author: Andreas Baumann <mail@andreasbaumann.cc> 2018-02-01 22:19:40 +0100
committer: Andreas Baumann <mail@andreasbaumann.cc> 2018-02-01 22:19:40 +0100
commit: 6e869009e58224259df8845dec67910b19e0443e (patch)
tree: d68c643155e263d3ed360593c883ba263e16e014 /static
parent: f7bc29989b3850b1deffd9204dacd1bc0cb51eb2 (diff)
download: www-andreasbaumann-cc-6e869009e58224259df8845dec67910b19e0443e.tar.gz
          www-andreasbaumann-cc-6e869009e58224259df8845dec67910b19e0443e.tar.bz2
added HOWTO.LetsEncrypt
Diffstat (limited to 'static')
-rw-r--r-- static/howtos/HOWTO.LetsEncrypt | 116
1 files changed, 116 insertions, 0 deletions
diff --git a/static/howtos/HOWTO.LetsEncrypt b/static/howtos/HOWTO.LetsEncrypt
new file mode 100644
index 0000000..3d5c630
--- /dev/null
+++ b/static/howtos/HOWTO.LetsEncrypt
@@ -0,0 +1,116 @@
+1) The official packages in EPEL are broken (at least I was unable to install them).
+
+2) Guide on https://www.svennd.be/lets-encrypt-with-centos-6-7/
+
+https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-reg HTTP/1.1" 500 109
+Received response:
+HTTP 500
+Server: nginx
+Content-Type: application/problem+json
+Content-Length: 109
+Boulder-Request-Id: c77q1COmALMLIgG9WxjOUsXmj0UN9dt4oUWEe-S_Su0
+Replay-Nonce: x5MSSJadipC0jW_qyG7XN8wGBjeNn3eF5bbTe2ciwYM
+Expires: Wed, 09 Aug 2017 05:23:01 GMT
+Cache-Control: max-age=0, no-cache, no-store
+Pragma: no-cache
+Date: Wed, 09 Aug 2017 05:23:01 GMT
+Connection: close
+
+{
+ "type": "urn:acme:error:serverInternal",
+ "detail": "Error creating new registration",
+ "status": 500
+}
+Storing nonce: x5MSSJadipC0jW_qyG7XN8wGBjeNn3eF5bbTe2ciwYM
+Exiting abnormally:
+Traceback (most recent call last):
+ File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
+ sys.exit(main())
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 753, in main
+ return config.func(config, plugins)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 598, in run
+ le_client = _init_le_client(config, authenticator, installer)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 390, in _init_le_client
+ acc, acme = _determine_account(config)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 375, in _determine_account
+ config, account_storage, tos_cb=_tos_cb)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/client.py", line 165, in register
+ regr = perform_registration(acme, config)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/client.py", line 195, in perform_registration
+ return acme.register(messages.NewRegistration.from_data(email=config.email))
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 97, in register
+ response = self.net.post(self.directory[new_reg], new_reg)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 682, in post
+ return self._post_once(*args, **kwargs)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 695, in _post_once
+ return self._check_response(response, content_type=content_type)
+ File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 582, in _check_response
+ raise messages.Error.from_json(jobj)
+Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Error creating new registration
+An unexpected error occurred:
+The server experienced an internal error :: Error creating new registration
+Please see the logfiles in /var/log/letsencrypt for more details.
+
+and installs half of Python bullshit onto machine!
+
+This is no way, compare to acme_client on OpenBSD.
+
+3) https://kristaps.bsd.lv/acme-client/
+
+yum install openssl-devel libbsd-devel gnutls-devel
+wget https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.6.0.tar.gz
+#build libreesl to /usr/local/
+make
+make install
+# follow https://spin.atomicobject.com/2016/09/20/openbsd-acme-client-lets-encrypt/
+cat >/etc/ld.so.conf.d/local.conf <<EOF
+/usr/local/lib/
+EOF
+ldconfig
+
+wget -O /etc/ssl/cert.pem 'https://raw.githubusercontent.com/libressl-portable/openbsd/master/src/lib/libcrypto/cert.pem'
+
+acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:connection", "detail": "DNS problem: query timed out looking up A for www.eurospider.com", "status": 400 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/x0oE6rQYMBh6qQIisSzqZecrRFkED-7u7Y-vuid5kKw/1713819082", "token": "IzPOcU-2sFKk65DAk3egE1g2j17f9K3V_pcG0KvrfjQ", "keyAuthorization": "IzPOcU-2sFKk65DAk3egE1g2j17f9K3V_pcG0KvrfjQ.xbEUn0BT4rXH5TjxcmmW1Yjoyb1GWDrQEByNfXawgRc", "validationRecord": [ { "url": "http://www.eurospider.com/.well-known/acme-challenge/IzPOcU-2sFKk65DAk3egE1g2j17f9K3V_pcG0KvrfjQ", "hostname": "www.eurospider.com", "port": "80", "addressesResolved": [], "addressUsed": "", "addressesTried": [] } ] }] (792 bytes)
+
+CNAME DNS entries don't work, so we must provide the real machine as primary host,
+everything else as SANs.
+
+acme-client -v -n -N -F -b -e \
+ -C /var/www/acme \
+ -c /etc/ssl/acme \
+ -k /etc/ssl/acme/private/privkey.pem \
+ -f /etc/acme/privkey.pem www.eurospider.com eurospider.com innobib.news www.innobib.news www.tenders.ch
+
+-b create backups
+-F is to update even if the current certificate is still valid
+-e is needed to avoid revocation and expanding the list of SANs.
+
+webserver:
+
+main http.conf:
+
+<Directory "/var/www/acme/.well-known/">
+ Options None
+ AllowOverride None
+ Order Deny,Allow
+ Allow from All
+ Header add Content-Type text/plain
+</Directory>
+
+for every domain we want a certificate for (in the non-SSL-version of the virtual
+host configuration):
+
+Alias /.well-known/acme-challenge/ /var/www/acme/
+
+ RewriteEngine On
+ RewriteCond %{HTTPS} !=on
+ RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
+ RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
+
+
+links
+-----
+
+https://www.metachris.com/2015/12/comparison-of-10-acme-lets-encrypt-clients/
+https://medium.com/chris-opperwall/using-acme-client-for-letsencrypt-on-freebsd-db0ee643ef1f
+
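Review bot: in the webserver section at the end of the hunk, the `<Directory "/var/www/acme/.well-known/">` block does not cover the path the Alias actually serves: `Alias /.well-known/acme-challenge/ /var/www/acme/` maps challenge requests to files directly under /var/www/acme/ (the directory passed as `-C /var/www/acme`), so the `Allow from All` grant and the `Header add Content-Type text/plain` apply to a directory Apache never consults for these requests, and on a default-deny server the challenge fetch gets a 403; the block should be `<Directory "/var/www/acme/">`. Two smaller points in the same block: `Order Deny,Allow` / `Allow from All` is Apache 2.2 syntax and needs mod_access_compat on 2.4 (otherwise `Require all granted`), and `Header add` requires mod_headers to be loaded. In the build steps, the LibreSSL tarball and the cert.pem written to /etc/ssl/cert.pem are installed without any checksum or signature check, and that cert.pem becomes the trust store acme-client uses to authenticate the Let's Encrypt API, so the HOWTO should document verifying both downloads against their published checksums/signatures before installing them. Finally, `-F` forces issuance even when the current certificate is still valid, so it belongs in a one-off SAN change, not in a recurring renewal command.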