off if you think 80 is always open. But yeah, if 80 is off, you might need to open and close it, but I don't know how best to toggle that within the scripts.