EFA Let's Encrypt

Testing of eFa 4
jamerson
Posts: 130
Joined: 19 Aug 2017 18:57
Location: kaaskop

EFA Let's Encrypt

Post by jamerson » 26 Apr 2019 11:05

Hi Guys,
I just want to share my experience with Let's Encrypt.
The cron job to renew the certificate apparently is not working.
I have disabled the job and re-enabled it to generate the new certificate.

After this was done, the certificate became valid.
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

shawniverson
Posts: 2814
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: EFA Let's Encrypt

Post by shawniverson » 26 Apr 2019 18:45

Good to know. I will check and try to find out what is happening with the cron job.
Version eFa 4.0.0 RC3 now available in testing repo. Come join us in advancing eFa!

jamerson
Posts: 130
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: EFA Let's Encrypt

Post by jamerson » 06 May 2019 11:51

Today is the third box on which SSL has failed;
enabling it and disabling it solved the problem.
Just wanted to share it.

warlord
Posts: 14
Joined: 16 May 2019 21:21

Re: EFA Let's Encrypt

Post by warlord » 16 May 2019 21:28

Looking at the script that generates the crontab, there is a bug in the certbot cron job.
Specifically, certbot will require you to restart the applications after the certificate is renewed. That's why it appears not to work. You need a post-hook to restart httpd (and any other services).
On other systems I do this with the following files/scripts:


# cat /etc/cron.weekly/certbot
#!/bin/sh
# Weekly is fine: certbot only renews certificates that are close to expiry.
# The hooks run around the renewal attempt.
/usr/bin/certbot renew --quiet --pre-hook /usr/local/bin/certbot-pre --post-hook /usr/local/bin/certbot-post

# cat /usr/local/bin/certbot-pre
#!/bin/sh
# Open port 80 in the runtime firewall (not --permanent) so the http-01 challenge can reach httpd.
/usr/bin/firewall-cmd --add-service http

# cat /usr/local/bin/certbot-post
#!/bin/sh
# Close port 80 again, then make the services load the renewed certificate.
/usr/bin/firewall-cmd --remove-service http
/usr/sbin/service httpd force-reload
/usr/sbin/service postfix restart

Note that I restart postfix because, IMHO, postfix should accept TLS-based email and will need to be restarted when the certificate is renewed. I don't know if EFA configures that itself, but IMHO it should!

warlord
Posts: 14
Joined: 16 May 2019 21:21

Re: EFA Let's Encrypt

Post by warlord » 17 May 2019 18:00

One more bug in EFA's Let's Encrypt integration.
When I enabled it, it created the new certificate but didn't restart httpd to have it take effect. I had to do that manually. Obviously this is related to the cert renewal issue above.
And, of course, even though postfix is configured for TLS, it does not use the L.E. key/certificate.

warlord
Posts: 14
Joined: 16 May 2019 21:21

Re: EFA Let's Encrypt

Post by warlord » 31 May 2019 20:01

Hi,
I tracked down another certbot cron issue (see my post about the cron getpwnam errors).
Specifically, /etc/cron.d/certbotrenew is broken -- it's missing the username to run the script as.
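The two problems warlord reports are the same failure seen from two sides: the hooks (services never load the renewed certificate) and the /etc/cron.d/certbotrenew entry that lacks the user field, so cron hands the first word of the command to getpwnam() and the job never runs. The following POSIX sh checker for the second problem is an added example, not eFa's code or warlord's. It parses each /etc/cron.d-style entry and flags lines that jump from the schedule straight to the command. The sample file is constructed to match the bug as described in the thread, not copied from eFa, and the account name root is an assumption.

```shell
#!/bin/sh
# Added example, not part of eFa: detect /etc/cron.d entries that lack the user
# field. A system crontab line (anything under /etc/cron.d or /etc/crontab) is
#   minute hour day-of-month month day-of-week USER command...
# or the nickname form
#   @daily USER command...
# Drop USER and cron passes the first word of the command to getpwnam(), which
# fails, and the job is never executed.

# check_crond_line LINE
#   returns 0 for a well-formed entry, 1 when the user field is missing or the
#   line is otherwise malformed, 2 for blank lines, comments and VAR=value lines.
check_crond_line() {
    set -f                  # no globbing while splitting on whitespace: '*' stays literal
    set -- $1
    set +f
    [ $# -gt 0 ] || return 2
    case "$1" in
        '#'*)          return 2 ;;                 # comment
        [A-Za-z_]*=*)  return 2 ;;                 # environment assignment such as MAILTO=root
        @*)            user=$2 ;;                  # @daily/@reboot form: user is the 2nd field
        *)             [ $# -ge 7 ] || return 1    # five time fields + user + command
                       user=$6 ;;
    esac
    case "$user" in
        ''|/*|*/*|-*)         return 1 ;;          # a path or an option is not an account name
        *[!A-Za-z0-9._-]*)    return 1 ;;          # characters no account name contains
    esac
    # A bare word such as "certbot" could be an account or a command; ask the
    # system when possible (getent is present on EL7, where eFa runs).
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$user" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# check_crond_file FILE
#   prints every offending line to stderr; returns 1 if any was found.
check_crond_file() {
    bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        rc=0
        check_crond_line "$l" || rc=$?
        if [ "$rc" -eq 1 ]; then
            printf 'missing or invalid user field: %s\n' "$l" >&2
            bad=1
        fi
    done < "$1"
    return $bad
}

# Constructed sample modelled on the bug described in the thread; the real
# /etc/cron.d/certbotrenew may differ. Only the second entry names an account.
sample=$(mktemp)
cat > "$sample" <<'EOF'
MAILTO=root
# broken: the schedule runs straight into the command
0 3 * * * /usr/bin/certbot renew --quiet --post-hook /usr/local/bin/certbot-post
# fixed: the account to run as (root here, an assumption) sits between them
0 3 * * * root /usr/bin/certbot renew --quiet --post-hook /usr/local/bin/certbot-post
EOF
check_crond_file "$sample" || echo 'insert the account name between the day-of-week field and the command'
rm -f "$sample"
```

Run it against the live file with `check_crond_file /etc/cron.d/certbotrenew`. The check is a heuristic: a bare command name in the user position cannot be told apart from an account name by syntax alone, which is why the script consults getent passwd when it is available. On the hook side, certbot's --deploy-hook runs once per certificate that was actually issued or renewed, whereas --post-hook runs after every renewal attempt; for reloading httpd and postfix the former is the closer fit.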

shawniverson
Posts: 2814
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: EFA Let's Encrypt

Post by shawniverson » 28 Jul 2019 15:31

Testing now. I left off the port 80 on/off because port 80 is open by default on eFa4 to redirect to https, but I think I will test port 80 and then toggle it, but only if it is off to start with.

warlord
Posts: 14
Joined: 16 May 2019 21:21

Re: EFA Let's Encrypt

Post by warlord » 29 Jul 2019 14:08

shawniverson wrote (28 Jul 2019 15:31):
Testing now. I left off the port 80 on/off because port 80 is open by default on eFa4 to redirect to https, but I think I will test port 80 and then toggle it, but only if it is off to start with.
I think it's safe to just leave that off if you think 80 is always open. But yeah, if 80 is off, you might need to open and close it, but I don't know how best to toggle that within the scripts.
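The exchange above is about toggling port 80 only when it was closed to begin with. The script below is an added example, not eFa's code or either poster's, showing one way to do that in POSIX sh with firewalld: the pre-hook records whether it was the one that opened the http service, and the post-hook closes it only in that case, then reloads the services. The firewall-cmd path is overridable through FWCMD so the decision logic can be exercised without firewalld; the state file /run/certbot-opened-http and the use of systemctl to reload httpd and postfix are assumptions.

```shell
#!/bin/sh
# Added example, not eFa's code: certbot pre/post hooks that open the firewall
# for the http-01 challenge only when port 80 is closed, and close it again
# only if this script was the one that opened it. Install as one file and call
# it from certbot as:
#   certbot renew --pre-hook '/usr/local/bin/certbot-fw pre' \
#                 --post-hook '/usr/local/bin/certbot-fw post'
# Assumptions: firewalld (firewall-cmd) on the host, a writable /run, and httpd
# and postfix as the services holding the certificate.

FWCMD=${FWCMD:-firewall-cmd}              # overridable for dry runs and tests
STATE=${STATE:-/run/certbot-opened-http}  # exists only while this script holds port 80 open

# True when the http service is already allowed in the runtime (not permanent) zone.
http_is_open() {
    "$FWCMD" --query-service=http >/dev/null 2>&1
}

# pre-hook: open http only if it is closed, and remember that we did.
pre_hook() {
    rm -f "$STATE"
    if http_is_open; then
        return 0                           # eFa4 default: 80 already open, nothing to do
    fi
    "$FWCMD" --add-service=http >/dev/null && : > "$STATE"
}

# post-hook: revert exactly what pre_hook changed, and nothing else.
post_hook() {
    if [ -e "$STATE" ]; then
        "$FWCMD" --remove-service=http >/dev/null
        rm -f "$STATE"
    fi
}

# Make the daemons pick up the renewed key and certificate. Run after post_hook.
reload_services() {
    systemctl reload httpd
    systemctl reload postfix
}

case "${1:-}" in
    pre)  pre_hook ;;
    post) post_hook && reload_services ;;
esac
```

Because the state file is created only by pre_hook, a box where port 80 is already open (the eFa4 default) is left untouched by both hooks, while a hardened box that closes 80 gets it opened for the challenge and closed again afterwards.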
