OK, so I finally got around to installing/testing LetsEncrypt on my current 6.8 system following this guide. I installed the additional rpms, from the regular repositories, as they’ve been promoted from “testing”:
yum install nethserver-letsencrypt letsencrypt.sh
And nethserver-base and nethserver-httpd are already at the required level. Ran the test configure, which appeared to work OK:
[root@NethServer ~]# /usr/libexec/nethserver/letsencrypt-certs -v -t
/usr/sbin/letsencrypt.sh --cron --config /tmp/kVXVmQdrO4/config.sh -d NethServer.BogoLinux.net
# INFO: Using main config file /tmp/kVXVmQdrO4/config.sh
+ Generating account key...
+ Registering account key with letsencrypt...
Processing nethserver.bogolinux.net
+ Signing domains...
+ Creating new directory /tmp/kVXVmQdrO4/certs/nethserver.bogolinux.net ...
+ Generating private key...
+ Generating signing request...
+ Requesting challenge for nethserver.bogolinux.net...
+ Responding to challenge for nethserver.bogolinux.net...
+ Challenge is valid!
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
[root@NethServer ~]#
So went ahead with the real deal:
[root@NethServer ~]# /usr/libexec/nethserver/letsencrypt-certs -v
/usr/sbin/letsencrypt.sh --cron --config /etc/letsencrypt.sh/config.sh -d NethServer.BogoLinux.net
# INFO: Using main config file /etc/letsencrypt.sh/config.sh
+ Generating account key...
+ Registering account key with letsencrypt...
Processing nethserver.bogolinux.net
+ Signing domains...
+ Creating new directory /etc/letsencrypt.sh/certs/nethserver.bogolinux.net ...
+ Generating private key...
+ Generating signing request...
+ Requesting challenge for nethserver.bogolinux.net...
+ Responding to challenge for nethserver.bogolinux.net...
+ Challenge is valid!
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
[root@NethServer ~]#
Switched to another system and ran a quick check to see what certificate was being presented:
[eddieath@IIB ~]$ openssl s_client -connect www.bogolinux.net:443
CONNECTED(00000003)
depth=0 CN = NethServer, O = BogoLinux Net, ST = CA, OU = SomeOrganizationalUnit, emailAddress = root@NethServer.BogoLinux.net, C = US, subjectAltName = *.BogoLinux.net, L = Los Angeles
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = NethServer, O = BogoLinux Net, ST = CA, OU = SomeOrganizationalUnit, emailAddress = root@NethServer.BogoLinux.net, C = US, subjectAltName = *.BogoLinux.net, L = Los Angeles
verify return:1
Certificate chain
0 s:/CN=NethServer/O=BogoLinux Net/ST=CA/OU=SomeOrganizationalUnit/emailAddress=root@NethServer.BogoLinux.net/C=US/subjectAltName=*.BogoLinux.net/L=Los Angeles
i:/CN=NethServer/O=BogoLinux Net/ST=CA/OU=SomeOrganizationalUnit/emailAddress=root@NethServer.BogoLinux.net/C=US/subjectAltName=*.BogoLinux.net/L=Los Angeles
Oops. That’s still the original self-signed certificate, not the LetsEncrypt one. Just for sh!ts and giggles, I restarted the httpd service:
[root@NethServer ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@NethServer ~]#
Still didn’t make any difference, still getting the original self-signed. So, digging around further, it looks like the new certificates didn’t make it into the httpd.conf:
[root@NethServer ~]# cat /etc/httpd/conf.d/ssl.conf
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at https://dev.nethesis.it/projects/nethserver/wiki/NethServer
# original work from http://www.contribs.org/development/
#
# Copyright (C) 2013 Nethesis S.r.l.
# http://www.nethesis.it - support@nethesis.it
#
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# SSLCertificateChainFile
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES;
[root@NethServer ~]#
A little more digging shows that they didn’t make it to the configuration DB:
[root@NethServer ~]# config show pki
pki=configuration
CertificateDuration=3650
ChainFile=
CommonName=NethServer
CountryCode=US
CrtFile=
EmailAddress=
KeyFile=
LetsEncrypt=enabled
LetsEncryptMail=admin@BogoLinux.net
LetsEncryptRenewDays=30
Locality=Los Angeles
Organization=BogoLinux Net
OrganizationalUnitName=Main
State=CA
SubjectAltName=*.BogoLinux.net
[root@NethServer ~]#
Any ideas on what I missed/goofed up on?
Cheers.
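An added post-issuance check (not part of the original post or of NethServer's own tooling) that catches exactly the state shown above: LetsEncrypt=enabled in the pki database but CrtFile/KeyFile/ChainFile empty, and ssl.conf still pointing at the default localhost.crt. The sample outputs embedded below are constructed to mirror the post; the function names are my own.

```python
# Default self-signed pair that NethServer's ssl.conf falls back to when
# pki/CrtFile and pki/KeyFile are empty (paths taken from the post).
DEFAULT_SELF_SIGNED = {"/etc/pki/tls/certs/localhost.crt",
                       "/etc/pki/tls/private/localhost.key"}

# Constructed sample of `config show pki`, trimmed to the relevant props.
CONFIG_SHOW_PKI = """pki=configuration
    ChainFile=
    CommonName=NethServer
    CrtFile=
    KeyFile=
    LetsEncrypt=enabled
    LetsEncryptRenewDays=30
"""

# Constructed sample of /etc/httpd/conf.d/ssl.conf, trimmed likewise.
SSL_CONF = """LoadModule ssl_module modules/mod_ssl.so
Listen 443
# SSLCertificateChainFile
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
"""

def parse_config_show(text):
    """Parse `config show <key>` output: header line, then indented prop=value lines."""
    props = {}
    for line in text.splitlines()[1:]:
        key, sep, value = line.strip().partition("=")
        if sep:
            props[key] = value
    return props

def parse_ssl_conf(text):
    """Return the active (uncommented) SSLCertificate* directives."""
    directives = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].startswith("SSLCertificate"):
            directives[parts[0]] = parts[1]
    return directives

def diagnose(pki, ssl):
    """Cross-check the pki database against what httpd is actually configured to serve."""
    findings = []
    if pki.get("LetsEncrypt") == "enabled":
        for prop in ("CrtFile", "KeyFile", "ChainFile"):
            if not pki.get(prop):
                findings.append(f"pki/{prop} is empty although LetsEncrypt=enabled")
    if ssl.get("SSLCertificateFile") in DEFAULT_SELF_SIGNED:
        findings.append("httpd still serves the default self-signed localhost.crt")
    if "SSLCertificateChainFile" not in ssl:
        findings.append("no SSLCertificateChainFile: intermediates are not sent")
    return findings

if __name__ == "__main__":
    for f in diagnose(parse_config_show(CONFIG_SHOW_PKI), parse_ssl_conf(SSL_CONF)):
        print("FINDING:", f)
```

Run it against the live outputs (`config show pki` and the contents of ssl.conf) after letsencrypt-certs finishes; an empty findings list means the issued certificate has actually been wired into httpd.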