How to get Let's Encrypt certificates for internal servers

(see the wiki page instead)

14 Likes

Ehi man I’d like to thank you on behalf the whole community for the howto!
I’d like to suggest format the post better highlighting goals and steps :slight_smile:
@docs_team would help you here

1 Like

Edited for formatting, and a few content additions.

2 Likes

Seems stuff like this would be better off in the wiki than on the forums:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers

4 Likes

when i try to install it, like you described it in the wiki, it finished with -bash: acme.sh: command not found
any suggestion?

Hi @hucky,

did you logoff/logon after installing acme to make PATH active?

Log out and back in to activate the new PATH.

3 Likes

you got it, thank you @mrmarkuz

1 Like

f… something i do wrong, i restart the server and now it is not possible to reach the gui. httpd did not start.
got errors about the certificat.

systemd[1]: Starting The Apache HTTP Server…
httpd[4136]: AH00526: Syntax error on line 107 of /etc/httpd/conf.d/ssl.conf:
httpd[4136]: SSLCertificateKeyFile: file ‘/etc/pki/tls/private/localhost.key’ does not exist or is empty
systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
kill[4138]: kill: cannot find process ""
systemd[1]: httpd.service: control process exited, code=exited status=1
systemd[1]: Failed to start The Apache HTTP Server.
systemd[1]: Unit httpd.service entered failed state.
systemd[1]: httpd.service failed

That should have been created by the certificate-update event–it was, at least, on my clean 7.4 install. What’s the output of ls -l /etc/pki/tls/private/?

1 Like

ls: cannot access /etc/pki/tls/private/?: No such file or directory

Please try ls -l /etc/pki/tls/private/ without question mark.

1 Like

total 4
-rw------- 1 root root 0 Feb 16 11:16 httpd-admin.key
-rw------- 1 root root 0 Feb 16 11:58 localhost.key
-rw-------. 1 root root 1704 Dec 18 2016 NSRV.key

That’s strange; your key should have been placed there when you issued it. Let’s see the output of

config show pki
ls -l ~/.acme.sh/your_fqdn/
cat ~/.acme.sh/your_fqdn/your_fqdn.conf

In all three cases above, replace your_fqdn with the fully-qualified domain name of your server. In the output of the last command, mask the API key and email address.

1 Like

config show pki
pki=configuration
CertificateDuration=3650
ChainFile=/etc/pki/tls/certs/chain.pem
CommonName=SBS
CountryCode=DE
CrtFile=/etc/pki/tls/certs/cert.pem
EmailAddress=xxx@xx.de
KeyFile=/etc/pki/tls/private/privkey.pem
LetsEncrypt=disabled
LetsEncryptDomains=xxx.xxx.de
LetsEncryptMail=xxx@xxx.de
LetsEncryptRenewDays=30
Locality=Berlin
Organization=xxxxxxxxxx
OrganizationalUnitName=Main
State=Deutschland
SubjectAltName=xxx.xxxx.de,xxx.spdns.de

ls -l ~/.acme.sh/xxx.xxxxxx.de/
total 16
-rw-r–r-- 1 root root 202 Feb 16 12:36 xxxxxx.spdns.de.conf
-rw-r–r-- 1 root root 985 Feb 16 12:36 xxxxxx.spdns.de.csr
-rw-r–r-- 1 root root 212 Feb 16 12:36 xxxxxx.spdns.de.csr.conf
-rw-r–r-- 1 root root 1679 Feb 16 11:07 xxxxxx.spdns.de.key

cat ~/.acme.sh/your_fqdn/your_fqdn.conf
cat ~/.acme.sh/xxx.xxxx.de/xxx.xxx.de.conf
Le_Domain=‘xxx.xxxx.de
Le_Alt=‘no’
Le_Webroot=’/home/wwwroot/example.com,tls’
Le_PreHook=’‘
Le_PostHook=’‘
Le_RenewHook=’‘
Le_API=‘https://acme-v01.api.letsencrypt.org/directory
Le_Keylength=’’

OK, lots of problems here. You don’t have a cert generated at all. The reason for that can be seen in the .conf file. The Cloudflare credentials aren’t there, so it won’t validate domain control. The cert, key, and chain paths are missing, so acme.sh won’t copy those to the correct place. And the renew command is blank, so acme.sh won’t signal the certificate-update event after it runs.

The acme.sh command I gave on the wiki page is the same one I gave in my post here, just broken onto several lines for readability. Did you enter it exactly as shown? With the backslashes ( \ ) at the end of each line but the last?

yes, i run it exactly like it was wrote, i guess that was the error cause i do it like a cloudflare but i dont have one. very sorry for it. do you think it is possible to generate a certificat just for getting the webgui back? at the moment apache, httpd etc. wont start cause it miss the certificat :frowning: really sorry for that mess

It may be enough to set the ssl cert directives in /etc/httpd/conf.d/ssl.conf to default:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
1 Like

hmm, it is like you wrote:
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Sorry, I did not recognize your empty localhost.key…

I moved my key and fired certificate-update event and localhost.key is recreated.

mv /etc/pki/tls/private/localhost.key ~
signal-event certificate-update

Maybe you have to set the db props you changed to default values again.

http://docs.nethserver.org/projects/nethserver-devel/en/v7/certificate_management.html#certificate-management

My values with letsencrypt cert:

# config show pki
pki=configuration
    CertificateDuration=3650
    ChainFile=/etc/letsencrypt/live/mrmarkuz.goip.de/chain.pem
    CommonName=
    CountryCode=
    CrtFile=/etc/letsencrypt/live/mrmarkuz.goip.de/cert.pem
    EmailAddress=
    KeyFile=/etc/letsencrypt/live/mrmarkuz.goip.de/privkey.pem
    LetsEncrypt=disabled
    LetsEncryptDomains=mrmarkuz.goip.de
    LetsEncryptMail=some@mail.at
    LetsEncryptRenewDays=30
    Locality=
    Organization=
    OrganizationalUnitName=
    State=
    SubjectAltName=
1 Like

i dont get it, maybe i am too dumb. if i look at config show pki i got

ChainFile=/etc/pki/tls/certs/chain.pem
CrtFile=/etc/pki/tls/certs/cert.pem
KeyFile=/etc/pki/tls/private/privkey.pem

formerly, i guess, it was like your configuration cause i have exact this kind of folders from letsencrypt.
is there a file to edit for changing the pathes?