How I did setup let's encrypt on my EFA

Questions and answers about how to do stuff
ressel
Posts: 27
Joined: 28 Nov 2014 11:59

How I did setup let's encrypt on my EFA

Post by ressel »

Hello,

I have just successfully set up Let's Encrypt on my EFA server.

This is how I did it:

As root I ran the following commands:

Code:

mkdir /opt/certbot
cd /opt/certbot
wget https://dl.eff.org/certbot-auto --no-check-certificate
chmod a+x ./certbot-auto
Then I executed certbot with

Code:

./certbot-auto
and now certbot takes care of everything for me.

Certbot ran the following commands, and I did not need to do anything here!

Code:

# ./certbot-auto
Bootstrapping dependencies for RedHat-based OSes...
yum is /usr/bin/yum
Indlæste udvidelsesmoduler: fastestmirror, security
Opsætning af installationsprocessen
Loading mirror speeds from cached hostfile
 * EFA: dl2.efa-project.org
 * base: centosmirror.netcup.net
 * epel: mirror.23media.de
 * extras: centos.schlundtech.de
 * updates: mirror.23media.de
Pakke gcc-4.4.7-17.el6.x86_64 er allerede installeret i den nyeste version
Pakke augeas-libs-1.0.0-10.el6.x86_64 er allerede installeret i den nyeste version
Pakke openssl-1.0.1e-48.el6_8.3.x86_64 er allerede installeret i den nyeste version
Pakke openssl-devel-1.0.1e-48.el6_8.3.x86_64 er allerede installeret i den nyeste version
Pakke redhat-rpm-config-9.0.3-51.el6.centos.noarch er allerede installeret i den nyeste version
Pakke ca-certificates-2015.2.6-65.0.1.el6_7.noarch er allerede installeret i den nyeste version
Pakke python-2.6.6-66.el6_8.x86_64 er allerede installeret i den nyeste version
Pakke 1:mod_ssl-2.2.15-54.el6.centos.x86_64 er allerede installeret i den nyeste version
Løser afhængigheder
--> Kører overførselskontrol
---> Package dialog.x86_64 0:1.1-9.20080819.1.el6 will be installeret
---> Package libffi-devel.x86_64 0:3.0.5-3.2.el6 will be installeret
---> Package python-devel.x86_64 0:2.6.6-66.el6_8 will be installeret
---> Package python-pip.noarch 0:7.1.0-1.el6 will be installeret
--> Behandler afhængighed: python-setuptools for pakken: python-pip-7.1.0-1.el6.noarch
---> Package python-tools.x86_64 0:2.6.6-66.el6_8 will be installeret
--> Behandler afhængighed: tkinter = 2.6.6-66.el6_8 for pakken: python-tools-2.6.6-66.el6_8.x86_64
---> Package python-virtualenv.noarch 0:1.10.1-1.el6 will be installeret
--> Kører overførselskontrol
---> Package python-setuptools.noarch 0:0.6.10-3.el6 will be installeret
---> Package tkinter.x86_64 0:2.6.6-66.el6_8 will be installeret
--> Behandler afhængighed: libtk8.5.so()(64bit) for pakken: tkinter-2.6.6-66.el6_8.x86_64
--> Behandler afhængighed: libtcl8.5.so()(64bit) for pakken: tkinter-2.6.6-66.el6_8.x86_64
--> Behandler afhængighed: libTix.so()(64bit) for pakken: tkinter-2.6.6-66.el6_8.x86_64
--> Kører overførselskontrol
---> Package tcl.x86_64 1:8.5.7-6.el6 will be installeret
---> Package tix.x86_64 1:8.4.3-5.el6 will be installeret
---> Package tk.x86_64 1:8.5.7-5.el6 will be installeret
--> Afsluttede afhængighedssøgningen

Afhængigheder løst

================================================================================
 Pakke                 Arkitektur Version                     Pakkearkiv  Størrelse
================================================================================
Installerer:
 dialog                x86_64     1.1-9.20080819.1.el6        base        197 k
 libffi-devel          x86_64     3.0.5-3.2.el6               base         18 k
 python-devel          x86_64     2.6.6-66.el6_8              updates     173 k
 python-pip            noarch     7.1.0-1.el6                 epel        1.5 M
 python-tools          x86_64     2.6.6-66.el6_8              updates     871 k
 python-virtualenv     noarch     1.10.1-1.el6                epel        1.3 M
Installerer til afhængigheder:
 python-setuptools     noarch     0.6.10-3.el6                base        336 k
 tcl                   x86_64     1:8.5.7-6.el6               base        1.9 M
 tix                   x86_64     1:8.4.3-5.el6               base        252 k
 tk                    x86_64     1:8.5.7-5.el6               base        1.4 M
 tkinter               x86_64     2.6.6-66.el6_8              updates     258 k

Overførselsopsummering
================================================================================
Install      11 Package(s)

Total hentningsstørrelse: 8.2 M
Installed size: 23 M
Er dette o.k. [j/N]: j
Henter pakker:
(1/11): dialog-1.1-9.20080819.1.el6.x86_64.rpm           | 197 kB     00:00
(2/11): libffi-devel-3.0.5-3.2.el6.x86_64.rpm            |  18 kB     00:00
(3/11): python-devel-2.6.6-66.el6_8.x86_64.rpm           | 173 kB     00:00
(4/11): python-pip-7.1.0-1.el6.noarch.rpm                | 1.5 MB     00:00
(5/11): python-setuptools-0.6.10-3.el6.noarch.rpm        | 336 kB     00:00
(6/11): python-tools-2.6.6-66.el6_8.x86_64.rpm           | 871 kB     00:00
(7/11): python-virtualenv-1.10.1-1.el6.noarch.rpm        | 1.3 MB     00:00
(8/11): tcl-8.5.7-6.el6.x86_64.rpm                       | 1.9 MB     00:00
(9/11): tix-8.4.3-5.el6.x86_64.rpm                       | 252 kB     00:00
(10/11): tk-8.5.7-5.el6.x86_64.rpm                       | 1.4 MB     00:00
(11/11): tkinter-2.6.6-66.el6_8.x86_64.rpm               | 258 kB     00:00
--------------------------------------------------------------------------------
Ialt                                            7.5 MB/s | 8.2 MB     00:01
Kører rpm_check_debug
Kører overførselstest
Overførselstest afsluttet uden fejl
Kører overførsel
  Installerer    : 1:tcl-8.5.7-6.el6.x86_64                                1/11
  Installerer    : 1:tk-8.5.7-5.el6.x86_64                                 2/11
  Installerer    : python-setuptools-0.6.10-3.el6.noarch                   3/11
  Installerer    : 1:tix-8.4.3-5.el6.x86_64                                4/11
  Installerer    : tkinter-2.6.6-66.el6_8.x86_64                           5/11
  Installerer    : python-devel-2.6.6-66.el6_8.x86_64                      6/11
  Installerer    : python-virtualenv-1.10.1-1.el6.noarch                   7/11
  Installerer    : python-tools-2.6.6-66.el6_8.x86_64                      8/11
  Installerer    : python-pip-7.1.0-1.el6.noarch                           9/11
  Installerer    : dialog-1.1-9.20080819.1.el6.x86_64                     10/11
  Installerer    : libffi-devel-3.0.5-3.2.el6.x86_64                      11/11
  Verifying      : python-pip-7.1.0-1.el6.noarch                           1/11
  Verifying      : python-devel-2.6.6-66.el6_8.x86_64                      2/11
  Verifying      : libffi-devel-3.0.5-3.2.el6.x86_64                       3/11
  Verifying      : python-virtualenv-1.10.1-1.el6.noarch                   4/11
  Verifying      : tkinter-2.6.6-66.el6_8.x86_64                           5/11
  Verifying      : 1:tcl-8.5.7-6.el6.x86_64                                6/11
  Verifying      : dialog-1.1-9.20080819.1.el6.x86_64                      7/11
  Verifying      : 1:tk-8.5.7-5.el6.x86_64                                 8/11
  Verifying      : python-setuptools-0.6.10-3.el6.noarch                   9/11
  Verifying      : 1:tix-8.4.3-5.el6.x86_64                               10/11
  Verifying      : python-tools-2.6.6-66.el6_8.x86_64                     11/11

Installeret:
  dialog.x86_64 0:1.1-9.20080819.1.el6  libffi-devel.x86_64 0:3.0.5-3.2.el6
  python-devel.x86_64 0:2.6.6-66.el6_8  python-pip.noarch 0:7.1.0-1.el6
  python-tools.x86_64 0:2.6.6-66.el6_8  python-virtualenv.noarch 0:1.10.1-1.el6

Afhængighed installeret:
  python-setuptools.noarch 0:0.6.10-3.el6        tcl.x86_64 1:8.5.7-6.el6
  tix.x86_64 1:8.4.3-5.el6                       tk.x86_64 1:8.5.7-5.el6
  tkinter.x86_64 0:2.6.6-66.el6_8

Afsluttet!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Version: 1.1-20080819
Now I was prompted for which domain names I would use in the configuration, and here I entered the hostname of my server, like hostname.domain.tld.
Then I had to enter an email address.
Next, certbot asks me which host file to use; I can only select ssl.conf, so I select it.
Then I get asked for the host file again, I select ssl.conf again, and shortly after I get this message:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/hostname.domain.tld/fullchain.pem. Your cert
will expire on 2017-01-25. To obtain a new or tweaked version of
this certificate in the future, simply run certbot-auto again with
the "certonly" option. To non-interactively renew *all* of your
certificates, run "certbot-auto renew"

And in cron I have added the following cronjob:

Code:

@weekly /opt/certbot/certbot-auto renew --quiet --post-hook "/etc/init.d/httpd restart"
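A weekly "renew --quiet" can fail silently (as one reply further down reports), so a practitioner would pair the cron job above with a check that the certificate actually deployed still has time left. This is an added example, not part of ressel's post; it assumes GNU date and the openssl CLI are available, and the fullchain.pem path is the one from the post:

```bash
#!/bin/bash
# Added example (not from the thread): warn when a Let's Encrypt cert is
# close to expiry, so a silent renewal failure is noticed before it lapses.
# Assumes GNU date (CentOS ships it) and the openssl command line tool.

# days_left NOTAFTER_LINE [NOW_EPOCH]
# Converts an openssl "notAfter=..." line into whole days remaining.
# NOW_EPOCH is optional and exists so the function can be checked offline.
days_left() {
    local end="${1#notAfter=}"
    local now="${2:-$(date +%s)}"
    local end_epoch
    end_epoch=$(date -d "$end" +%s) || return 2
    echo $(( (end_epoch - now) / 86400 ))
}

# check_cert PEM_FILE [MIN_DAYS]
# Returns 0 if the cert has at least MIN_DAYS (default 14) left, 1 otherwise.
# Let's Encrypt certs last 90 days and certbot renews at 30 days left, so
# anything under 14 means the weekly renew has not been working.
check_cert() {
    local pem="$1" min="${2:-14}"
    local line days
    line=$(openssl x509 -noout -enddate -in "$pem") || return 2
    days=$(days_left "$line") || return 2
    if [ "$days" -lt "$min" ]; then
        echo "WARNING: $pem expires in $days days" >&2
        return 1
    fi
    echo "OK: $pem expires in $days days"
}

# Typical use on EFA, e.g. from a second cron entry that mails on failure:
# check_cert /etc/letsencrypt/live/hostname.domain.tld/fullchain.pem 14
```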
DaN
Posts: 240
Joined: 19 Nov 2014 10:04
Location: Earth

Re: How I did setup let's encrypt on my EFA

Post by DaN »

It's just for the web server, right? (Port 443 has to be reachable from internet)
cphillips
Posts: 27
Joined: 12 Nov 2016 20:16

Re: How I did setup let's encrypt on my EFA

Post by cphillips »

DaN wrote: It's just for the web server, right? (Port 443 has to be reachable from internet)

Correct - port 443 needs to be accessible. I turned on https support in the options, then followed ressel's guide and it went through fine.

Thanks for the info ressel! :D

Colin
DaN
Posts: 240
Joined: 19 Nov 2014 10:04
Location: Earth

Re: How I did setup let's encrypt on my EFA

Post by DaN »

And the certificate is only used for the web server?
cphillips
Posts: 27
Joined: 12 Nov 2016 20:16

Re: How I did setup let's encrypt on my EFA

Post by cphillips »

DaN wrote: And the certificate is only used for the web server?
Correct.
zane93
Posts: 44
Joined: 08 Mar 2016 22:08

Re: How I did setup let's encrypt on my EFA

Post by zane93 »

Works like a charm thanks!
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: How I did setup let's encrypt on my EFA

Post by jamerson »

I have configured this with spam.domain.com, however when I browse to spam.domain.com it pops up an SSL error.
What have I done wrong?
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!
TheGr8Wonder
Posts: 97
Joined: 01 Jul 2017 02:32

Re: How I did setup let's encrypt on my EFA

Post by TheGr8Wonder »

This feature is coming in v3.0.2.5!! Stay tuned!! :D :D
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: How I did setup let's encrypt on my EFA

Post by jamerson »

Today I have noticed the SSL hasn't been renewed!
Any suggestions why?
Last edited by jamerson on 20 Nov 2017 03:14, edited 1 time in total.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How I did setup let's encrypt on my EFA

Post by shawniverson »

we are using a haproxy for port 443/80
This probably won't work with letsencrypt authorization. Your haproxy is likely interfering with the tls-sni-01 authorization procedure. Certbot is planting a test cert on your website and trying to access your site, but haproxy is in the middle.
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: How I did setup let's encrypt on my EFA

Post by jamerson »

Thank you for your answer,
we managed to get this fixed by configuring the EFA with an external IP.
Big thank you for the support.
I have an issue with outgoing email, but I won't hijack your post, I will start a new post.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: How I did setup let's encrypt on my EFA

Post by pdwalker »

jamerson,

If you have an haproxy frontend, I'd suggest that you just map the letsencrypt authentication url back to your efa box. There is no reason to make the whole efa web server exposed to the internet.
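shawniverson's diagnosis above concerns the tls-sni-01 challenge, which Let's Encrypt has since retired; with the http-01 challenge the only thing the CA needs to reach is the /.well-known/acme-challenge/ path on port 80, which is what pdwalker's suggestion amounts to. The fragment below is an added example, not from the thread or the eFa project, and assumes hypothetical backend names and an RFC 5737 placeholder address for the EFA box:

```haproxy
# Added example (not from the thread): expose only the ACME challenge path
# to the internet and keep the rest of the EFA web interface internal.
frontend http_in
    bind *:80
    # Only requests for the http-01 challenge path go to the EFA box.
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme_efa if is_acme
    # Everything else goes wherever it went before (hypothetical backend).
    default_backend web_default

backend acme_efa
    # Placeholder address for the EFA server; replace with the internal IP.
    server efa 192.0.2.10:80 check

backend web_default
    # Hypothetical existing backend; unchanged by this addition.
    server web1 192.0.2.20:80 check
```

With this in place certbot on the EFA box must be told to use the http-01 challenge (for example with --preferred-challenges http), since the validation request now arrives on port 80 rather than via a TLS handshake on 443.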
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: How I did setup let's encrypt on my EFA

Post by jamerson »

pdwalker wrote: 20 Nov 2017 08:00 jamerson,

If you have an haproxy frontend, I'd suggest that you just map the letsencrypt authentication url back to your efa box. There is no reason to make the whole efa web server exposed to the internet.
Hi Paul,
I am not sure I understand you correctly; what do you mean by mapping the letsencrypt authentication url back to your efa box?
Am I supposed to allow port 443/80 to the EFA in order to get letsencrypt to automatically renew the SSL?
Am I correct?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: How I did setup let's encrypt on my EFA

Post by pdwalker »

Whoops. I missed this earlier.

jamerson, did you ever resolve your problem?
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: How I did setup let's encrypt on my EFA

Post by jamerson »

pdwalker wrote: 18 Apr 2018 12:04 Whoops. I missed this earlier.

jamerson, did you ever resolve your problem?
Thank you Paul,
yes, it's been running for a couple of weeks now with 443 open to the internet.
Waiting for v4; hopefully it will support fail2ban on SMTP and HTTPS.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: How I did setup let's encrypt on my EFA

Post by pdwalker »

You can set up fail2ban yourself. No need to wait. I have it running. I forget how I did it, but I do remember it was easy.